Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe
Analysis ID:1501348
MD5:6d97f33394b481c648d746db3c08d688
SHA1:2967efab90b991dbacafbad83587cb3f3e9f5863
SHA256:7ed8eee365a1d22bf1d878e2e99b1e0ab4d3e803480214367cb0c77cb1540fcd
Tags:exe

Detection

Score: 4 (range 0 - 100)
Whitelisted: false
Confidence: 60%
Verdict: clean. The detail below supports that reading: TrID identifies the file as an Inno Setup installer, the embedded strings are the Inno Setup command-line help text and its help URL on jrsoftware.org, and across the three fuzzed command-line runs the only visible behaviour was a message box that the sandbox dismissed, with no files dropped, no registry values created and no network traffic. The only third-party signal is a 5% ReversingLabs detection.

Signatures

Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • Analysis system: w10x64 (Windows 10 x64 22H2; see General Information below)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


Signature evidence
Sources: "sample" = SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe (the file, static analysis); "process" = C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe (the running copies, target IDs 0, 2 and 3 in the Processes section). Function IDs have the form <target>_2_<address>; entries the report repeats identically for all three targets are listed once.

Uses 32bit PE files
Source: sample | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Contains functionality to shutdown / reboot the system
Source: process | Code function: 00409920 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx (targets 0, 2, 3; the report lists this chain under two signatures)
This is the standard sequence for enabling a privilege on the caller's own token before calling ExitWindowsEx, which requires SeShutdownPrivilege. It is a static capability match: no shutdown or reboot happened in any of the three runs.

Detected potential crypto function
Source: process | Code function: 004088C0 (targets 0, 2, 3)

Found potential string decryption / allocating functions
Source: process | String function: 004032FC appears 42 times
Source: process | String function: 00403198 appears 66 times
Source: process | String function: 004045CC appears 39 times
Source: process | String function: 004031B8 appears 33 times

Found evasive API chain (date check)
Source: process | Evasive API call chain: GetSystemTime, DecisionNodes (graph_0-6303)

Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality to query locales information (e.g. system language)
Source: process | Code function: GetLocaleInfoA at 00405694 and at 004056E0 (targets 0, 2, 3)

Uses code obfuscation techniques (call, push, ret)
Source: process | Code function: 00406A50 push 00406A8Dh; ret (at 00406A85)
Source: process | Code function: 004040B5 push eax; ret (at 004040F1)
Source: process | Code function: 00404185 push 00404391h; ret (at 00404389)
Source: process | Code function: 00404206 push 00404391h; ret (at 00404389)
Source: process | Code function: 004042E8 push 00404391h; ret (at 00404389)
Source: process | Code function: 00404283 push 00404391h; ret (at 00404389)
Source: process | Code function: 004093EC push 0040941Fh; ret (at 00409417)
Source: process | Code function: 004085B8 push ecx; mov dword ptr [esp], eax (at 004085BD)
(all found in targets 0, 2 and 3)
Four of these push the same address, 00404391h, from different sites: that is the shape of Delphi try/finally epilogues, which push the continuation address and reach it with ret, and the entrypoint disassembly below shows the matching Delphi exception-frame setup (push ebp / push 0040B1A1h / push dword ptr fs:[eax] / mov dword ptr fs:[eax], esp). On a Delphi-built binary this signature is expected and carries little weight on its own.

Other evidence (the report's signature headings for these entries were not preserved in this copy)
Source: sample | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: sample | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: sample | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU (apparently the same URL run together with the first bytes of the string that follows it)
Source: sample | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t (Inno Setup command-line help text; reported three times)
Source: sample | String found in binary or memory: /LOADINF="filename"
Source: classification engine | Classification label: clean4.winEXE@3/0@0/0
Source: process | Code function: 0_2_0040A10C FindResourceA, SizeofResource, LoadResource, LockResource
Source: process | Code function: 0_2_0040A050 GetSystemInfo, VirtualQuery, VirtualProtect, VirtualProtect, VirtualQuery
Source: process | Code function: 0_2_004026C4 GetSystemTime
Source: process | Code function: 0_2_00404654 GetModuleHandleA, GetVersion, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, SetProcessDEPPolicy
Source: process | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
(the Software Restriction Policies key; opening it is a routine side effect of the policy check Windows performs when a process calls CreateProcess, which this sample imports and calls, and nothing was written under it)
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe" -install
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe" /install
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe" /load
(the three command lines come from the sandbox's "Cmdline fuzzy" run, not from the sample spawning copies of itself)
Source: process | Section loaded (each target, in this order): textshaping.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: process | Automated click: OK (once per target: the sandbox dismissed a message box in each run)
Source: process | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (each target; the SetErrorMode flags that suppress the OS error dialogs)
MITRE ATT&CK matrix (flattened in this copy; only the cells carrying a signature count are matches, the rest of the grid is the empty template)

Execution: Command and Scripting Interpreter (2), Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1), Process Injection (1), DLL Side-Loading (1)
Defense Evasion: Access Token Manipulation (1), Process Injection (1), Deobfuscate/Decode Files or Information (1), DLL Side-Loading (1), Obfuscated Files or Information (2)
Discovery: System Time Discovery (1), System Information Discovery (14)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
Impact: System Shutdown/Reboot (1)
No matches under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement or Exfiltration.

The counts are the number of signatures mapped to each technique. For this sample they come from static capability matches rather than observed behaviour: the behavioural summary records no thread injection, no dropped files, no registry values created and no DNS or network activity.
Antivirus and reputation results

Sample: SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe | 5% detection | ReversingLabs
The report's three remaining scanner tables are empty (no antivirus matches).

URLs
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | 0% | Avira URL Cloud: safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | 0% | Avira URL Cloud: safe
No contacted domains.

URL details (name | source | malicious | antivirus detection | reputation)
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe | false | Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe | false | Avira URL Cloud: safe | unknown
No contacted IPs.
Both URLs are strings embedded in the binary (the Inno Setup command-line help page); neither was contacted during the run.
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1501348
Start date and time:2024-08-29 19:26:06 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 20s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Cmdline fuzzy
Number of new started processes analysed:7 (the three runs of the sample listed under Processes plus the four whitelisted system processes named in the Cookbook Comments)
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe
Detection:CLEAN
Classification:clean4.winEXE@3/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 60
  • Number of non-executed functions: 51
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe
No simulations
No context (the report's five context tables are empty)
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.380995995895499
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.86%
  • Inno Setup installer (109748/4) 1.08%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe
File size:114'328 bytes
MD5:6d97f33394b481c648d746db3c08d688
SHA1:2967efab90b991dbacafbad83587cb3f3e9f5863
SHA256:7ed8eee365a1d22bf1d878e2e99b1e0ab4d3e803480214367cb0c77cb1540fcd
SHA512:a91c469d3245053d2c6caa34067c209e8c69b460107adeb5e886ac3a097d0aeb4a61d07e5d4769720a005ea3d72833a4e6e4539d36ca9f142a39c6ce5c7319c3
SSDEEP:1536:FHqhLKmQ0yDvLl81tn/+i0aHdEnsdU7NlEeJaeff5vgJ5SLrXfwV+EnaUToen:ALfTyHl4tFHdK37UeJaegwfXfwV+Ena8
TLSH:9BB3C003E7D18475E1B2C9B45E1691588B3BBD262C3C141872DC4E9E6F3BA90D91F3A7
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:2d2e3797b32b2b99
Entrypoint:0x40aad0
Entrypoint Section:CODE
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Note: DYNAMIC_BASE opts the image in to ASLR, but RELOCS_STRIPPED (and a .reloc section with no raw data in the section table below) means the loader has no relocations to apply, so the image can only run at its preferred base of 0x400000 and ASLR is not effective for this file. NX_COMPAT (DEP) is unaffected, and DEP is also requested at runtime through the SetProcessDEPPolicy call resolved with GetProcAddress in function 00404654.
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
Note: 0x2A425E19 is the constant TimeDateStamp written by Borland/Delphi linkers, not a real build time. It identifies the toolchain (consistent with the "MZP" DOS stub in the file content preview and the CODE/DATA/BSS section names) and says nothing about when the file was built.
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:1
OS Version Minor:0
File Version Major:1
File Version Minor:0
Subsystem Version Major:1
Subsystem Version Minor:0
Import Hash:2fb819a19fe4dee5c03e8c6a79342f79
Entrypoint instructions (0x40aad0; the push ebp / push <address> / push dword ptr fs:[eax] / mov dword ptr fs:[eax], esp sequences are the SEH frames Delphi emits around try blocks)
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007FE0F8F1E61Bh
call 00007FE0F8F1F822h
call 00007FE0F8F1FB89h
call 00007FE0F8F1FFDCh
call 00007FE0F8F21F7Bh
call 00007FE0F8F24912h
call 00007FE0F8F24A79h
xor eax, eax
push ebp
push 0040B1A1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040B16Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040D014h]
call 00007FE0F8F2554Bh
call 00007FE0F8F25136h
cmp byte ptr [0040C234h], 00000000h
je 00007FE0F8F2602Eh
call 00007FE0F8F25648h
xor eax, eax
call 00007FE0F8F1F311h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FE0F8F2258Bh
mov edx, dword ptr [ebp-10h]
mov eax, 0040DE30h
call 00007FE0F8F1E6B2h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040DE30h]
mov dl, 01h
mov eax, 00407840h
call 00007FE0F8F22E46h
mov dword ptr [0040DE34h], eax
xor edx, edx
push ebp
push 0040B122h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FE0F8F255A6h
mov dword ptr [0040DE3Ch], eax
mov eax, dword ptr [0040DE3Ch]
cmp dword ptr [eax+0Ch], 00000000h
Data directories (name | virtual address | virtual size | section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe000 | 0x97c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | - (no Authenticode signature, matching "Digitally signed: false")
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | - (no relocation data, consistent with RELOCS_STRIPPED in the file characteristics)
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x10000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections (name | virtual address | virtual size | raw size | MD5 | xored PE | ZLIB complexity | file type | entropy | characteristics)
CODE | 0x1000 | 0xa208 | 0xa400 | 49513e676dadfb3919c4b137dd7c6d66 | False | 0.5959413109756098 | data | 6.6016742350943245 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xc000 | 0x250 | 0x400 | 0a7b48e75f6b6ef4a087528fee0d185c | False | 0.30859375 | data | 2.771347682604831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xd000 | 0xe94 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xe000 | 0x97c | 0xa00 | df5f31e62e05c787fd29eed7071bf556 | False | 0.41796875 | data | 4.486076246232586 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xf000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x10000 | 0x18 | 0x200 | 14dfa4128117e7f94fe2f8d7dea374a0 | False | 0.05078125 | data | 0.190488766434666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x11000 | 0x920 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x2c00 | 0x2c00 | b1ca663b3fdaccf300709c384cae902a | False | 0.33442826704545453 | data | 4.596525256479807 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Two things to read off this table. First, .reloc has a raw size of 0 (its MD5 is that of the empty string), so there is no relocation data on disk: this matches RELOCS_STRIPPED, and it means the DYNAMIC_BASE flag cannot be honoured by the loader. Second, the raw sections sum to 0xe000 (57,344) bytes; with the usual 0x400 bytes of headers and contiguous placement (raw offsets are not shown, so this is an estimate) they end at about 0xe400 = 58,368 bytes, leaving roughly 56 KB of the 114,328-byte file as overlay appended after the last section. A whole-file entropy of 7.38 against 6.60 for CODE and 4.60 for .rsrc means that overlay is high-entropy (compressed or encrypted) data, which is how Inno Setup's single-file installers carry their payload; nothing was dropped in these runs, so whatever it holds was not unpacked here.
Resources (name | RVA | size | type | language | country | ZLIB complexity)
RT_ICON | 0x12354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1247c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x129e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x12ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x13574 | 0x2f2 | data | - | - | 0.35543766578249336
RT_STRING | 0x13868 | 0x30c | data | - | - | 0.3871794871794872
RT_STRING | 0x13b74 | 0x2ce | data | - | - | 0.42618384401114207
RT_STRING | 0x13e44 | 0x68 | data | - | - | 0.75
RT_STRING | 0x13eac | 0xb4 | data | - | - | 0.6277777777777778
RT_STRING | 0x13f60 | 0xae | data | - | - | 0.5344827586206896
RT_RCDATA | 0x14010 | 0x2c | data | - | - | 1.1590909090909092
RT_GROUP_ICON | 0x1403c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1407c | 0x4f4 | data | English | United States | 0.28391167192429023
RT_MANIFEST | 0x14570 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42658227848101266
Imports (DLL | functions, in import-table order)
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
The table has two descriptors each for kernel32.dll, user32.dll and advapi32.dll, which is typical of Delphi binaries (the runtime's System unit and the program's own units each contribute one). The import hash above is computed over this full ordered list.
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
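The static fields above (file characteristics, DLL characteristics, the TimeDateStamp, the section table with per-section entropy, and the overlay that the section sizes imply) can all be recovered from the raw headers without a PE library. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample or from Inno Setup: it parses PE32 headers, decodes the flag names the way the report prints them, measures section entropy and overlay size, and flags the two caveats discussed above (the fixed Borland/Delphi timestamp and DYNAMIC_BASE combined with RELOCS_STRIPPED). Because the analysed file is not available here, build_sample_pe() constructs a small synthetic PE32 image that reuses the header values from the report (timestamp 0x2A425E19, file characteristics 0x818F, DLL characteristics 0x8140, entry point 0x40aad0) with two sections and a 64-byte overlay; those section contents and the overlay are constructed test data, not bytes from the sample.

```python
"""Pure-Python PE32 header triage: flags, timestamp, section entropy, overlay."""
import math
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristics, named as the report prints them (subset)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE",
    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_DLLCHARACTERISTICS_* (subset)
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
# Constant TimeDateStamp written by Borland/Delphi linkers: Fri Jun 19 22:22:17 1992 UTC
BORLAND_FIXED_TIMESTAMP = 0x2A425E19


def flag_names(value, table):
    """Decode a bit field into the names of the flags set in it, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(buf):
    """Byte entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def parse_pe32(data):
    """Parse the DOS, file, optional and section headers of a PE32 image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                         # IMAGE_FILE_HEADER
    _machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                              # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, oh + 28)[0]  # ImageBase
    dll_chars = struct.unpack_from("<H", data, oh + 70)[0]   # DllCharacteristics
    sections, end_of_raw = [], 0
    for i in range(nsec):                                     # IMAGE_SECTION_HEADER array
        off = oh + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw),
                         "characteristics": struct.unpack_from("<I", data, off + 36)[0]})
        end_of_raw = max(end_of_raw, raw_ptr + raw_size)
    return {
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "image_base": image_base,
        "entry_point": image_base + entry_rva,
        "sections": sections,
        "overlay_size": max(0, len(data) - end_of_raw),      # bytes after the last section
    }


def triage(info):
    """Findings a triager wants flagged from the parsed headers."""
    findings = []
    if info["timestamp"] == BORLAND_FIXED_TIMESTAMP:
        findings.append("borland-fixed-timestamp")             # toolchain marker, not a build time
    if "DYNAMIC_BASE" in info["dll_characteristics"] and "RELOCS_STRIPPED" in info["characteristics"]:
        findings.append("aslr-ineffective-relocs-stripped")     # loader has nothing to relocate with
    if info["overlay_size"]:
        findings.append("overlay:%d" % info["overlay_size"])    # appended payload, e.g. installer data
    return findings


def build_sample_pe():
    """Constructed PE32 image (not the analysed sample) that reuses the report's header values."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, BORLAND_FIXED_TIMESTAMP, 0, 0, 224, 0x818F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0xAAD0)              # entry RVA: 0x40aad0 - 0x400000
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<H", opt, 68, 2)                   # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, 0x8140)              # DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
    code = bytes(range(256)) * 2                         # 512 bytes, each value twice: entropy 8.0
    rsrc = b"\0" * 512                                   # 512 zero bytes: entropy 0.0
    hdr_size, sec = 0x200, "<8sIIIIIIHHI"
    code_hdr = struct.pack(sec, b"CODE", 0xA208, 0x1000, len(code), hdr_size, 0, 0, 0, 0, 0x60000020)
    rsrc_hdr = struct.pack(sec, b".rsrc", 0x2C00, 0x12000, len(rsrc), hdr_size + len(code),
                           0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + code_hdr + rsrc_hdr).ljust(hdr_size, b"\0")
    return headers + code + rsrc + b"OVERLAY!" * 8      # 64 constructed overlay bytes


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe())                 # or parse_pe32(open(path, "rb").read())
    print(info["timestamp_utc"], info["characteristics"], info["dll_characteristics"])
    for s in info["sections"]:
        print("%-6s va=0x%05x raw=%5d entropy=%.2f" % (s["name"], s["va"], s["raw_size"], s["entropy"]))
    print(triage(info))
```

Against the real file, parse_pe32(open(path, "rb").read()) returns the same flag lists the report prints, the 1992 timestamp, and the overlay size computed from the actual raw offsets rather than the estimate given above; triage() then yields the three findings for it. The parser deliberately handles only PE32 (magic 0x10B), which is all a "32bit PE files" sample needs; a PE32+ image is rejected rather than misread.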
No network behavior found

Target ID:0
Start time:13:27:03
Start date:29/08/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe" -install
Imagebase:0x400000
File size:114'328 bytes
MD5 hash:6D97F33394B481C648D746DB3C08D688
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:13:27:05
Start date:29/08/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe" /install
Imagebase:0x400000
File size:114'328 bytes
MD5 hash:6D97F33394B481C648D746DB3C08D688
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:3
Start time:13:27:08
Start date:29/08/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15311.21206.exe" /load
Imagebase:0x400000
File size:114'328 bytes
MD5 hash:6D97F33394B481C648D746DB3C08D688
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Execution Graph

Execution Coverage: 11.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 8%
Total number of Nodes: 1560
Total number of Limit Nodes: 12

The graph itself survives in this copy only as a truncated node dump. The API calls it names include Wow64RevertWow64FsRedirection, VirtualFree, RaiseException, WriteFile, GetLastError, RtlUnwind, MessageBoxA, CharPrevA, SetFilePointer, CreateWindowExA, SetWindowLongA, GetCommandLineA, CreateProcessA, CloseHandle, PeekMessageA, TranslateMessage, DispatchMessageA, MsgWaitForMultipleObjects, GetExitCodeProcess, Sleep, DeleteFileA, RemoveDirectoryA and DestroyWindow. The path starting at 40af7a (CreateWindowExA and SetWindowLongA, GetCommandLineA, CreateProcessA at 409f31, a PeekMessageA/TranslateMessage/DispatchMessageA/MsgWaitForMultipleObjects wait loop at 409e98, GetExitCodeProcess, then Sleep and DeleteFileA at 4099b0/409470, RemoveDirectoryA at 40b0d8 and DestroyWindow at 40b0e7) is the run-a-child-then-clean-up-a-temporary-directory flow of an installer loader; the CreateProcessA failure branch (409f3d) goes through a GetLastError handler at 409b20, and MessageBoxA at 409c15 is reached separately from 40b16f via 409bd4.
403d02 5847 403d12 5845->5847 5846 403ddf ExitProcess 5847->5846 5848 403db8 5847->5848 5849 403dea 5847->5849 5854 403da4 5847->5854 5855 403d8f MessageBoxA 5847->5855 5861 403cc8 5848->5861 5852 403cc8 4 API calls 5853 403dcc 5852->5853 5865 4019dc 5853->5865 5877 403fe4 5854->5877 5855->5848 5858 403dd1 5858->5846 5858->5849 5862 403cd6 5861->5862 5864 403ceb 5862->5864 5881 402674 5862->5881 5864->5852 5866 401abb 5865->5866 5867 4019ed 5865->5867 5866->5858 5868 401a04 RtlEnterCriticalSection 5867->5868 5869 401a0e LocalFree 5867->5869 5868->5869 5870 401a41 5869->5870 5871 401a2f VirtualFree 5870->5871 5872 401a49 5870->5872 5871->5870 5873 401a70 LocalFree 5872->5873 5874 401a87 5872->5874 5873->5873 5873->5874 5875 401aa9 RtlDeleteCriticalSection 5874->5875 5876 401a9f RtlLeaveCriticalSection 5874->5876 5875->5858 5876->5875 5878 403fe8 5877->5878 5884 403f07 5878->5884 5880 404006 5882 403154 4 API calls 5881->5882 5883 40267a 5882->5883 5883->5864 5894 403f09 5884->5894 5886 403e9c 5887 403f3c 5886->5887 5890 403ef2 5886->5890 5896 403ea9 5886->5896 5898 403e8e 5886->5898 5887->5880 5888 403ecf 5888->5880 5889 403154 4 API calls 5889->5894 5892 402674 4 API calls 5890->5892 5892->5888 5894->5886 5894->5889 5895 403f3d 5894->5895 5907 403e9c 5894->5907 5895->5880 5896->5888 5897 402674 4 API calls 5896->5897 5897->5888 5900 403e4c 5898->5900 5899 403e67 5905 403e78 5899->5905 5906 402674 4 API calls 5899->5906 5900->5899 5901 403e62 5900->5901 5902 403e7b 5900->5902 5904 403cc8 4 API calls 5901->5904 5903 402674 4 API calls 5902->5903 5903->5905 5904->5899 5905->5890 5905->5896 5906->5905 5908 403ed7 5907->5908 5914 403ea9 5907->5914 5909 403ef2 5908->5909 5910 403e8e 4 API calls 5908->5910 5911 402674 4 API calls 5909->5911 5912 403ee6 5910->5912 5913 403ecf 5911->5913 5912->5909 5912->5914 5913->5894 5914->5913 5915 402674 4 API calls 5914->5915 5915->5913 6888 406b04 IsDBCSLeadByte 6889 406b1c 6888->6889 6043 404206 6044 40420a 6043->6044 6045 4041cc 
6043->6045 6046 404282 6044->6046 6047 403154 4 API calls 6044->6047 6048 404323 6047->6048 6890 40ad07 6891 409fc0 18 API calls 6890->6891 6892 40ad0c 6891->6892 6893 40ad11 6892->6893 6894 402f24 5 API calls 6892->6894 6895 409e14 29 API calls 6893->6895 6894->6893 6898 40ad16 6895->6898 6896 40ad69 6927 4026c4 GetSystemTime 6896->6927 6898->6896 6901 40928c 18 API calls 6898->6901 6899 40ad6e 6900 409808 46 API calls 6899->6900 6902 40ad76 6900->6902 6904 40ad45 6901->6904 6903 4031e8 18 API calls 6902->6903 6905 40ad83 6903->6905 6906 40ad4d MessageBoxA 6904->6906 6907 406db0 19 API calls 6905->6907 6906->6896 6909 40ad5a 6906->6909 6908 40ad90 6907->6908 6910 406b48 19 API calls 6908->6910 6911 405cec 19 API calls 6909->6911 6912 40ada0 6910->6912 6911->6896 6913 406ac0 19 API calls 6912->6913 6914 40adb1 6913->6914 6915 403340 18 API calls 6914->6915 6916 40adbf 6915->6916 6917 4031e8 18 API calls 6916->6917 6918 40adcf 6917->6918 6919 407994 37 API calls 6918->6919 6920 40ae0e 6919->6920 6921 402594 18 API calls 6920->6921 6922 40ae2e 6921->6922 6923 407edc 19 API calls 6922->6923 6924 40ae70 6923->6924 6925 40816c 35 API calls 6924->6925 6926 40ae97 6925->6926 6927->6899 5916 402c08 5919 402c82 5916->5919 5920 402c19 5916->5920 5917 402c56 RtlUnwind 5918 403154 4 API calls 5917->5918 5918->5919 5920->5917 5920->5919 5923 402b28 5920->5923 5924 402b31 RaiseException 5923->5924 5925 402b47 5923->5925 5924->5925 5925->5917 6049 403018 6050 403070 6049->6050 6051 403025 6049->6051 6052 40302a RtlUnwind 6051->6052 6053 40304e 6052->6053 6055 402f78 6053->6055 6056 402be8 6053->6056 6057 402bf1 RaiseException 6056->6057 6058 402c04 6056->6058 6057->6058 6058->6050 6945 40b127 6946 40b099 6945->6946 6947 40b0c5 6946->6947 6948 4099b0 9 API calls 6946->6948 6949 40b0de 6947->6949 6952 40b0d8 RemoveDirectoryA 6947->6952 6948->6947 6950 40b0f2 6949->6950 6951 40b0e7 DestroyWindow 6949->6951 6953 40b11a 6950->6953 6954 40357c 4 API calls 6950->6954 6951->6950 
6952->6949 6955 40b110 6954->6955 6956 4025ac 4 API calls 6955->6956 6956->6953 6071 403a28 ReadFile 6072 403a46 6071->6072 6073 403a49 GetLastError 6071->6073 6074 40602a 6075 40602c 6074->6075 6076 406068 6075->6076 6077 406062 6075->6077 6078 40607f 6075->6078 6079 405dc8 19 API calls 6076->6079 6077->6076 6080 4060d4 6077->6080 6083 405164 19 API calls 6078->6083 6081 40607b 6079->6081 6082 405e38 33 API calls 6080->6082 6085 403198 4 API calls 6081->6085 6082->6081 6084 4060a8 6083->6084 6086 405e38 33 API calls 6084->6086 6087 40610e 6085->6087 6086->6081 6088 40462b 6089 404638 SetErrorMode 6088->6089 6957 40b12c 6958 40b135 6957->6958 6961 40b160 6957->6961 6967 409920 6958->6967 6960 40b13a 6960->6961 6965 40b158 MessageBoxA 6960->6965 6962 403198 4 API calls 6961->6962 6963 40b198 6962->6963 6964 403198 4 API calls 6963->6964 6966 40b1a0 6964->6966 6965->6961 6968 409987 ExitWindowsEx 6967->6968 6969 40992c GetCurrentProcess OpenProcessToken 6967->6969 6971 40993e 6968->6971 6970 409942 LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6969->6970 6969->6971 6970->6968 6970->6971 6971->6960 6976 403932 6977 403924 6976->6977 6980 40374c 6977->6980 6979 40392c 6981 403759 6980->6981 6982 403766 6980->6982 6981->6982 6983 403779 VariantClear 6981->6983 6982->6979 6983->6979 6104 409e36 6105 409e38 6104->6105 6106 409e5a 6105->6106 6107 409e76 CallWindowProcA 6105->6107 6107->6106 6112 409e38 6113 409e5a 6112->6113 6115 409e47 6112->6115 6114 409e76 CallWindowProcA 6114->6113 6115->6113 6115->6114 6116 4090c4 6117 4090cb 6116->6117 6118 403198 4 API calls 6117->6118 6128 409165 6118->6128 6119 409190 6120 4031b8 4 API calls 6119->6120 6122 40921d 6120->6122 6121 40917c 6123 4032c4 18 API calls 6121->6123 6124 409186 6123->6124 6126 4032fc 18 API calls 6124->6126 6125 403278 18 API calls 6125->6128 6126->6119 6127 4032fc 18 API calls 6127->6128 6128->6119 6128->6121 6128->6125 6128->6127 5927 4074cb 5928 4074bc SetErrorMode 5927->5928 6129 402ccc 6132 
402cfe 6129->6132 6134 402cdd 6129->6134 6130 402d88 RtlUnwind 6131 403154 4 API calls 6130->6131 6131->6132 6133 402b28 RaiseException 6135 402d7f 6133->6135 6134->6130 6134->6132 6134->6133 6135->6130 6994 403fcd 6995 403f07 4 API calls 6994->6995 6996 403fd6 6995->6996 6997 403e9c 4 API calls 6996->6997 6998 403fe2 6997->6998 5124 40aad0 5167 4030dc 5124->5167 5126 40aae6 5170 4042e8 5126->5170 5128 40aaeb 5173 404654 GetModuleHandleA GetVersion 5128->5173 5132 40aaf5 5270 406a50 5132->5270 5134 40aafa 5279 409558 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5134->5279 5141 40ab3d 5307 4070b4 5141->5307 5153 40abe8 5364 407954 5153->5364 5154 40abaa 5154->5153 5357 409fc0 5154->5357 5156 40ac0e 5157 40ac29 5156->5157 5158 409fc0 18 API calls 5156->5158 5368 407edc 5157->5368 5158->5157 5160 40ac4e 5378 408fbc 5160->5378 5164 40ac94 5165 408fbc 35 API calls 5164->5165 5166 40accd 5164->5166 5165->5164 5397 403094 5167->5397 5169 4030e1 GetModuleHandleA GetCommandLineA 5169->5126 5172 404323 5170->5172 5398 403154 5170->5398 5172->5128 5174 4046a5 5173->5174 5175 404685 GetProcAddress 5173->5175 5177 4048d2 GetProcAddress 5174->5177 5178 4046ad GetProcAddress 5174->5178 5175->5174 5176 404696 5175->5176 5176->5174 5179 4048e1 5177->5179 5180 4048e8 GetProcAddress 5177->5180 5181 4046bc 5178->5181 5179->5180 5182 4048f7 SetProcessDEPPolicy 5180->5182 5183 4048fb 5180->5183 5415 4045a0 GetSystemDirectoryA 5181->5415 5182->5183 5411 403198 5183->5411 5187 4031e8 18 API calls 5189 4046d8 5187->5189 5189->5177 5190 40470b 5189->5190 5418 4032fc 5189->5418 5432 40322c 5190->5432 5194 4032fc 18 API calls 5195 404726 5194->5195 5436 4045cc SetErrorMode 5195->5436 5198 40322c 4 API calls 5199 40473c 5198->5199 5200 4032fc 18 API calls 5199->5200 5201 404749 5200->5201 5202 4045cc 2 API calls 5201->5202 5203 404751 5202->5203 5204 40322c 4 API calls 5203->5204 5205 40475f 5204->5205 5206 4032fc 18 API calls 5205->5206 5207 40476c 5206->5207 5208 4045cc 2 
API calls 5207->5208 5209 404774 5208->5209 5210 40322c 4 API calls 5209->5210 5211 404782 5210->5211 5212 4032fc 18 API calls 5211->5212 5213 40478f 5212->5213 5214 4045cc 2 API calls 5213->5214 5215 404797 5214->5215 5216 40322c 4 API calls 5215->5216 5217 4047a5 5216->5217 5218 4032fc 18 API calls 5217->5218 5219 4047b2 5218->5219 5220 4045cc 2 API calls 5219->5220 5221 4047ba 5220->5221 5222 40322c 4 API calls 5221->5222 5223 4047c8 5222->5223 5224 4032fc 18 API calls 5223->5224 5225 4047d5 5224->5225 5226 4045cc 2 API calls 5225->5226 5227 4047dd 5226->5227 5228 40322c 4 API calls 5227->5228 5229 4047eb 5228->5229 5230 4032fc 18 API calls 5229->5230 5231 4047f8 5230->5231 5232 4045cc 2 API calls 5231->5232 5233 404800 5232->5233 5234 40322c 4 API calls 5233->5234 5235 40480e 5234->5235 5236 4032fc 18 API calls 5235->5236 5237 40481b 5236->5237 5238 4045cc 2 API calls 5237->5238 5239 404823 5238->5239 5240 40322c 4 API calls 5239->5240 5241 404831 5240->5241 5242 4032fc 18 API calls 5241->5242 5243 40483e 5242->5243 5244 4045cc 2 API calls 5243->5244 5245 404846 5244->5245 5246 40322c 4 API calls 5245->5246 5247 404854 5246->5247 5248 4032fc 18 API calls 5247->5248 5249 404861 5248->5249 5250 4045cc 2 API calls 5249->5250 5251 404869 5250->5251 5252 40322c 4 API calls 5251->5252 5253 404877 5252->5253 5254 4032fc 18 API calls 5253->5254 5255 404884 5254->5255 5256 4045cc 2 API calls 5255->5256 5257 40488c 5256->5257 5258 40322c 4 API calls 5257->5258 5259 40489a 5258->5259 5260 4032fc 18 API calls 5259->5260 5261 4048a7 5260->5261 5262 4045cc 2 API calls 5261->5262 5263 4048af 5262->5263 5264 40322c 4 API calls 5263->5264 5265 4048bd 5264->5265 5266 4032fc 18 API calls 5265->5266 5267 4048ca 5266->5267 5268 4045cc 2 API calls 5267->5268 5268->5177 5269 404aac 6F661CD0 5269->5132 5542 406130 5270->5542 5280 4095ad 5279->5280 5648 40717c GetSystemDirectoryA 5280->5648 5284 4095d4 5285 4032fc 18 API calls 5284->5285 5286 4095e1 5285->5286 5661 407454 SetErrorMode 
5286->5661 5291 4031b8 4 API calls 5292 409615 5291->5292 5293 40a050 GetSystemInfo VirtualQuery 5292->5293 5294 40a104 5293->5294 5297 40a07a 5293->5297 5299 409c40 5294->5299 5295 40a0e5 VirtualQuery 5295->5294 5295->5297 5296 40a0a4 VirtualProtect 5296->5297 5297->5294 5297->5295 5297->5296 5298 40a0d3 VirtualProtect 5297->5298 5298->5295 5693 407058 GetCommandLineA 5299->5693 5301 409d28 5303 4031b8 4 API calls 5301->5303 5302 4070b4 20 API calls 5306 409c5d 5302->5306 5304 409d42 5303->5304 5304->5141 5334 40a160 5304->5334 5305 403454 18 API calls 5305->5306 5306->5301 5306->5302 5306->5305 5308 4070db GetModuleFileNameA 5307->5308 5309 4070ff GetCommandLineA 5307->5309 5310 403278 18 API calls 5308->5310 5311 407104 5309->5311 5312 4070fd 5310->5312 5313 407109 5311->5313 5316 406f78 18 API calls 5311->5316 5317 407111 5311->5317 5314 40712c 5312->5314 5315 403198 4 API calls 5313->5315 5318 403198 4 API calls 5314->5318 5315->5317 5316->5311 5319 40322c 4 API calls 5317->5319 5320 407141 5318->5320 5319->5314 5321 4031e8 5320->5321 5322 4031ec 5321->5322 5325 4031fc 5321->5325 5324 403254 18 API calls 5322->5324 5322->5325 5323 403228 5327 407994 5323->5327 5324->5325 5325->5323 5326 4025ac 4 API calls 5325->5326 5326->5323 5328 40799e 5327->5328 5714 407a2a 5328->5714 5717 407a2c 5328->5717 5329 4079ca 5330 4079de 5329->5330 5720 407940 GetLastError 5329->5720 5341 40a10c FindResourceA 5330->5341 5335 40322c 4 API calls 5334->5335 5336 40a183 5335->5336 5337 40a192 MessageBoxA 5336->5337 5338 40a1a7 5337->5338 5339 403198 4 API calls 5338->5339 5340 40a1af 5339->5340 5340->5141 5342 40a121 5341->5342 5343 40a126 SizeofResource 5341->5343 5344 409fc0 18 API calls 5342->5344 5345 40a133 5343->5345 5346 40a138 LoadResource 5343->5346 5344->5343 5347 409fc0 18 API calls 5345->5347 5348 40a146 5346->5348 5349 40a14b LockResource 5346->5349 5347->5346 5350 409fc0 18 API calls 5348->5350 5351 40a157 5349->5351 5352 40a15c 5349->5352 5350->5349 5353 409fc0 18 API 
calls 5351->5353 5352->5154 5354 407dcc 5352->5354 5353->5352 5819 407d78 5354->5819 5358 409fe1 5357->5358 5359 409fc9 5357->5359 5361 405d18 18 API calls 5358->5361 5360 405d18 18 API calls 5359->5360 5362 409fdb 5360->5362 5363 409ff2 5361->5363 5362->5153 5363->5153 5365 407968 5364->5365 5366 407978 5365->5366 5367 4078a0 34 API calls 5365->5367 5366->5156 5367->5366 5370 407ee9 5368->5370 5369 405d18 18 API calls 5371 407f3d 5369->5371 5370->5369 5370->5371 5372 407dcc InterlockedExchange 5371->5372 5373 407f4f 5372->5373 5374 405d18 18 API calls 5373->5374 5375 407f65 5373->5375 5374->5375 5376 407fa8 5375->5376 5377 405d18 18 API calls 5375->5377 5376->5160 5377->5376 5382 409036 5378->5382 5391 408fed 5378->5391 5379 409081 5823 40816c 5379->5823 5381 409098 5385 4031b8 4 API calls 5381->5385 5382->5379 5384 4034f0 18 API calls 5382->5384 5389 403420 18 API calls 5382->5389 5390 4031e8 18 API calls 5382->5390 5393 40816c 35 API calls 5382->5393 5383 4034f0 18 API calls 5383->5391 5384->5382 5387 4090b2 5385->5387 5386 4031e8 18 API calls 5386->5391 5394 4050a8 5387->5394 5388 403420 18 API calls 5388->5391 5389->5382 5390->5382 5391->5382 5391->5383 5391->5386 5391->5388 5392 40816c 35 API calls 5391->5392 5392->5391 5393->5382 5395 402594 18 API calls 5394->5395 5396 4050b3 5395->5396 5396->5164 5397->5169 5399 403164 5398->5399 5400 40318c TlsGetValue 5398->5400 5399->5172 5401 403196 5400->5401 5402 40316f 5400->5402 5401->5172 5406 40310c 5402->5406 5404 403174 TlsGetValue 5405 403184 5404->5405 5405->5172 5407 403120 LocalAlloc 5406->5407 5408 403116 5406->5408 5409 40313e TlsSetValue 5407->5409 5410 403132 5407->5410 5408->5407 5409->5410 5410->5404 5412 4031b7 5411->5412 5413 40319e 5411->5413 5412->5269 5413->5412 5440 4025ac 5413->5440 5444 40458c 5415->5444 5419 403300 5418->5419 5420 40333f 5418->5420 5421 4031e8 5419->5421 5422 40330a 5419->5422 5420->5190 5425 4031fc 5421->5425 5429 403254 18 API calls 5421->5429 5423 403334 5422->5423 5424 
40331d 5422->5424 5428 4034f0 18 API calls 5423->5428 5527 4034f0 5424->5527 5427 403228 5425->5427 5431 4025ac 4 API calls 5425->5431 5427->5190 5430 403322 5428->5430 5429->5425 5430->5190 5431->5427 5434 403230 5432->5434 5433 403252 5433->5194 5434->5433 5435 4025ac 4 API calls 5434->5435 5435->5433 5540 403414 5436->5540 5439 40461e 5439->5198 5441 4025b0 5440->5441 5442 4025ba 5440->5442 5441->5442 5443 403154 4 API calls 5441->5443 5442->5412 5443->5442 5447 4032c4 5444->5447 5450 403278 5447->5450 5449 403288 5451 403198 4 API calls 5449->5451 5453 403254 5450->5453 5452 4032a0 5451->5452 5452->5187 5454 403274 5453->5454 5455 403258 5453->5455 5454->5449 5458 402594 5455->5458 5457 403261 5457->5449 5459 402598 5458->5459 5461 4025a2 5458->5461 5464 401fd4 5459->5464 5460 40259e 5460->5461 5462 403154 4 API calls 5460->5462 5461->5457 5461->5461 5462->5461 5465 401fe8 5464->5465 5466 401fed 5464->5466 5475 401918 RtlInitializeCriticalSection 5465->5475 5468 402012 RtlEnterCriticalSection 5466->5468 5469 40201c 5466->5469 5472 401ff1 5466->5472 5468->5469 5469->5472 5482 401ee0 5469->5482 5472->5460 5473 402147 5473->5460 5474 40213d RtlLeaveCriticalSection 5474->5473 5476 40193c RtlEnterCriticalSection 5475->5476 5477 401946 5475->5477 5476->5477 5478 401964 LocalAlloc 5477->5478 5479 40197e 5478->5479 5480 4019c3 RtlLeaveCriticalSection 5479->5480 5481 4019cd 5479->5481 5480->5481 5481->5466 5485 401ef0 5482->5485 5483 401f1c 5487 401f40 5483->5487 5493 401d00 5483->5493 5485->5483 5485->5487 5488 401e58 5485->5488 5487->5473 5487->5474 5497 4016d8 5488->5497 5492 401e75 5492->5485 5494 401d4e 5493->5494 5495 401d1e 5493->5495 5494->5495 5514 401c68 5494->5514 5495->5487 5500 4016f4 5497->5500 5498 4016fe 5501 4015c4 VirtualAlloc 5498->5501 5499 401430 LocalAlloc VirtualAlloc VirtualFree 5499->5500 5500->5498 5500->5499 5502 40175b 5500->5502 5503 40132c LocalAlloc 5500->5503 5504 40174f 5500->5504 5505 40170a 5501->5505 5502->5492 5507 401dcc 5502->5507 
5503->5500 5506 40150c VirtualFree 5504->5506 5505->5502 5506->5502 5508 401d80 9 API calls 5507->5508 5509 401de0 5508->5509 5510 40132c LocalAlloc 5509->5510 5511 401df0 5510->5511 5512 401b44 9 API calls 5511->5512 5513 401df8 5511->5513 5512->5513 5513->5492 5515 401c7a 5514->5515 5516 401c9d 5515->5516 5517 401caf 5515->5517 5518 40188c LocalAlloc VirtualFree VirtualFree 5516->5518 5519 40188c LocalAlloc VirtualFree VirtualFree 5517->5519 5520 401cad 5518->5520 5519->5520 5521 401cc5 5520->5521 5522 401b44 9 API calls 5520->5522 5521->5495 5523 401cd4 5522->5523 5524 401cee 5523->5524 5525 401b98 9 API calls 5523->5525 5526 4013a0 LocalAlloc 5524->5526 5525->5524 5526->5521 5528 40352d 5527->5528 5529 4034fd 5527->5529 5531 403198 4 API calls 5528->5531 5530 403526 5529->5530 5532 403509 5529->5532 5533 403254 18 API calls 5530->5533 5534 403517 5531->5534 5536 4025c4 5532->5536 5533->5528 5534->5430 5537 4025ca 5536->5537 5538 403154 4 API calls 5537->5538 5539 4025dc 5537->5539 5538->5539 5539->5534 5541 403418 LoadLibraryA 5540->5541 5541->5439 5614 405dc8 5542->5614 5545 405708 GetSystemDefaultLCID 5547 40573e 5545->5547 5546 405164 19 API calls 5546->5547 5547->5546 5548 405694 19 API calls 5547->5548 5549 4031e8 18 API calls 5547->5549 5552 4057a0 5547->5552 5548->5547 5549->5547 5550 405164 19 API calls 5550->5552 5551 405694 19 API calls 5551->5552 5552->5550 5552->5551 5553 4031e8 18 API calls 5552->5553 5554 405823 5552->5554 5553->5552 5630 4031b8 5554->5630 5557 40584c GetSystemDefaultLCID 5634 405694 GetLocaleInfoA 5557->5634 5560 4031e8 18 API calls 5561 40588c 5560->5561 5562 405694 19 API calls 5561->5562 5563 4058a1 5562->5563 5564 405694 19 API calls 5563->5564 5565 4058c5 5564->5565 5640 4056e0 GetLocaleInfoA 5565->5640 5568 4056e0 GetLocaleInfoA 5569 4058f5 5568->5569 5570 405694 19 API calls 5569->5570 5571 40590f 5570->5571 5572 4056e0 GetLocaleInfoA 5571->5572 5573 40592c 5572->5573 5574 405694 19 API calls 5573->5574 5575 405946 
5574->5575 5576 4031e8 18 API calls 5575->5576 5577 405953 5576->5577 5578 405694 19 API calls 5577->5578 5579 405968 5578->5579 5580 4031e8 18 API calls 5579->5580 5581 405975 5580->5581 5582 4056e0 GetLocaleInfoA 5581->5582 5583 405983 5582->5583 5584 405694 19 API calls 5583->5584 5585 40599d 5584->5585 5586 4031e8 18 API calls 5585->5586 5587 4059aa 5586->5587 5588 405694 19 API calls 5587->5588 5589 4059bf 5588->5589 5590 4031e8 18 API calls 5589->5590 5591 4059cc 5590->5591 5592 405694 19 API calls 5591->5592 5593 4059e1 5592->5593 5594 4059fe 5593->5594 5595 4059ef 5593->5595 5597 40322c 4 API calls 5594->5597 5596 40322c 4 API calls 5595->5596 5598 4059fc 5596->5598 5597->5598 5599 405694 19 API calls 5598->5599 5600 405a20 5599->5600 5601 405a3d 5600->5601 5602 405a2e 5600->5602 5604 403198 4 API calls 5601->5604 5603 40322c 4 API calls 5602->5603 5605 405a3b 5603->5605 5604->5605 5642 4033b4 5605->5642 5607 405a5f 5608 4033b4 18 API calls 5607->5608 5609 405a79 5608->5609 5610 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5609->5610 5611 405a93 5610->5611 5612 40617c GetVersionExA 5611->5612 5613 406193 5612->5613 5613->5134 5615 405dd4 5614->5615 5622 405164 LoadStringA 5615->5622 5618 4031e8 18 API calls 5619 405e05 5618->5619 5620 403198 4 API calls 5619->5620 5621 405e1a 5620->5621 5621->5545 5625 403278 5622->5625 5626 403254 18 API calls 5625->5626 5627 403288 5626->5627 5628 403198 4 API calls 5627->5628 5629 4032a0 5628->5629 5629->5618 5632 4031be 5630->5632 5631 4031e3 5631->5557 5632->5631 5633 4025ac 4 API calls 5632->5633 5633->5632 5635 4056bb 5634->5635 5636 4056cd 5634->5636 5637 403278 18 API calls 5635->5637 5638 40322c 4 API calls 5636->5638 5639 4056cb 5637->5639 5638->5639 5639->5560 5641 4056fc 5640->5641 5641->5568 5643 4033bc 5642->5643 5644 403254 18 API calls 5643->5644 5645 4033cf 5644->5645 5646 4031e8 18 API calls 5645->5646 5647 4033f7 5646->5647 5669 405268 5648->5669 5651 406ac0 5652 406aca 5651->5652 5653 406aed 
5651->5653 5672 406dd8 5652->5672 5655 40322c 4 API calls 5653->5655 5656 406af6 5655->5656 5656->5284 5657 406ad1 5657->5653 5658 406adc 5657->5658 5677 403340 5658->5677 5660 406aea 5660->5284 5662 403414 5661->5662 5663 40748c LoadLibraryA 5662->5663 5664 4074a2 5663->5664 5665 407738 FormatMessageA 5664->5665 5666 40775e 5665->5666 5667 403278 18 API calls 5666->5667 5668 40777b 5667->5668 5668->5291 5670 4032c4 18 API calls 5669->5670 5671 405277 5670->5671 5671->5651 5673 406de3 5672->5673 5674 406ddf 5672->5674 5692 406df8 CharPrevA 5673->5692 5674->5657 5676 406df4 5676->5657 5678 403344 5677->5678 5679 4033a5 5677->5679 5680 4031e8 5678->5680 5681 40334c 5678->5681 5684 403254 18 API calls 5680->5684 5686 4031fc 5680->5686 5681->5679 5683 40335b 5681->5683 5687 4031e8 18 API calls 5681->5687 5682 403228 5682->5660 5685 403254 18 API calls 5683->5685 5684->5686 5689 403375 5685->5689 5686->5682 5688 4025ac 4 API calls 5686->5688 5687->5683 5688->5682 5690 4031e8 18 API calls 5689->5690 5691 4033a1 5690->5691 5691->5660 5692->5676 5700 406f78 5693->5700 5695 40707b 5696 40708d 5695->5696 5697 406f78 18 API calls 5695->5697 5698 403198 4 API calls 5696->5698 5697->5695 5699 4070a2 5698->5699 5699->5306 5701 406fa4 5700->5701 5702 403278 18 API calls 5701->5702 5703 406fb1 5702->5703 5710 403420 5703->5710 5705 406fb9 5706 4031e8 18 API calls 5705->5706 5707 406fd1 5706->5707 5708 403198 4 API calls 5707->5708 5709 406ff3 5708->5709 5709->5695 5711 403426 5710->5711 5713 403437 5710->5713 5712 403254 18 API calls 5711->5712 5711->5713 5712->5713 5713->5705 5715 407a2c 5714->5715 5716 407a6b CreateFileA 5715->5716 5716->5329 5718 403414 5717->5718 5719 407a6b CreateFileA 5718->5719 5719->5329 5723 4078a0 5720->5723 5724 407738 19 API calls 5723->5724 5726 4078c8 5724->5726 5725 4078e8 5735 405d18 5725->5735 5726->5725 5732 40561c 5726->5732 5729 4078f7 5730 403198 4 API calls 5729->5730 5731 407914 5730->5731 5731->5330 5739 405630 5732->5739 5737 405d1f 
5735->5737 5736 4031e8 18 API calls 5738 405d37 5736->5738 5737->5736 5738->5729 5740 40564d 5739->5740 5747 4052e0 5740->5747 5743 405679 5745 403278 18 API calls 5743->5745 5746 40562b 5745->5746 5746->5725 5749 4052fb 5747->5749 5748 40530d 5748->5743 5752 40506c 5748->5752 5749->5748 5755 405402 5749->5755 5762 4052d4 5749->5762 5753 405dc8 19 API calls 5752->5753 5754 40507d 5753->5754 5754->5743 5756 405413 5755->5756 5758 405461 5755->5758 5756->5758 5759 4054e7 5756->5759 5761 40547f 5758->5761 5765 40527c 5758->5765 5759->5761 5769 4052c0 5759->5769 5761->5749 5763 403198 4 API calls 5762->5763 5764 4052de 5763->5764 5764->5749 5766 40528a 5765->5766 5772 405084 5766->5772 5768 4052b8 5768->5758 5785 4039a4 5769->5785 5775 405e38 5772->5775 5774 40509d 5774->5768 5776 405e46 5775->5776 5777 405164 19 API calls 5776->5777 5778 405e70 5777->5778 5779 40561c 33 API calls 5778->5779 5780 405e7e 5779->5780 5781 4031e8 18 API calls 5780->5781 5782 405e89 5781->5782 5783 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5782->5783 5784 405ea3 5783->5784 5784->5774 5786 4039ab 5785->5786 5791 4038b4 5786->5791 5788 4039cb 5789 403198 4 API calls 5788->5789 5790 4039d2 5789->5790 5790->5761 5792 4038d5 5791->5792 5793 4038c8 5791->5793 5795 403934 5792->5795 5796 4038db 5792->5796 5794 403780 6 API calls 5793->5794 5808 4038d0 5794->5808 5797 403993 5795->5797 5798 40393b 5795->5798 5799 4038e1 5796->5799 5800 4038ee 5796->5800 5801 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5797->5801 5802 403941 5798->5802 5803 40394b 5798->5803 5804 403894 6 API calls 5799->5804 5805 403894 6 API calls 5800->5805 5801->5808 5806 403864 23 API calls 5802->5806 5807 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5803->5807 5804->5808 5809 4038fc 5805->5809 5806->5808 5810 40395d 5807->5810 5808->5788 5811 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5809->5811 5812 403864 23 API calls 5810->5812 5813 403917 5811->5813 5814 403976 
5812->5814 5815 40374c VariantClear 5813->5815 5817 40374c VariantClear 5814->5817 5816 40392c 5815->5816 5816->5788 5818 40398b 5817->5818 5818->5788 5820 407d8a 5819->5820 5821 407d9b 5819->5821 5822 407d8f InterlockedExchange 5820->5822 5821->5154 5822->5821 5824 408187 5823->5824 5828 40817c 5823->5828 5829 408110 5824->5829 5827 405d18 18 API calls 5827->5828 5828->5381 5830 408163 5829->5830 5831 408124 5829->5831 5830->5827 5830->5828 5831->5830 5833 408060 5831->5833 5834 40806b 5833->5834 5837 40807c 5833->5837 5835 405d18 18 API calls 5834->5835 5835->5837 5836 407954 34 API calls 5838 408090 5836->5838 5837->5836 5839 407954 34 API calls 5838->5839 5840 4080b1 5839->5840 5841 407dcc InterlockedExchange 5840->5841 5842 4080c6 5841->5842 5843 4080dc 5842->5843 5844 405d18 18 API calls 5842->5844 5843->5831 5844->5843 6136 4024d0 6137 4024e4 6136->6137 6138 4024e9 6136->6138 6139 401918 4 API calls 6137->6139 6140 402518 6138->6140 6141 40250e RtlEnterCriticalSection 6138->6141 6143 4024ed 6138->6143 6139->6138 6151 402300 6140->6151 6141->6140 6145 402525 6147 402581 6145->6147 6148 402577 RtlLeaveCriticalSection 6145->6148 6146 401fd4 14 API calls 6149 402531 6146->6149 6148->6147 6149->6145 6161 40215c 6149->6161 6152 402314 6151->6152 6153 402335 6152->6153 6154 4023b8 6152->6154 6155 402344 6153->6155 6175 401b74 6153->6175 6154->6155 6158 402455 6154->6158 6178 401d80 6154->6178 6182 401e84 6154->6182 6155->6145 6155->6146 6158->6155 6160 401d00 9 API calls 6158->6160 6160->6155 6162 40217a 6161->6162 6163 402175 6161->6163 6165 4021b5 6162->6165 6166 4021ab RtlEnterCriticalSection 6162->6166 6167 40217e 6162->6167 6164 401918 4 API calls 6163->6164 6164->6162 6168 402244 6165->6168 6172 4021c1 6165->6172 6173 402270 6165->6173 6166->6165 6167->6145 6168->6167 6171 401d80 7 API calls 6168->6171 6169 4022e3 RtlLeaveCriticalSection 6170 4022ed 6169->6170 6170->6145 6171->6167 6172->6169 6172->6170 6173->6172 6174 401d00 7 API calls 6173->6174 6174->6172 
Function call graph (interactive graph; the extracted node and edge list is not reproducible in text)

    Control-flow Graph

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 0040466F
    • GetVersion.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 00404676
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048D8
    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048EE
    • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 004048F9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressProc$HandleModulePolicyProcessVersion
    • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
    • API String ID: 3297890031-1119018034
    • Opcode ID: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
    • Instruction ID: 8135fb14ee81180893b1f543c3a29e932c16cf19254b5bff3906bd7e71ea8aa3
    • Opcode Fuzzy Hash: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
    • Instruction Fuzzy Hash: 9D611270600159AFDB00FBF6DA8398E77A89F80305B2045BBA604772D6D778EF059B5D

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNEL32(?), ref: 0040A062
    • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A06D
    • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0AE
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0E0
    • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0F0
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Virtual$ProtectQuery$InfoSystem
    • String ID:
    • API String ID: 2441996862-0
    • Opcode ID: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
    • Instruction ID: d22f8a83843956dcd0f1bd3c30f31cd8ee5be065fb893754064b45e2edc0d12d
    • Opcode Fuzzy Hash: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
    • Instruction Fuzzy Hash: 8921AEB12003086BD630DE998D85E6BB3D8DF85354F04483AF685E33C2D77DE864966A

    Control-flow Graph

    APIs
    • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
    • Instruction ID: 16534491fad4532095b25154bcfa4eb159586e841354a195c3175f568a425c49
    • Opcode Fuzzy Hash: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
    • Instruction Fuzzy Hash: 4DE0D87170021827D710A9699C86EFB725CE758310F4006BFB908E73C2EDB59E8046ED

    Control-flow Graph

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 0040957A
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409580
    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 00409594
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040959A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
    • API String ID: 1646373207-2130885113
    • Opcode ID: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
    • Instruction ID: a26a6a73124c26f393fcd3150f7a0ae21a729c0721f3e308dc05a8b68c4216e4
    • Opcode Fuzzy Hash: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
    • Instruction Fuzzy Hash: AD119170908244BEDB00FBA6CD02B497BA8DB85704F20447BB500762D3CA7D5D08DA2D

    Control-flow Graph

    APIs
    • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
    • LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
    • RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
    • RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
    • String ID:
    • API String ID: 3782394904-0
    • Opcode ID: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
    • Instruction ID: 2a1e8c518b16d72ac75c21d19d034316e64e92064156904d4596c6339aa50fda
    • Opcode Fuzzy Hash: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
    • Instruction Fuzzy Hash: 65114274B422805ADB11EBE99EC6F5276689785708F44407FF448B62F2C67CA848CB6D

    Control-flow Graph

    APIs
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
    • ExitProcess.KERNEL32 ref: 00403DE5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExitMessageProcess
    • String ID: Error$Runtime error at 00000000
    • API String ID: 1220098344-2970929446
    • Opcode ID: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
    • Instruction ID: 19c161ad1fd1f445befe0ff666437f64548d8e35ccd3b0abec794ae5707e41c3
    • Opcode Fuzzy Hash: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
    • Instruction Fuzzy Hash: 0421C834E152418AE714EFE59A817153E989B5930DF04817BD504B73E3C67C9A4EC36E

    Control-flow Graph

    APIs
    • RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
    • RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
    • LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
    • RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
    • String ID:
    • API String ID: 730355536-0
    • Opcode ID: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
    • Instruction ID: ca3d82fa79822ebb621977d4c6345e30539334a4bf25a92a69ec079a2ec9ab95
    • Opcode Fuzzy Hash: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
    • Instruction Fuzzy Hash: F20192B4E442405EE715ABFA9A56B253BA4D789704F1080BFF044F72F2C67C6458C75D

    Control-flow Graph

    APIs
    • RtlUnwind.KERNEL32(?,?,Function_00002C08,00000000,?,?,Function_00002C08,?), ref: 00402C74
      • Part of subcall function 00402B28: RaiseException.KERNEL32(0EEDFAD4,00000000,00000002), ref: 00402B3E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExceptionRaiseUnwind
    • String ID: ,`@
    • API String ID: 478881706-3711388833
    • Opcode ID: c790c7a442039b517183a7463376a734d307fb72ce7105d76f061ecf1436c93a
    • Instruction ID: 97d3f2471094b4ca6c51ddda2b863264321d4d076ae0fb00dec9115aef34ba71
    • Opcode Fuzzy Hash: c790c7a442039b517183a7463376a734d307fb72ce7105d76f061ecf1436c93a
    • Instruction Fuzzy Hash: 70013974204200AFE310EF15CA89F2BB7A9FB88754F55C56AF5086B3E1C778EC01CA69

    Control-flow Graph

    APIs
    • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017
      • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
      • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
      • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
      • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
    • String ID:
    • API String ID: 296031713-0
    • Opcode ID: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
    • Instruction ID: 72c497f3d878e3d6a4a9583ee00a9bb41c235ef620702b970aaba137d6b92855
    • Opcode Fuzzy Hash: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
    • Instruction Fuzzy Hash: 2341C2B2E007019FD710CFA9DE8561A7BA0EB58314B15817BD549B73E1D378A849CB48

    Control-flow Graph

    APIs
    • SetErrorMode.KERNEL32(00008000), ref: 0040745E
    • LoadLibraryA.KERNEL32(00000000,00000000,004074A8,?,00000000,004074C6,?,00008000), ref: 0040748D
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorLibraryLoadMode
    • String ID:
    • API String ID: 2987862817-0
    • Opcode ID: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
    • Instruction ID: a630936203178071a9ee71a4306d19d7bf0886e547c0eed2c6a3f5d1fd0b17c9
    • Opcode Fuzzy Hash: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
    • Instruction Fuzzy Hash: B9F08270A14704BEDB125F768C5282ABEACEB49B1475388B6F900A26D2E53C5820C569

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
    • Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
    • Opcode Fuzzy Hash: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
    • Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9

    Control-flow Graph

    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,0040583E), ref: 00405727
      • Part of subcall function 00405164: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405181
      • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: DefaultInfoLoadLocaleStringSystem
    • String ID:
    • API String ID: 1658689577-0
    • Opcode ID: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
    • Instruction ID: c7d7bdc64998b5a50f072f8a8ba779086e7d05f386a85bc6535a333606642bb6
    • Opcode Fuzzy Hash: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
    • Instruction Fuzzy Hash: 05315075E00509ABCF00DF95C8819EEB379FF84304F548977E815BB285E739AE068B94

    Control-flow Graph

    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00409C18
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID:
    • API String ID: 2030045667-0
    • Opcode ID: e404e2213cab1cb8d8c7ad519049062dbfaee2a85659122b32ec1a9431e87bfe
    • Instruction ID: d81cb0aa80d85b52c51bcf804432e731ae41fb5784218249075f4083c33b45f1
    • Opcode Fuzzy Hash: e404e2213cab1cb8d8c7ad519049062dbfaee2a85659122b32ec1a9431e87bfe
    • Instruction Fuzzy Hash: F6F0E271608608BEEB11EB62CD03F5B77ACDB86B18F904477B900B65D2C67D6E00897D

    Control-flow Graph (graph image omitted; basic block and its calls)
    • 383: 407a2a-407a74 call 403414, CreateFileA
    APIs
    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
    • Instruction ID: 042ae40820150c0b4851109f40d588701a9899a67d40570aa5757512981d293a
    • Opcode Fuzzy Hash: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
    • Instruction Fuzzy Hash: 6FE0ED753442586EE340DAED6D81FA677DC974A714F008132B998DB382D4719D118BA8
    APIs
    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
    • Instruction ID: 8ced2eed2e357b00b36525f681a949bcf9e14530d7ff6951507f50c56b932d1f
    • Opcode Fuzzy Hash: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
    • Instruction Fuzzy Hash: 95E0ED753442586EE240DAED6D81F96779C974A714F008122B998DB382D4719D118BA8
    APIs
    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 00407757
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FormatMessage
    • String ID:
    • API String ID: 1306739567-0
    • Opcode ID: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
    • Instruction ID: 444c138c93f6580368b8f7bf76726c6abc5f79d38e46f5c5344eab39dd4d6646
    • Opcode Fuzzy Hash: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
    • Instruction Fuzzy Hash: 20E0D8A1B8830126F62426144C87F77110E43C0740F60403A7B04EF3D2D6FEB909429F
    APIs
    • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
    • Instruction ID: 2360f01ce0fe84dc83243c5f87e7f13f8f92df382308918f1fe84dd18a5cd7c9
    • Opcode Fuzzy Hash: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
    • Instruction Fuzzy Hash: C8B09B76F1C2006DE705DAD5745153877D4D7C47103A14877F114D25C0D53C94108519
    APIs
    • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
    • Instruction ID: d86a438f0f99301b82867e6a10fbdb03c4267dfb17041a1f22e3924364c889c4
    • Opcode Fuzzy Hash: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
    • Instruction Fuzzy Hash: 55A002A9D08104BACE10EAE58CD5A7D77A86A883047D048AA7215B2181C53DE911963B
    APIs
    • CharPrevA.USER32(?,?,00406DF4,?,00406AD1,?,?,004095D4,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616), ref: 00406DFA
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CharPrev
    • String ID:
    • API String ID: 122130370-0
    • Opcode ID: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
    • Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
    • Opcode Fuzzy Hash: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
    • Instruction Fuzzy Hash:
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
    • Instruction ID: 317b5c03ede138d5cd26287ffab94a369f1a3233cb4abf22224d679caf67fd96
    • Opcode Fuzzy Hash: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
    • Instruction Fuzzy Hash: 30D05E91B00A6007E215E6BE598864A92D85F88685B08847AF644E73D1D67CAD018389
    APIs
    • GetCurrentProcess.KERNEL32(00000028), ref: 0040992F
    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409935
    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040994E
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409975
    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040997A
    • ExitWindowsEx.USER32(00000002,00000000), ref: 0040998B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
    • String ID: SeShutdownPrivilege
    • API String ID: 107509674-3733053543
    • Opcode ID: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
    • Instruction ID: 69b49e6867c4070d7a8a5f136f8c55bc3de077f0d280c98028d7d6ae56364c3e
    • Opcode Fuzzy Hash: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
    • Instruction Fuzzy Hash: 21F062F068430275E610ABB68C07F6B61885BC0B48F50193EBA55F52C3D7BCD804866F
    APIs
    • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A116
    • SizeofResource.KERNEL32(00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 0040A129
    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000), ref: 0040A13B
    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A), ref: 0040A14C
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Resource$FindLoadLockSizeof
    • String ID:
    • API String ID: 3473537107-0
    • Opcode ID: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
    • Instruction ID: 8b92cee28785ce20b64f8d9370ff96c2b68540d1e256e0df05e6767f26cc4d74
    • Opcode Fuzzy Hash: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
    • Instruction Fuzzy Hash: 10E07EE035830265EA103AFA0DC3B2A00484B6474DF05403FB700B92C7DDBCDC1591AE
    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
    • Instruction ID: d144edb85d9c502d4ea0939edf991ab5ce3f28f90927345f3a95d007e4e99129
    • Opcode Fuzzy Hash: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
    • Instruction Fuzzy Hash: DCD0A7AA31E250BAE310519B2D85EBB4BDCCBC57B4F14443FFA48D7242D2248C06A7B6
    APIs
    • GetSystemTime.KERNEL32(?), ref: 004026CE
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: SystemTime
    • String ID:
    • API String ID: 2656138-0
    • Opcode ID: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
    • Instruction ID: 8398a6df79db6557de4560d78939933842e781e1ed99b38cfbf2fd723ed8f470
    • Opcode Fuzzy Hash: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
    • Instruction Fuzzy Hash: 3BE04F21E0010A42C704ABA5CD435FDF7AEAB95604F044172A418E92E0F631C252C748
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
    • Instruction ID: 3b27ac6c5e0f9a5810868b706c98a54019571903b6d877547466b603179570a7
    • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
    • Instruction Fuzzy Hash: 9E32D674E04219DFCB14CF99CA80A9DBBB2BF88314F24816AD855B7385DB34AE42CF55
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407501
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407507
    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407555
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressCloseHandleModuleProc
    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
    • API String ID: 4190037839-2401316094
    • Opcode ID: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
    • Instruction ID: 86f2a6ba799f7653865fc0e2ce0ef1955b98c5cb30eb2cc475413799582f5e83
    • Opcode Fuzzy Hash: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
    • Instruction Fuzzy Hash: 27215570E48205BBDB00EAA5CC55BDF77A8AB44354F50887BA501F76C1DB7CBA04865E
    APIs
    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
    • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
    • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
    • GetLastError.KERNEL32(000000F5), ref: 00403C1E
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
    • String ID:
    • API String ID: 1694776339-0
    • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
    • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
    • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
    • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
    APIs
    • SetLastError.KERNEL32 ref: 0040AF99
      • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,00000000), ref: 00409B44
    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
    • SetWindowLongA.USER32(00000000,000000FC,00409E38), ref: 0040AFED
    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
    • DestroyWindow.USER32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
    • API String ID: 3757039580-3001827809
    • Opcode ID: 8b47794ece5a076888d6ba8e282ae78aa650e81203083d5a0dbdbb06a009e2cc
    • Instruction ID: e11106d591c480187276ddc099787e7d0131364ad6526c401ab361da32b03a0a
    • Opcode Fuzzy Hash: 8b47794ece5a076888d6ba8e282ae78aa650e81203083d5a0dbdbb06a009e2cc
    • Instruction Fuzzy Hash: AB412F70E006049BD711EBE9EE86B6937A4EB58304F10417BF114BB2E2C7B89C05CB9D
    APIs
    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
    • SetWindowLongA.USER32(00000000,000000FC,00409E38), ref: 0040AFED
      • Part of subcall function 00407004: GetCommandLineA.KERNEL32(00000000,00407048,?,?,?,?,00000000,?,0040B05E,?), ref: 0040701C
      • Part of subcall function 00409EC4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000,00409F97), ref: 00409F34
      • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000), ref: 00409F48
      • Part of subcall function 00409EC4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
      • Part of subcall function 00409EC4: GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
      • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0), ref: 00409F7C
    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
    • DestroyWindow.USER32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
    • API String ID: 3586484885-3001827809
    • Opcode ID: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
    • Instruction ID: 2c50bf805cbcaae07aef26e9318175051bf4a01897437c95b2245b611fc910e4
    • Opcode Fuzzy Hash: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
    • Instruction Fuzzy Hash: A6413B71A106049FD710EBE9EE96B6937E4EB58304F10427AF514BB2E1D7B89C04CB9C
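    The function at 0x409920 (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA("SeShutdownPrivilege"), AdjustTokenPrivileges, ExitWindowsEx) and the loader function above that creates the STATIC window "InnoSetupLdrWindow" and spawns a child with CreateProcessA are only listed by the sandbox as raw API bullets, with every argument printed as a hex stack value. As an added triage helper, not part of the Joe Sandbox report and not code from the sample, the following Python parses those bullets exactly as printed, decodes the two constants a reviewer would otherwise look up by hand (the OpenProcessToken access mask 0x28 and the ExitWindowsEx flag 0x2) and flags the enable-privilege-then-reboot chain and the Inno Setup loader markers. The sample bullets are copied from the blocks on this page; the function and field names (ApiCall, parse_api_lines, classify) are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# One "APIs" bullet as rendered in a Joe Sandbox function block, e.g.
#   • ExitWindowsEx.USER32(00000002,00000000), ref: 0040998B
#   • Part of subcall function 00409EC4: CreateProcessA.KERNEL32(...), ref: 00409F34
#   • SetLastError.KERNEL32 ref: 0040AF99            (bullet with no argument list)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

# Windows constants needed to read the two decisive arguments.
TOKEN_ACCESS = {0x01: "TOKEN_ASSIGN_PRIMARY", 0x02: "TOKEN_DUPLICATE",
                0x04: "TOKEN_IMPERSONATE", 0x08: "TOKEN_QUERY",
                0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
                0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT",
                0x100: "TOKEN_ADJUST_SESSIONID"}
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}   # a value of 0 is EWX_LOGOFF
# Enable-privilege-then-reboot sequence; each step must come after the previous one.
SHUTDOWN_CHAIN = ("OpenProcessToken", "LookupPrivilegeValueA",
                  "AdjustTokenPrivileges", "ExitWindowsEx")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Union[int, str]]   # ints for hex stack values, text for '?' and resolved strings
    ref: int                      # call-site address
    subcall_of: Optional[int]     # callee address when marked "Part of subcall function"


def parse_arg(tok: str) -> Union[int, str]:
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok) else tok


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullets of one function block into ApiCall records; headings are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        sub, name, module, raw_args, ref = m.groups()
        args = [parse_arg(a) for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(name, module, args, int(ref, 16), int(sub, 16) if sub else None))
    return calls


def decode_flags(value: int, table: dict, zero_name: Optional[str] = None) -> List[str]:
    names = [n for bit, n in sorted(table.items()) if value & bit]
    return names or ([zero_name] if zero_name else [])


def classify(calls: List[ApiCall]) -> dict:
    """Flag the reboot chain and the Inno Setup loader markers within one function's calls."""
    verdict = {"shutdown_chain": False, "privilege": None, "token_access": [],
               "exit_flags": [], "inno_loader_window": False, "spawns_child": False}
    names = [c.name for c in calls]
    pos = 0
    for step in SHUTDOWN_CHAIN:            # ordered-subsequence match
        if step not in names[pos:]:
            break
        pos = names.index(step, pos) + 1
    else:
        verdict["shutdown_chain"] = True
    for c in calls:
        if c.name == "LookupPrivilegeValueA":
            verdict["privilege"] = next((a for a in c.args if isinstance(a, str) and a.startswith("Se")), None)
        elif c.name == "OpenProcessToken":
            # Joe prints the stack as it stood at the call, so positions are not reliable;
            # the access mask is taken as the first non-zero integer on it.
            mask = next((a for a in c.args if isinstance(a, int) and a), 0)
            verdict["token_access"] = decode_flags(mask, TOKEN_ACCESS)
        elif c.name == "ExitWindowsEx" and c.args and isinstance(c.args[0], int):
            verdict["exit_flags"] = decode_flags(c.args[0], EWX_FLAGS, "EWX_LOGOFF")
        elif c.name == "CreateWindowExA" and "InnoSetupLdrWindow" in c.args:
            verdict["inno_loader_window"] = True
        elif c.name == "CreateProcessA":
            verdict["spawns_child"] = True
    return verdict


# Bullets copied from the report blocks for function 0x409920 and for the loader function.
SHUTDOWN_BLOCK = """
    • GetCurrentProcess.KERNEL32(00000028), ref: 0040992F
    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409935
    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040994E
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409975
    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040997A
    • ExitWindowsEx.USER32(00000002,00000000), ref: 0040998B
"""
LOADER_BLOCK = """
    • SetLastError.KERNEL32 ref: 0040AF99
    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
      • Part of subcall function 00409EC4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000,00409F97), ref: 00409F34
      • Part of subcall function 00409EC4: GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
"""

if __name__ == "__main__":
    for label, block in (("0x409920", SHUTDOWN_BLOCK), ("loader", LOADER_BLOCK)):
        print(label, classify(parse_api_lines(block)))
```

    On the 0x409920 bullets this yields token_access TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, privilege SeShutdownPrivilege and exit_flags EWX_REBOOT, which is the behaviour the "Contains functionality to shutdown / reboot the system" signature is reporting. Two caveats for triage: the argument lists are stack snapshots, so only well-known positional arguments such as the ExitWindowsEx flags should be read positionally; and the "InnoSetupLdrWindow" window class together with the "/SL5=" string and the jrsoftware.org URL are the markers of an Inno Setup loader, in which a reboot-privilege chain is an expected installer feature, so the chain on its own does not distinguish a trojanised installer from a clean one.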
    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,00405A94,?,?,?,?,00000000,00000000,00000000,?,00406A73,00000000,00406A86), ref: 00405866
      • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
      • Part of subcall function 004056E0: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: InfoLocale$DefaultSystem
    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
    • API String ID: 1044490935-665933166
    • Opcode ID: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
    • Instruction ID: 6fbfddc16810fcf353c8d16d6476d0df8e1e1129542ac215d571de96c8bf2126
    • Opcode Fuzzy Hash: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
    • Instruction Fuzzy Hash: A8512034B005486BDB00EBA59891A8F7769DB98304F50D87BB505BB3C6DA3DDE098F5C
    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000,00409F97), ref: 00409F34
    • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000), ref: 00409F48
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
    • GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
    • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0), ref: 00409F7C
      • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,00000000), ref: 00409B44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
    • String ID: D
    • API String ID: 3356880605-2746444292
    • Opcode ID: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
    • Instruction ID: 5612ed86ad08d4bddb5d15266d7073179e0372755be9feb1331a68d3317c9ad6
    • Opcode Fuzzy Hash: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
    • Instruction Fuzzy Hash: 57114FB16442096EDB00EBE6CC52F9FB7ACEF49718F50007BB604F72C6DA789D048669
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocString
    • String ID:
    • API String ID: 262959230-0
    • Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
    • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
    • Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
    • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
    APIs
    • GetModuleHandleA.KERNEL32(00000000,0040AAE6), ref: 004030E3
    • GetCommandLineA.KERNEL32(00000000,0040AAE6), ref: 004030EE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CommandHandleLineModule
    • String ID: H'H$U1hd.@
    • API String ID: 2123368496-3849876926
    • Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
    • Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
    • Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
    • Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD
    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID: .tmp$xz@
    • API String ID: 2030045667-184514067
    • Opcode ID: 1a9f126479eefb79b953a8164ad266b4135b53319a1031089906e648eaa290f1
    • Instruction ID: cd6e40cb12cf75a94289ddc930eeb34ae46a26edf5cb602d02798e23291f977e
    • Opcode Fuzzy Hash: 1a9f126479eefb79b953a8164ad266b4135b53319a1031089906e648eaa290f1
    • Instruction Fuzzy Hash: B641C574B006009FD301EFA5DE92A6A77A5EB59704B10443BF800BB7E1CA79AC14CBAD
    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID: .tmp$xz@
    • API String ID: 2030045667-184514067
    • Opcode ID: e1506865f42f3e89b12404e73c43f8634e50fe20126f81ef68b30d74c7d8d1b2
    • Instruction ID: 53719d66007282c5495c6098f99a266dc5e357c3cd51cf55fd0a3e0a4036c937
    • Opcode Fuzzy Hash: e1506865f42f3e89b12404e73c43f8634e50fe20126f81ef68b30d74c7d8d1b2
    • Instruction Fuzzy Hash: B441C974B006009FC701EFA5DE92A5A77A5EB59704B10443BF800BB3E1CBB9AC04CBAD
    APIs
    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040984E
    • GetLastError.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409857
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateDirectoryErrorLast
    • String ID: .tmp
    • API String ID: 1375471231-2986845003
    • Opcode ID: ce1eb634d50c5b54d4636012cf297858a918ae837a7d9093118b41330ad7dbd4
    • Instruction ID: 99036c105fdce8595ace9a271e3c35a9b263f9a60d6b8e91bf220d2a738da6a3
    • Opcode Fuzzy Hash: ce1eb634d50c5b54d4636012cf297858a918ae837a7d9093118b41330ad7dbd4
    • Instruction Fuzzy Hash: 9F216775A10208ABDB00FFA5C8529DFB7B8EF84304F50457BE501B7382DA7C9E058BA9
    APIs
    • RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Unwind
    • String ID: a@$,`@
    • API String ID: 3419175465-3299659662
    • Opcode ID: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
    • Instruction ID: e18fd8dce0ff00c2f0e26d0eabb8ee8c5bb09bfe6675b42a72717897def5721e
    • Opcode Fuzzy Hash: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
    • Instruction Fuzzy Hash: 951182352042029BD724DE18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC81A769
    APIs
    • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A195
    Strings
    • Setup, xrefs: 0040A185
    • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A179
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
    • API String ID: 2030045667-3271211647
    • Opcode ID: f964c5d952e80919a557d204c7618e23288aff00c9616c12bc482df284809c8a
    • Instruction ID: 75c34cc78b7437cb0ca87fafc7654258806437370cb031ed823535619a0dd887
    • Opcode Fuzzy Hash: f964c5d952e80919a557d204c7618e23288aff00c9616c12bc482df284809c8a
    • Instruction Fuzzy Hash: 8BE0E5302043087EE301EA629C03F5A7BACE7CAB04F600477F900B55C1C6786E10842D
    APIs
    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099CF
    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099DF
    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099F2
    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099FC
    Memory Dump Source
    • Source File: 00000000.00000002.1571772015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1571758137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571787469.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1571801512.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorLastSleep
    • String ID:
    • API String ID: 1458359878-0
    • Opcode ID: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
    • Instruction ID: eb7512966d821cc35779f37d74516ce45850f6d6c39c5245c2e713911e3afcfa
    • Opcode Fuzzy Hash: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
    • Instruction Fuzzy Hash: F9F0BBB27012986BCB24A5AE8C86A6FB348EAD1358710403FF504F7393D439DC0156A9

    Execution Graph

    Execution Coverage:11.1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:1560
    Total number of Limit Nodes:12
    [Execution graph: interactive widget, not reproducible here. Its export is a flat token stream of decimal graph node id, six-hex-digit function address, the Win32 APIs called in that block, and src->dst edges; "N API calls" marks a collapsed subgraph. The API-bearing nodes recovered from the export, grouped by the function they sit under:]
    • 409920 (reached from 40b12c): GetCurrentProcess, OpenProcessToken (40992c); LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError (409942); ExitWindowsEx (409987); failure path MessageBoxA (40b158)
    • 409ec4: CreateProcessA (409f31), CloseHandle (409f44), GetExitCodeProcess, CloseHandle (409f6e); wait loop 409e98: PeekMessageA, TranslateMessage, DispatchMessageA, MsgWaitForMultipleObjects; error path 409b20: GetLastError
    • 4099b0: Sleep (4099cb, 4099db), GetLastError (4099f2, 4099fc) retry loop around 409470: DeleteFileA, GetLastError (4094a6), Wow64RevertWow64FsRedirection (409460)
    • 40af7a: CreateWindowExA, SetWindowLongA (40afb4); GetCommandLineA (407004); RemoveDirectoryA (40b0d8); DestroyWindow (40b0e7); same RemoveDirectoryA/DestroyWindow tail reached from 40b127
    • 40aad0 startup: GetModuleHandleA, GetCommandLineA (4030e1); 404654: GetModuleHandleA, GetVersion, GetProcAddress (404685, 4046ad, 4048d2, 4048e8), SetProcessDEPPolicy (4048f7), GetSystemDirectoryA (4045a0), SetErrorMode (4045cc), LoadLibraryA (403418); 409558: GetModuleHandleA, GetProcAddress; 40717c: GetSystemDirectoryA; 407454: SetErrorMode, LoadLibraryA (40748c), FormatMessageA (407738)
    • 40a050: GetSystemInfo, VirtualQuery (40a050, 40a0e5), VirtualProtect (40a0a4, 40a0d3)
    • 40a10c: FindResourceA, SizeofResource (40a126), LoadResource (40a138), LockResource (40a14b); 407dcc: InterlockedExchange
    • 4070b4: GetModuleFileNameA (4070db), GetCommandLineA (4070ff); 407058: GetCommandLineA
    • 406a50 locale probing: GetSystemDefaultLCID (405708, 40584c), GetLocaleInfoA (405694, 4056e0), LoadStringA (405164), GetVersionExA (40617c)
    • 40ad07: MessageBoxA (40ad4d), GetSystemTime (4026c4)
    • Other message/exit paths: MessageBoxA (40a192, 409c15, 403d8f), ExitProcess (403ddf)
    • File I/O: CreateFileA (407a6b), ReadFile (403a28), WriteFile (403a5a, 407b7c), SetFilePointer (407a78), each followed by GetLastError
    • Runtime support: RtlInitializeCriticalSection (401918), RtlEnterCriticalSection/RtlLeaveCriticalSection (40193c/4019c3, 402012/40213d, 401a04/401a9f), RtlDeleteCriticalSection (401aa9); LocalAlloc/LocalFree (40132c, 4013a0, 401964, 403120, 401a0e, 401a70); VirtualAlloc/VirtualFree (401430, 4015c4, 40150c, 40188c, 40836c, 401a2f); TlsGetValue/TlsSetValue (403174, 40318c, 40313e, 4031b8); RtlUnwind (402e7a, 402c56, 40302a, 402d88); RaiseException (402b28, 402b31, 402b48, 402bd5, 402bf1); VariantClear (403779); CallWindowProcA (409e76); IsDBCSLeadByte (406b04); CharPrevA (406dd8, 406df8); SetErrorMode (404638, 4074bc)
5735->5737 5736 4031e8 18 API calls 5738 405d37 5736->5738 5737->5736 5738->5729 5740 40564d 5739->5740 5747 4052e0 5740->5747 5743 405679 5745 403278 18 API calls 5743->5745 5746 40562b 5745->5746 5746->5725 5749 4052fb 5747->5749 5748 40530d 5748->5743 5752 40506c 5748->5752 5749->5748 5755 405402 5749->5755 5762 4052d4 5749->5762 5753 405dc8 19 API calls 5752->5753 5754 40507d 5753->5754 5754->5743 5756 405413 5755->5756 5758 405461 5755->5758 5756->5758 5759 4054e7 5756->5759 5761 40547f 5758->5761 5765 40527c 5758->5765 5759->5761 5769 4052c0 5759->5769 5761->5749 5763 403198 4 API calls 5762->5763 5764 4052de 5763->5764 5764->5749 5766 40528a 5765->5766 5772 405084 5766->5772 5768 4052b8 5768->5758 5785 4039a4 5769->5785 5775 405e38 5772->5775 5774 40509d 5774->5768 5776 405e46 5775->5776 5777 405164 19 API calls 5776->5777 5778 405e70 5777->5778 5779 40561c 33 API calls 5778->5779 5780 405e7e 5779->5780 5781 4031e8 18 API calls 5780->5781 5782 405e89 5781->5782 5783 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5782->5783 5784 405ea3 5783->5784 5784->5774 5786 4039ab 5785->5786 5791 4038b4 5786->5791 5788 4039cb 5789 403198 4 API calls 5788->5789 5790 4039d2 5789->5790 5790->5761 5792 4038d5 5791->5792 5793 4038c8 5791->5793 5795 403934 5792->5795 5796 4038db 5792->5796 5794 403780 6 API calls 5793->5794 5808 4038d0 5794->5808 5797 403993 5795->5797 5798 40393b 5795->5798 5799 4038e1 5796->5799 5800 4038ee 5796->5800 5801 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5797->5801 5802 403941 5798->5802 5803 40394b 5798->5803 5804 403894 6 API calls 5799->5804 5805 403894 6 API calls 5800->5805 5801->5808 5806 403864 23 API calls 5802->5806 5807 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5803->5807 5804->5808 5809 4038fc 5805->5809 5806->5808 5810 40395d 5807->5810 5808->5788 5811 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5809->5811 5812 403864 23 API calls 5810->5812 5813 403917 5811->5813 5814 403976 
5812->5814 5815 40374c VariantClear 5813->5815 5817 40374c VariantClear 5814->5817 5816 40392c 5815->5816 5816->5788 5818 40398b 5817->5818 5818->5788 5820 407d8a 5819->5820 5821 407d9b 5819->5821 5822 407d8f InterlockedExchange 5820->5822 5821->5154 5822->5821 5824 408187 5823->5824 5828 40817c 5823->5828 5829 408110 5824->5829 5827 405d18 18 API calls 5827->5828 5828->5381 5830 408163 5829->5830 5831 408124 5829->5831 5830->5827 5830->5828 5831->5830 5833 408060 5831->5833 5834 40806b 5833->5834 5837 40807c 5833->5837 5835 405d18 18 API calls 5834->5835 5835->5837 5836 407954 34 API calls 5838 408090 5836->5838 5837->5836 5839 407954 34 API calls 5838->5839 5840 4080b1 5839->5840 5841 407dcc InterlockedExchange 5840->5841 5842 4080c6 5841->5842 5843 4080dc 5842->5843 5844 405d18 18 API calls 5842->5844 5843->5831 5844->5843 6136 4024d0 6137 4024e4 6136->6137 6138 4024e9 6136->6138 6139 401918 4 API calls 6137->6139 6140 402518 6138->6140 6141 40250e RtlEnterCriticalSection 6138->6141 6143 4024ed 6138->6143 6139->6138 6151 402300 6140->6151 6141->6140 6145 402525 6147 402581 6145->6147 6148 402577 RtlLeaveCriticalSection 6145->6148 6146 401fd4 14 API calls 6149 402531 6146->6149 6148->6147 6149->6145 6161 40215c 6149->6161 6152 402314 6151->6152 6153 402335 6152->6153 6154 4023b8 6152->6154 6155 402344 6153->6155 6175 401b74 6153->6175 6154->6155 6158 402455 6154->6158 6178 401d80 6154->6178 6182 401e84 6154->6182 6155->6145 6155->6146 6158->6155 6160 401d00 9 API calls 6158->6160 6160->6155 6162 40217a 6161->6162 6163 402175 6161->6163 6165 4021b5 6162->6165 6166 4021ab RtlEnterCriticalSection 6162->6166 6167 40217e 6162->6167 6164 401918 4 API calls 6163->6164 6164->6162 6168 402244 6165->6168 6172 4021c1 6165->6172 6173 402270 6165->6173 6166->6165 6167->6145 6168->6167 6171 401d80 7 API calls 6168->6171 6169 4022e3 RtlLeaveCriticalSection 6170 4022ed 6169->6170 6170->6145 6171->6167 6172->6169 6172->6170 6173->6172 6174 401d00 7 API calls 6173->6174 6174->6172 
6176 40215c 9 API calls 6175->6176 6177 401b95 6176->6177 6177->6155 6179 401d92 6178->6179 6180 401d89 6178->6180 6179->6154 6180->6179 6181 401b74 9 API calls 6180->6181 6181->6179 6187 401768 6182->6187 6184 401e99 6185 401ea6 6184->6185 6186 401dcc 9 API calls 6184->6186 6185->6154 6186->6185 6190 401787 6187->6190 6188 40183b 6196 4017e7 6188->6196 6202 4015c4 6188->6202 6189 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6189->6190 6190->6188 6190->6189 6192 40132c LocalAlloc 6190->6192 6193 401821 6190->6193 6195 4017d6 6190->6195 6192->6190 6194 40150c VirtualFree 6193->6194 6194->6196 6198 40150c 6195->6198 6196->6184 6201 40153b 6198->6201 6199 401594 6199->6196 6200 401568 VirtualFree 6200->6201 6201->6199 6201->6200 6203 40160a 6202->6203 6204 401626 VirtualAlloc 6203->6204 6205 40163a 6203->6205 6204->6203 6204->6205 6205->6196 6206 4028d2 6207 4028da 6206->6207 6209 4028ef 6207->6209 6212 403554 6207->6212 6210 4025ac 4 API calls 6209->6210 6211 4028f4 6210->6211 6213 403566 6212->6213 6215 403578 6213->6215 6216 403604 6213->6216 6215->6207 6217 40357c 6216->6217 6220 4035d0 6217->6220 6221 40359b 6217->6221 6224 4035a0 6217->6224 6226 4035b6 6217->6226 6218 4035b1 6222 403198 4 API calls 6218->6222 6219 4035b8 6223 4031b8 4 API calls 6219->6223 6220->6226 6229 40357c 6220->6229 6221->6224 6225 4035ec 6221->6225 6222->6226 6223->6226 6224->6218 6224->6219 6225->6226 6228 403554 4 API calls 6225->6228 6226->6213 6228->6225 6230 403591 6229->6230 6231 4035a0 6229->6231 6234 4035b6 6230->6234 6235 4035d0 6230->6235 6236 40359b 6230->6236 6232 4035b1 6231->6232 6233 4035b8 6231->6233 6237 403198 4 API calls 6232->6237 6238 4031b8 4 API calls 6233->6238 6234->6220 6235->6234 6239 40357c 4 API calls 6235->6239 6236->6231 6241 4035ec 6236->6241 6237->6234 6238->6234 6239->6235 6240 403554 4 API calls 6240->6241 6241->6234 6241->6240 6242 4094d2 6243 4094c4 6242->6243 6246 409460 6243->6246 6247 409465 Wow64RevertWow64FsRedirection 6246->6247 6248 
40946f 6246->6248 6247->6248 6999 4019d3 7000 4019ba 6999->7000 7001 4019c3 RtlLeaveCriticalSection 7000->7001 7002 4019cd 7000->7002 7001->7002 6249 4094d4 SetLastError 6250 4094dd 6249->6250 7003 407bd6 7010 407bd8 7003->7010 7004 407b90 WriteFile 7005 407ba3 7004->7005 7006 407b9c 7004->7006 7008 407bb4 7005->7008 7009 4078a0 34 API calls 7005->7009 7007 407940 35 API calls 7006->7007 7007->7005 7009->7008 7010->7004 7011 407c94 7010->7011 6251 407ae0 ReadFile 6252 407b00 6251->6252 6253 407b17 6251->6253 6254 407b10 6252->6254 6255 407b06 GetLastError 6252->6255 6256 407940 35 API calls 6254->6256 6255->6253 6255->6254 6256->6253 7015 4075e2 7016 4075cc 7015->7016 7017 403198 4 API calls 7016->7017 7018 4075d4 7017->7018 7019 403198 4 API calls 7018->7019 7020 4075dc 7019->7020 7021 4093e4 7024 4092b0 7021->7024 7025 4092b9 7024->7025 7026 403198 4 API calls 7025->7026 7027 4092c7 7025->7027 7026->7025 7028 4055e8 7029 4055fb 7028->7029 7030 4052e0 33 API calls 7029->7030 7031 40560f 7030->7031 7032 402be9 RaiseException 7033 402c04 7032->7033 6257 40acec 6258 40ad11 6257->6258 6291 409e14 6258->6291 6260 40ad69 6303 4026c4 GetSystemTime 6260->6303 6262 40ad16 6262->6260 6296 40928c 6262->6296 6263 40ad6e 6304 409808 6263->6304 6267 40ad45 6270 40ad4d MessageBoxA 6267->6270 6268 4031e8 18 API calls 6269 40ad83 6268->6269 6322 406db0 6269->6322 6270->6260 6273 40ad5a 6270->6273 6299 405cec 6273->6299 6277 406ac0 19 API calls 6278 40adb1 6277->6278 6279 403340 18 API calls 6278->6279 6280 40adbf 6279->6280 6281 4031e8 18 API calls 6280->6281 6282 40adcf 6281->6282 6283 407994 37 API calls 6282->6283 6284 40ae0e 6283->6284 6285 402594 18 API calls 6284->6285 6286 40ae2e 6285->6286 6287 407edc 19 API calls 6286->6287 6288 40ae70 6287->6288 6289 40816c 35 API calls 6288->6289 6290 40ae97 6289->6290 6339 409a14 6291->6339 6416 40925c 6296->6416 6300 405cf1 6299->6300 6301 405dc8 19 API calls 6300->6301 6302 405d03 6301->6302 6302->6302 6303->6263 6320 409828 
6304->6320 6307 40984d CreateDirectoryA 6308 4098c5 6307->6308 6309 409857 GetLastError 6307->6309 6310 40322c 4 API calls 6308->6310 6309->6320 6311 4098cf 6310->6311 6313 4031b8 4 API calls 6311->6313 6312 40928c 18 API calls 6312->6320 6315 4098e9 6313->6315 6317 4031b8 4 API calls 6315->6317 6316 407738 19 API calls 6316->6320 6318 4098f6 6317->6318 6318->6268 6319 40925c 18 API calls 6319->6320 6320->6307 6320->6312 6320->6316 6320->6319 6321 405d18 18 API calls 6320->6321 6420 4071a8 6320->6420 6443 4096fc 6320->6443 6462 40511c 6320->6462 6321->6320 6559 406ca8 6322->6559 6325 403454 18 API calls 6326 406dd2 6325->6326 6327 406b48 6326->6327 6564 406d6c 6327->6564 6330 406b86 6333 403454 18 API calls 6330->6333 6331 406b78 6332 403340 18 API calls 6331->6332 6334 406b84 6332->6334 6335 406b99 6333->6335 6337 403198 4 API calls 6334->6337 6336 403340 18 API calls 6335->6336 6336->6334 6338 406bbb 6337->6338 6338->6277 6345 409a33 6339->6345 6340 409a68 6342 409a75 GetUserDefaultLangID 6340->6342 6346 409a6a 6340->6346 6341 409a6c 6356 4074d8 GetModuleHandleA GetProcAddress 6341->6356 6342->6346 6344 409a47 6350 409da4 6344->6350 6345->6340 6345->6341 6345->6344 6346->6344 6347 409aa3 GetACP 6346->6347 6348 409ac7 6346->6348 6347->6344 6347->6346 6348->6344 6349 409aed GetACP 6348->6349 6349->6344 6349->6348 6351 409de6 6350->6351 6352 409dac 6350->6352 6351->6262 6352->6351 6353 403420 18 API calls 6352->6353 6354 409de0 6353->6354 6400 409334 6354->6400 6357 407512 6356->6357 6358 40751b 6356->6358 6369 403198 4 API calls 6357->6369 6359 407524 6358->6359 6360 40755c 6358->6360 6377 40741c 6359->6377 6362 40741c RegOpenKeyExA 6360->6362 6363 407575 6362->6363 6365 407592 6363->6365 6366 407410 20 API calls 6363->6366 6364 40753d 6364->6365 6380 407410 6364->6380 6367 40322c 4 API calls 6365->6367 6370 407589 RegCloseKey 6366->6370 6371 40759f 6367->6371 6373 4075d4 6369->6373 6370->6365 6375 4032fc 18 API calls 6371->6375 6374 403198 4 API calls 6373->6374 
6376 4075dc 6374->6376 6375->6357 6376->6346 6378 407427 6377->6378 6379 40742d RegOpenKeyExA 6377->6379 6378->6379 6379->6364 6383 4072c4 6380->6383 6384 4072ea RegQueryValueExA 6383->6384 6387 40730d 6384->6387 6399 40732f 6384->6399 6385 403198 4 API calls 6388 4073fb RegCloseKey 6385->6388 6386 407327 6389 403198 4 API calls 6386->6389 6387->6386 6390 403278 18 API calls 6387->6390 6391 403420 18 API calls 6387->6391 6387->6399 6388->6365 6389->6399 6390->6387 6392 407364 RegQueryValueExA 6391->6392 6392->6384 6393 407380 6392->6393 6394 4034f0 18 API calls 6393->6394 6393->6399 6395 4073c2 6394->6395 6396 4073d4 6395->6396 6398 403420 18 API calls 6395->6398 6397 4031e8 18 API calls 6396->6397 6397->6399 6398->6396 6399->6385 6401 409342 6400->6401 6403 40935a 6401->6403 6413 4092cc 6401->6413 6404 4092cc 18 API calls 6403->6404 6405 40937e 6403->6405 6404->6405 6406 407dcc InterlockedExchange 6405->6406 6407 409399 6406->6407 6408 4092cc 18 API calls 6407->6408 6410 4093ac 6407->6410 6408->6410 6409 4092cc 18 API calls 6409->6410 6410->6409 6411 403278 18 API calls 6410->6411 6412 4093db 6410->6412 6411->6410 6412->6351 6414 405d18 18 API calls 6413->6414 6415 4092dd 6414->6415 6415->6403 6417 40927c 6416->6417 6418 409134 18 API calls 6417->6418 6419 409285 6418->6419 6419->6267 6465 406ee0 6420->6465 6423 4071da 6424 406ee0 19 API calls 6423->6424 6427 407226 6423->6427 6426 4071ea 6424->6426 6428 4071f6 6426->6428 6430 406ebc 21 API calls 6426->6430 6479 406d10 6427->6479 6428->6427 6431 40721b 6428->6431 6433 406ee0 19 API calls 6428->6433 6430->6428 6431->6427 6476 407150 GetWindowsDirectoryA 6431->6476 6436 40720f 6433->6436 6435 406ac0 19 API calls 6437 40723b 6435->6437 6436->6431 6439 406ebc 21 API calls 6436->6439 6438 40322c 4 API calls 6437->6438 6440 407245 6438->6440 6439->6431 6441 4031b8 4 API calls 6440->6441 6442 40725f 6441->6442 6442->6320 6444 40971c 6443->6444 6445 406ac0 19 API calls 6444->6445 6446 409735 6445->6446 6447 40322c 4 API 
calls 6446->6447 6450 409740 6447->6450 6449 406e00 20 API calls 6449->6450 6450->6449 6451 4033b4 18 API calls 6450->6451 6452 40928c 18 API calls 6450->6452 6454 405d18 18 API calls 6450->6454 6455 4097bc 6450->6455 6526 409688 6450->6526 6534 4094e8 6450->6534 6451->6450 6452->6450 6454->6450 6456 40322c 4 API calls 6455->6456 6457 4097c7 6456->6457 6458 4031b8 4 API calls 6457->6458 6459 4097e1 6458->6459 6460 403198 4 API calls 6459->6460 6461 4097e9 6460->6461 6461->6320 6463 405630 33 API calls 6462->6463 6464 40513a 6463->6464 6464->6320 6466 4034f0 18 API calls 6465->6466 6467 406ef3 6466->6467 6468 406f0a GetEnvironmentVariableA 6467->6468 6472 406f1d 6467->6472 6488 4072a0 6467->6488 6468->6467 6469 406f16 6468->6469 6470 403198 4 API calls 6469->6470 6470->6472 6472->6423 6473 406ebc 6472->6473 6492 406e64 6473->6492 6477 405268 18 API calls 6476->6477 6478 407171 6477->6478 6478->6427 6480 403414 6479->6480 6481 406d33 GetFullPathNameA 6480->6481 6482 406d56 6481->6482 6483 406d3f 6481->6483 6485 40322c 4 API calls 6482->6485 6483->6482 6484 406d47 6483->6484 6486 403278 18 API calls 6484->6486 6487 406d54 6485->6487 6486->6487 6487->6435 6489 4072ae 6488->6489 6490 4034f0 18 API calls 6489->6490 6491 4072bc 6490->6491 6491->6467 6499 406e00 6492->6499 6494 406e86 6495 406e8e GetFileAttributesA 6494->6495 6496 406ea3 6495->6496 6497 403198 4 API calls 6496->6497 6498 406eab 6497->6498 6498->6423 6509 406bcc 6499->6509 6501 406e38 6504 406e43 6501->6504 6505 406e4e 6501->6505 6503 406e11 6503->6501 6516 406df8 CharPrevA 6503->6516 6506 40322c 4 API calls 6504->6506 6517 403454 6505->6517 6508 406e4c 6506->6508 6508->6494 6512 406bdd 6509->6512 6510 406c41 6511 406b08 IsDBCSLeadByte 6510->6511 6513 406c3c 6510->6513 6511->6513 6512->6510 6514 406bfb 6512->6514 6513->6503 6514->6513 6524 406b08 IsDBCSLeadByte 6514->6524 6516->6503 6518 403486 6517->6518 6519 403459 6517->6519 6520 403198 4 API calls 6518->6520 6519->6518 6522 40346d 6519->6522 6521 40347c 
6520->6521 6521->6508 6523 403278 18 API calls 6522->6523 6523->6521 6525 406b1c 6524->6525 6525->6514 6527 403198 4 API calls 6526->6527 6529 4096a9 6527->6529 6531 4096d6 6529->6531 6543 4032a8 6529->6543 6546 403494 6529->6546 6532 403198 4 API calls 6531->6532 6533 4096eb 6532->6533 6533->6450 6550 409424 6534->6550 6536 4094fe 6537 409502 6536->6537 6556 406ed0 6536->6556 6537->6450 6540 409535 6541 409460 Wow64RevertWow64FsRedirection 6540->6541 6542 40953d 6541->6542 6542->6450 6544 403278 18 API calls 6543->6544 6545 4032b5 6544->6545 6545->6529 6547 403498 6546->6547 6549 4034c3 6546->6549 6548 4034f0 18 API calls 6547->6548 6548->6549 6549->6529 6551 409432 6550->6551 6552 40942e 6550->6552 6553 409454 SetLastError 6551->6553 6554 40943b Wow64DisableWow64FsRedirection 6551->6554 6552->6536 6555 40944f 6553->6555 6554->6555 6555->6536 6557 406e64 21 API calls 6556->6557 6558 406eda GetLastError 6557->6558 6558->6540 6560 406bcc IsDBCSLeadByte 6559->6560 6562 406cbd 6560->6562 6561 406d07 6561->6325 6562->6561 6563 406b08 IsDBCSLeadByte 6562->6563 6563->6562 6565 406d7b 6564->6565 6566 406ca8 IsDBCSLeadByte 6565->6566 6568 406d86 6566->6568 6567 406b72 6567->6330 6567->6331 6568->6567 6569 406b08 IsDBCSLeadByte 6568->6569 6569->6568 6574 402af2 6575 402afe 6574->6575 6578 402ed0 6575->6578 6579 403154 4 API calls 6578->6579 6581 402ee0 6579->6581 6580 402b03 6581->6580 6583 402b0c 6581->6583 6584 402b25 6583->6584 6585 402b15 RaiseException 6583->6585 6584->6580 6585->6584 5926 406df8 CharPrevA 7044 402dfa 7045 402e26 7044->7045 7046 402e0d 7044->7046 7048 402ba4 7046->7048 7049 402bc9 7048->7049 7050 402bad 7048->7050 7049->7045 7051 402bb5 RaiseException 7050->7051 7051->7049 5929 4079fc 5930 407a08 CloseHandle 5929->5930 5931 407a11 5929->5931 5930->5931 6596 403a80 CloseHandle 6597 403a90 6596->6597 6598 403a91 GetLastError 6596->6598 6599 404283 6600 4042c3 6599->6600 6601 403154 4 API calls 6600->6601 6602 404323 6601->6602 7052 404185 7053 4041ff 
7052->7053 7054 4041cc 7053->7054 7055 403154 4 API calls 7053->7055 7056 404323 7055->7056 6603 403e87 6604 403e4c 6603->6604 6605 403e62 6604->6605 6606 403e7b 6604->6606 6609 403e67 6604->6609 6608 403cc8 4 API calls 6605->6608 6607 402674 4 API calls 6606->6607 6610 403e78 6607->6610 6608->6609 6609->6610 6611 402674 4 API calls 6609->6611 6611->6610 6612 408488 6613 40849a 6612->6613 6616 4084a1 6612->6616 6623 4083c4 6613->6623 6615 4084d5 6619 408502 6615->6619 6621 408230 33 API calls 6615->6621 6616->6615 6617 4084c9 6616->6617 6618 4084cb 6616->6618 6637 4082e0 6617->6637 6634 408230 6618->6634 6621->6619 6624 4083d9 6623->6624 6625 408230 33 API calls 6624->6625 6626 4083e8 6624->6626 6625->6626 6627 408422 6626->6627 6628 408230 33 API calls 6626->6628 6629 408436 6627->6629 6630 408230 33 API calls 6627->6630 6628->6627 6633 408462 6629->6633 6644 40836c 6629->6644 6630->6629 6633->6616 6647 405d4c 6634->6647 6636 408252 6636->6615 6638 40561c 33 API calls 6637->6638 6639 40830b 6638->6639 6655 408298 6639->6655 6641 408313 6642 403198 4 API calls 6641->6642 6643 408328 6642->6643 6643->6615 6645 40837b VirtualFree 6644->6645 6646 40838d VirtualAlloc 6644->6646 6645->6646 6646->6633 6648 405d58 6647->6648 6649 40561c 33 API calls 6648->6649 6650 405d85 6649->6650 6651 4031e8 18 API calls 6650->6651 6652 405d90 6651->6652 6653 403198 4 API calls 6652->6653 6654 405da5 6653->6654 6654->6636 6656 405d4c 33 API calls 6655->6656 6657 4082ba 6656->6657 6657->6641 7061 40af8d 7062 40af90 SetLastError 7061->7062 7063 409b20 35 API calls 7062->7063 7064 40afa5 7063->7064 7065 40afaa 7064->7065 7066 402f24 5 API calls 7064->7066 7067 40afb4 CreateWindowExA SetWindowLongA 7065->7067 7066->7065 7068 40561c 33 API calls 7067->7068 7069 40b037 7068->7069 7070 4032fc 18 API calls 7069->7070 7071 40b045 7070->7071 7072 4032fc 18 API calls 7071->7072 7073 40b052 7072->7073 7074 407004 19 API calls 7073->7074 7075 40b05e 7074->7075 7076 4032fc 18 API calls 7075->7076 
7077 40b067 7076->7077 7078 409ec4 43 API calls 7077->7078 7079 40b079 7078->7079 7080 40b08c 7079->7080 7081 409da4 19 API calls 7079->7081 7082 40b0c5 7080->7082 7083 4099b0 9 API calls 7080->7083 7081->7080 7084 40b0de 7082->7084 7087 40b0d8 RemoveDirectoryA 7082->7087 7083->7082 7085 40b0f2 7084->7085 7086 40b0e7 DestroyWindow 7084->7086 7088 40b11a 7085->7088 7089 40357c 4 API calls 7085->7089 7086->7085 7087->7084 7090 40b110 7089->7090 7091 4025ac 4 API calls 7090->7091 7091->7088 7092 403991 7093 403983 7092->7093 7094 40374c VariantClear 7093->7094 7095 40398b 7094->7095 6667 403a97 6668 403aac 6667->6668 6669 403bbc GetStdHandle 6668->6669 6670 403b0e CreateFileA 6668->6670 6680 403ab2 6668->6680 6671 403c17 GetLastError 6669->6671 6675 403bba 6669->6675 6670->6671 6672 403b2c 6670->6672 6671->6680 6674 403b3b GetFileSize 6672->6674 6672->6675 6674->6671 6676 403b4e SetFilePointer 6674->6676 6677 403be7 GetFileType 6675->6677 6675->6680 6676->6671 6681 403b6a ReadFile 6676->6681 6679 403c02 CloseHandle 6677->6679 6677->6680 6679->6680 6681->6671 6682 403b8c 6681->6682 6682->6675 6683 403b9f SetFilePointer 6682->6683 6683->6671 6684 403bb0 SetEndOfFile 6683->6684 6684->6671 6684->6675 6697 402caa 6698 403154 4 API calls 6697->6698 6699 402caf 6698->6699 6700 4028ac 6701 402594 18 API calls 6700->6701 6702 4028b6 6701->6702 6703 407aae GetFileSize 6704 407ada 6703->6704 6705 407aca GetLastError 6703->6705 6705->6704 6706 407ad3 6705->6706 6707 407940 35 API calls 6706->6707 6707->6704 6714 40aeb6 6715 40aedb 6714->6715 6716 407dcc InterlockedExchange 6715->6716 6717 40af05 6716->6717 6718 40af15 6717->6718 6719 409fc0 18 API calls 6717->6719 6724 407b60 SetEndOfFile 6718->6724 6719->6718 6721 40af31 6722 4025ac 4 API calls 6721->6722 6723 40af68 6722->6723 6725 407b70 6724->6725 6726 407b77 6724->6726 6727 407940 35 API calls 6725->6727 6726->6721 6727->6726 6732 401ab9 6733 401a96 6732->6733 6734 401aa9 RtlDeleteCriticalSection 6733->6734 6735 401a9f 
RtlLeaveCriticalSection 6733->6735 6735->6734

    Control-flow Graph

    control_flow_graph 387 405694-4056b9 GetLocaleInfoA 388 4056bb-4056cb call 403278 387->388 389 4056cd-4056d1 call 40322c 387->389 393 4056d6-4056db 388->393 389->393
    APIs
    • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
    • Instruction ID: 16534491fad4532095b25154bcfa4eb159586e841354a195c3175f568a425c49
    • Opcode Fuzzy Hash: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
    • Instruction Fuzzy Hash: 4DE0D87170021827D710A9699C86EFB725CE758310F4006BFB908E73C2EDB59E8046ED

    Control-flow Graph

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 0040466F
    • GetVersion.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 00404676
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048D8
    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048EE
    • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 004048F9
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressProc$HandleModulePolicyProcessVersion
    • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
    • API String ID: 3297890031-1119018034
    • Opcode ID: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
    • Instruction ID: 8135fb14ee81180893b1f543c3a29e932c16cf19254b5bff3906bd7e71ea8aa3
    • Opcode Fuzzy Hash: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
    • Instruction Fuzzy Hash: 9D611270600159AFDB00FBF6DA8398E77A89F80305B2045BBA604772D6D778EF059B5D

    Control-flow Graph

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 0040957A
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409580
    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 00409594
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040959A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
    • API String ID: 1646373207-2130885113
    • Opcode ID: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
    • Instruction ID: a26a6a73124c26f393fcd3150f7a0ae21a729c0721f3e308dc05a8b68c4216e4
    • Opcode Fuzzy Hash: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
    • Instruction Fuzzy Hash: AD119170908244BEDB00FBA6CD02B497BA8DB85704F20447BB500762D3CA7D5D08DA2D

    Control-flow Graph

    control_flow_graph 121 4019dc-4019e7 122 401abb-401abd 121->122 123 4019ed-401a02 121->123 124 401a04-401a09 RtlEnterCriticalSection 123->124 125 401a0e-401a2d LocalFree 123->125 124->125 126 401a41-401a47 125->126 127 401a49-401a6e call 4012dc * 3 126->127 128 401a2f-401a3f VirtualFree 126->128 135 401a70-401a85 LocalFree 127->135 136 401a87-401a9d 127->136 128->126 135->135 135->136 138 401aa9-401ab3 RtlDeleteCriticalSection 136->138 139 401a9f-401aa4 RtlLeaveCriticalSection 136->139 139->138
    APIs
    • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
    • LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
    • RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
    • RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
    • String ID:
    • API String ID: 3782394904-0
    • Opcode ID: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
    • Instruction ID: 2a1e8c518b16d72ac75c21d19d034316e64e92064156904d4596c6339aa50fda
    • Opcode Fuzzy Hash: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
    • Instruction Fuzzy Hash: 65114274B422805ADB11EBE99EC6F5276689785708F44407FF448B62F2C67CA848CB6D

    Control-flow Graph

    control_flow_graph 140 40a050-40a074 GetSystemInfo VirtualQuery 141 40a104-40a10b 140->141 142 40a07a 140->142 143 40a0f9-40a0fe 142->143 143->141 144 40a07c-40a083 143->144 145 40a0e5-40a0f7 VirtualQuery 144->145 146 40a085-40a089 144->146 145->141 145->143 146->145 147 40a08b-40a093 146->147 148 40a0a4-40a0b5 VirtualProtect 147->148 149 40a095-40a098 147->149 151 40a0b7 148->151 152 40a0b9-40a0bb 148->152 149->148 150 40a09a-40a09d 149->150 150->148 154 40a09f-40a0a2 150->154 151->152 153 40a0ca-40a0cd 152->153 155 40a0bd-40a0c6 call 40a048 153->155 156 40a0cf-40a0d1 153->156 154->148 154->152 155->153 156->145 158 40a0d3-40a0e0 VirtualProtect 156->158 158->145
    APIs
    • GetSystemInfo.KERNEL32(?), ref: 0040A062
    • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A06D
    • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0AE
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0E0
    • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0F0
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Virtual$ProtectQuery$InfoSystem
    • String ID:
    • API String ID: 2441996862-0
    • Opcode ID: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
    • Instruction ID: d22f8a83843956dcd0f1bd3c30f31cd8ee5be065fb893754064b45e2edc0d12d
    • Opcode Fuzzy Hash: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
    • Instruction Fuzzy Hash: 8921AEB12003086BD630DE998D85E6BB3D8DF85354F04483AF685E33C2D77DE864966A

    Control-flow Graph (summary of the rendered graph): blocks 403d02-403e19; API calls MessageBoxA, ExitProcess; internal calls 403cc8, 4019dc, 4030b4, 403fe4, 403f67
    APIs
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
    • ExitProcess.KERNEL32 ref: 00403DE5
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExitMessageProcess
    • String ID: Error$Runtime error at 00000000
    • API String ID: 1220098344-2970929446
    • Opcode ID: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
    • Instruction ID: 19c161ad1fd1f445befe0ff666437f64548d8e35ccd3b0abec794ae5707e41c3
    • Opcode Fuzzy Hash: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
    • Instruction Fuzzy Hash: 0421C834E152418AE714EFE59A817153E989B5930DF04817BD504B73E3C67C9A4EC36E

    Control-flow Graph (summary of the rendered graph): blocks 401918-4019cd; API calls RtlInitializeCriticalSection, RtlEnterCriticalSection, LocalAlloc, RtlLeaveCriticalSection; internal call 4012dc
    APIs
    • RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
    • RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
    • LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
    • RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
    • String ID:
    • API String ID: 730355536-0
    • Opcode ID: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
    • Instruction ID: ca3d82fa79822ebb621977d4c6345e30539334a4bf25a92a69ec079a2ec9ab95
    • Opcode Fuzzy Hash: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
    • Instruction Fuzzy Hash: F20192B4E442405EE715ABFA9A56B253BA4D789704F1080BFF044F72F2C67C6458C75D

    Control-flow Graph (summary of the rendered graph): blocks 402c08-402cca; API call RtlUnwind; internal calls 403154, 40285c, 402b70, 402b28
    APIs
    • RtlUnwind.KERNEL32(?,?,Function_00002C08,00000000,?,?,Function_00002C08,?), ref: 00402C74
      • Part of subcall function 00402B28: RaiseException.KERNEL32(0EEDFAD4,00000000,00000002), ref: 00402B3E
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExceptionRaiseUnwind
    • String ID: ,`@
    • API String ID: 478881706-3711388833
    • Opcode ID: c790c7a442039b517183a7463376a734d307fb72ce7105d76f061ecf1436c93a
    • Instruction ID: 97d3f2471094b4ca6c51ddda2b863264321d4d076ae0fb00dec9115aef34ba71
    • Opcode Fuzzy Hash: c790c7a442039b517183a7463376a734d307fb72ce7105d76f061ecf1436c93a
    • Instruction Fuzzy Hash: 70013974204200AFE310EF15CA89F2BB7A9FB88754F55C56AF5086B3E1C778EC01CA69

    Control-flow Graph (summary of the rendered graph): blocks 401fd4-402158; API calls RtlEnterCriticalSection, RtlLeaveCriticalSection; internal calls 401918, 401ee0, 402f54
    APIs
    • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017
      • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
      • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
      • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
      • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
    • String ID:
    • API String ID: 296031713-0
    • Opcode ID: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
    • Instruction ID: 72c497f3d878e3d6a4a9583ee00a9bb41c235ef620702b970aaba137d6b92855
    • Opcode Fuzzy Hash: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
    • Instruction Fuzzy Hash: 2341C2B2E007019FD710CFA9DE8561A7BA0EB58314B15817BD549B73E1D378A849CB48

    Control-flow Graph (summary of the rendered graph): blocks 407454-4074a7; API calls SetErrorMode, LoadLibraryA; internal call 403414
    APIs
    • SetErrorMode.KERNEL32(00008000), ref: 0040745E
    • LoadLibraryA.KERNEL32(00000000,00000000,004074A8,?,00000000,004074C6,?,00008000), ref: 0040748D
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorLibraryLoadMode
    • String ID:
    • API String ID: 2987862817-0
    • Opcode ID: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
    • Instruction ID: a630936203178071a9ee71a4306d19d7bf0886e547c0eed2c6a3f5d1fd0b17c9
    • Opcode Fuzzy Hash: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
    • Instruction Fuzzy Hash: B9F08270A14704BEDB125F768C5282ABEACEB49B1475388B6F900A26D2E53C5820C569

    Control-flow Graph (summary of the rendered graph): blocks 401430-401492; API calls VirtualAlloc, VirtualFree; internal call 4012e4
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
    • Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
    • Opcode Fuzzy Hash: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
    • Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9

    Control-flow Graph

    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,0040583E), ref: 00405727
      • Part of subcall function 00405164: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405181
      • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: DefaultInfoLoadLocaleStringSystem
    • String ID:
    • API String ID: 1658689577-0
    • Opcode ID: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
    • Instruction ID: c7d7bdc64998b5a50f072f8a8ba779086e7d05f386a85bc6535a333606642bb6
    • Opcode Fuzzy Hash: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
    • Instruction Fuzzy Hash: 05315075E00509ABCF00DF95C8819EEB379FF84304F548977E815BB285E739AE068B94

    Control-flow Graph

    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00409C18
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID:
    • API String ID: 2030045667-0
    • Opcode ID: e404e2213cab1cb8d8c7ad519049062dbfaee2a85659122b32ec1a9431e87bfe
    • Instruction ID: d81cb0aa80d85b52c51bcf804432e731ae41fb5784218249075f4083c33b45f1
    • Opcode Fuzzy Hash: e404e2213cab1cb8d8c7ad519049062dbfaee2a85659122b32ec1a9431e87bfe
    • Instruction Fuzzy Hash: F6F0E271608608BEEB11EB62CD03F5B77ACDB86B18F904477B900B65D2C67D6E00897D

    Control-flow Graph (summary of the rendered graph): blocks 407a2a-407a74; API call CreateFileA; internal call 403414
    APIs
    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
    • Instruction ID: 042ae40820150c0b4851109f40d588701a9899a67d40570aa5757512981d293a
    • Opcode Fuzzy Hash: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
    • Instruction Fuzzy Hash: 6FE0ED753442586EE340DAED6D81FA677DC974A714F008132B998DB382D4719D118BA8
    APIs
    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
    • Instruction ID: 8ced2eed2e357b00b36525f681a949bcf9e14530d7ff6951507f50c56b932d1f
    • Opcode Fuzzy Hash: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
    • Instruction Fuzzy Hash: 95E0ED753442586EE240DAED6D81F96779C974A714F008122B998DB382D4719D118BA8
    APIs
    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 00407757
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FormatMessage
    • String ID:
    • API String ID: 1306739567-0
    • Opcode ID: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
    • Instruction ID: 444c138c93f6580368b8f7bf76726c6abc5f79d38e46f5c5344eab39dd4d6646
    • Opcode Fuzzy Hash: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
    • Instruction Fuzzy Hash: 20E0D8A1B8830126F62426144C87F77110E43C0740F60403A7B04EF3D2D6FEB909429F
    APIs
    • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
    • Instruction ID: 2360f01ce0fe84dc83243c5f87e7f13f8f92df382308918f1fe84dd18a5cd7c9
    • Opcode Fuzzy Hash: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
    • Instruction Fuzzy Hash: C8B09B76F1C2006DE705DAD5745153877D4D7C47103A14877F114D25C0D53C94108519
    APIs
    • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
    • Instruction ID: d86a438f0f99301b82867e6a10fbdb03c4267dfb17041a1f22e3924364c889c4
    • Opcode Fuzzy Hash: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
    • Instruction Fuzzy Hash: 55A002A9D08104BACE10EAE58CD5A7D77A86A883047D048AA7215B2181C53DE911963B
    APIs
    • CharPrevA.USER32(?,?,00406DF4,?,00406AD1,?,?,004095D4,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616), ref: 00406DFA
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CharPrev
    • String ID:
    • API String ID: 122130370-0
    • Opcode ID: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
    • Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
    • Opcode Fuzzy Hash: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
    • Instruction Fuzzy Hash:
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
    • Instruction ID: 317b5c03ede138d5cd26287ffab94a369f1a3233cb4abf22224d679caf67fd96
    • Opcode Fuzzy Hash: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
    • Instruction Fuzzy Hash: 30D05E91B00A6007E215E6BE598864A92D85F88685B08847AF644E73D1D67CAD018389
    APIs
    • GetCurrentProcess.KERNEL32(00000028), ref: 0040992F
    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409935
    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040994E
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409975
    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040997A
    • ExitWindowsEx.USER32(00000002,00000000), ref: 0040998B
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
    • String ID: SeShutdownPrivilege
    • API String ID: 107509674-3733053543
    • Opcode ID: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
    • Instruction ID: 69b49e6867c4070d7a8a5f136f8c55bc3de077f0d280c98028d7d6ae56364c3e
    • Opcode Fuzzy Hash: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
    • Instruction Fuzzy Hash: 21F062F068430275E610ABB68C07F6B61885BC0B48F50193EBA55F52C3D7BCD804866F
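    Two entries in this section deserve a closer look than the fuzzy hashes give: the function at 0040A050 (VirtualQuery over the image at 00400000 followed by VirtualProtect with protection 00000040) and the function at 00409920 (OpenProcessToken, LookupPrivilegeValueA for SeShutdownPrivilege, AdjustTokenPrivileges, ExitWindowsEx), which is what the "shutdown / reboot" signature is built on. The Python below is an added example for this page, not Joe Sandbox code and not part of the report: it parses "APIs" bullets and "String ID" lines in the format shown above, decodes the Win32 constants a reviewer otherwise looks up by hand, and flags the two chains plus the Inno Setup loader marker. The sample strings are copied from the 00409920 and 0040A050 entries; the rule names and the treatment of values printed after the real parameters as stack residue are the example's own assumptions about the report format.

```python
"""Triage of Joe Sandbox 'APIs' / 'String ID' lines (added example, not part of the report)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "• ApiName.MODULE(arg,arg,...), ref: 0040992F"; args and "Part of subcall function X:" are optional.
API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})",
    re.I,
)
STRING_ID_RE = re.compile(r"String ID:\s*(?P<ids>\S.*)$")  # report joins strings with "$"

# Win32 constants (winnt.h / winuser.h); these are facts, not report data.
TOKEN_ACCESS = {0x1: "TOKEN_ASSIGN_PRIMARY", 0x2: "TOKEN_DUPLICATE", 0x4: "TOKEN_IMPERSONATE",
                0x8: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
                0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT"}
EWX_FLAGS = {0x0: "EWX_LOGOFF", 0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Documented Win32 sequence for requesting a restart: enable SeShutdownPrivilege, then ExitWindowsEx.
SHUTDOWN_CHAIN = ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"]


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: int
    subcall: bool


@dataclass
class Entry:
    calls: list[Call] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)


def parse_entry(text: str) -> Entry:
    """Parse one function entry: its 'APIs' bullets and its 'String ID' line."""
    entry = Entry()
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            entry.calls.append(Call(m.group("api"), m.group("module").upper(), args,
                                    int(m.group("ref"), 16), m.group("sub") is not None))
            continue
        s = STRING_ID_RE.search(line)
        if s:
            entry.strings.extend(x for x in s.group("ids").split("$") if x)
    return entry


def arg_int(arg: str) -> int | None:
    """Numeric arguments are printed as 8 hex digits; '?' or a string literal yields None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_flags(value: int | None, table: dict[int, str]) -> list[str]:
    if value is None:
        return []
    if value == 0:
        return [table[0]] if 0 in table else []
    return [name for bit, name in sorted(table.items()) if bit and value & bit == bit]


def contains_chain(calls: list[Call], chain: list[str]) -> bool:
    """Ordered subsequence match (gaps allowed), in address order of the 'ref' column."""
    want = iter(chain)
    nxt = next(want, None)
    for c in sorted(calls, key=lambda c: c.ref):
        if nxt is not None and c.api == nxt:
            nxt = next(want, None)
    return nxt is None


def triage(text: str) -> list[str]:
    entry = parse_entry(text)
    findings: list[str] = []
    if any("SeShutdownPrivilege" in a for c in entry.calls for a in c.args) \
            and contains_chain(entry.calls, SHUTDOWN_CHAIN):
        tok = next(c for c in entry.calls if c.api == "OpenProcessToken")
        ewx = next(c for c in entry.calls if c.api == "ExitWindowsEx")
        # Only the first N listed values are real parameters; later ones are stack residue (assumption).
        access = "|".join(decode_flags(arg_int(tok.args[1]), TOKEN_ACCESS)) if len(tok.args) > 1 else "?"
        flags = "|".join(decode_flags(arg_int(ewx.args[0]), EWX_FLAGS)) if ewx.args else "?"
        findings.append(f"reboot/shutdown chain: OpenProcessToken({access}) -> ExitWindowsEx({flags})")
    for c in entry.calls:  # flNewProtect is the third VirtualProtect parameter
        if c.api == "VirtualProtect" and len(c.args) >= 3 \
                and PAGE_PROTECT.get(arg_int(c.args[2])) == "PAGE_EXECUTE_READWRITE":
            findings.append(f"VirtualProtect to PAGE_EXECUTE_READWRITE at {c.ref:08X}")
    if "InnoSetupLdrWindow" in entry.strings:
        findings.append("Inno Setup SetupLdr marker: InnoSetupLdrWindow window name")
    return findings


# Copied from the 00409920 entry of this report.
SAMPLE_SHUTDOWN = """\
• GetCurrentProcess.KERNEL32(00000028), ref: 0040992F
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409935
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040994E
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409975
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040997A
• ExitWindowsEx.USER32(00000002,00000000), ref: 0040998B
• String ID: SeShutdownPrivilege
"""
# Copied from the 0040A050 entry of this report.
SAMPLE_RWX = """\
• GetSystemInfo.KERNEL32(?), ref: 0040A062
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A06D
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0AE
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0E0
"""

if __name__ == "__main__":
    for name, sample in (("00409920", SAMPLE_SHUTDOWN), ("0040A050", SAMPLE_RWX)):
        print(name, triage(sample))
```

    Run as a script it reports the 00409920 entry as OpenProcessToken(TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES) followed by ExitWindowsEx(EWX_REBOOT), which is the standard way a Win32 program asks for a restart, and the 0040A050 entry as one VirtualProtect to PAGE_EXECUTE_READWRITE at 0040A0AE; the second VirtualProtect at 0040A0E0 shows "?" in the protection slot and is left alone. The same dump carries the InnoSetupLdrWindow and /SL5= strings of an Inno Setup loader, so the reboot capability should be weighed as an installer's restart path rather than as an indicator on its own.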
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407501
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407507
    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407555
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressCloseHandleModuleProc
    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
    • API String ID: 4190037839-2401316094
    • Opcode ID: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
    • Instruction ID: 86f2a6ba799f7653865fc0e2ce0ef1955b98c5cb30eb2cc475413799582f5e83
    • Opcode Fuzzy Hash: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
    • Instruction Fuzzy Hash: 27215570E48205BBDB00EAA5CC55BDF77A8AB44354F50887BA501F76C1DB7CBA04865E
    APIs
    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
    • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
    • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
    • GetLastError.KERNEL32(000000F5), ref: 00403C1E
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
    • String ID:
    • API String ID: 1694776339-0
    • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
    • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
    • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
    • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
    APIs
    • SetLastError.KERNEL32 ref: 0040AF99
      • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,00000000), ref: 00409B44
    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
    • SetWindowLongA.USER32(00000000,000000FC,00409E38), ref: 0040AFED
    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
    • DestroyWindow.USER32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
    • API String ID: 3757039580-3001827809
    • Opcode ID: 8b47794ece5a076888d6ba8e282ae78aa650e81203083d5a0dbdbb06a009e2cc
    • Instruction ID: e11106d591c480187276ddc099787e7d0131364ad6526c401ab361da32b03a0a
    • Opcode Fuzzy Hash: 8b47794ece5a076888d6ba8e282ae78aa650e81203083d5a0dbdbb06a009e2cc
    • Instruction Fuzzy Hash: AB412F70E006049BD711EBE9EE86B6937A4EB58304F10417BF114BB2E2C7B89C05CB9D
    APIs
    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
    • SetWindowLongA.USER32(00000000,000000FC,00409E38), ref: 0040AFED
      • Part of subcall function 00407004: GetCommandLineA.KERNEL32(00000000,00407048,?,?,?,?,00000000,?,0040B05E,?), ref: 0040701C
      • Part of subcall function 00409EC4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000,00409F97), ref: 00409F34
      • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000), ref: 00409F48
      • Part of subcall function 00409EC4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
      • Part of subcall function 00409EC4: GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
      • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0), ref: 00409F7C
    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
    • DestroyWindow.USER32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
    • API String ID: 3586484885-3001827809
    • Opcode ID: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
    • Instruction ID: 2c50bf805cbcaae07aef26e9318175051bf4a01897437c95b2245b611fc910e4
    • Opcode Fuzzy Hash: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
    • Instruction Fuzzy Hash: A6413B71A106049FD710EBE9EE96B6937E4EB58304F10427AF514BB2E1D7B89C04CB9C
    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,00405A94,?,?,?,?,00000000,00000000,00000000,?,00406A73,00000000,00406A86), ref: 00405866
      • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
      • Part of subcall function 004056E0: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: InfoLocale$DefaultSystem
    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
    • API String ID: 1044490935-665933166
    • Opcode ID: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
    • Instruction ID: 6fbfddc16810fcf353c8d16d6476d0df8e1e1129542ac215d571de96c8bf2126
    • Opcode Fuzzy Hash: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
    • Instruction Fuzzy Hash: A8512034B005486BDB00EBA59891A8F7769DB98304F50D87BB505BB3C6DA3DDE098F5C
    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000,00409F97), ref: 00409F34
    • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000), ref: 00409F48
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
    • GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
    • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0), ref: 00409F7C
      • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,00000000), ref: 00409B44
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
    • String ID: D
    • API String ID: 3356880605-2746444292
    • Opcode ID: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
    • Instruction ID: 5612ed86ad08d4bddb5d15266d7073179e0372755be9feb1331a68d3317c9ad6
    • Opcode Fuzzy Hash: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
    • Instruction Fuzzy Hash: 57114FB16442096EDB00EBE6CC52F9FB7ACEF49718F50007BB604F72C6DA789D048669
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocString
    • String ID:
    • API String ID: 262959230-0
    • Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
    • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
    • Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
    • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
    APIs
    • GetModuleHandleA.KERNEL32(00000000,0040AAE6), ref: 004030E3
    • GetCommandLineA.KERNEL32(00000000,0040AAE6), ref: 004030EE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CommandHandleLineModule
    • String ID: H'~$U1hd.@
    • API String ID: 2123368496-631764193
    • Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
    • Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
    • Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
    • Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD
    APIs
    • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A116
    • SizeofResource.KERNEL32(00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 0040A129
    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000), ref: 0040A13B
    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A), ref: 0040A14C
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Resource$FindLoadLockSizeof
    • String ID:
    • API String ID: 3473537107-0
    • Opcode ID: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
    • Instruction ID: 8b92cee28785ce20b64f8d9370ff96c2b68540d1e256e0df05e6767f26cc4d74
    • Opcode Fuzzy Hash: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
    • Instruction Fuzzy Hash: 10E07EE035830265EA103AFA0DC3B2A00484B6474DF05403FB700B92C7DDBCDC1591AE
    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID: .tmp$xz@
    • API String ID: 2030045667-184514067
    • Opcode ID: 1a9f126479eefb79b953a8164ad266b4135b53319a1031089906e648eaa290f1
    • Instruction ID: cd6e40cb12cf75a94289ddc930eeb34ae46a26edf5cb602d02798e23291f977e
    • Opcode Fuzzy Hash: 1a9f126479eefb79b953a8164ad266b4135b53319a1031089906e648eaa290f1
    • Instruction Fuzzy Hash: B641C574B006009FD301EFA5DE92A6A77A5EB59704B10443BF800BB7E1CA79AC14CBAD
    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID: .tmp$xz@
    • API String ID: 2030045667-184514067
    • Opcode ID: e1506865f42f3e89b12404e73c43f8634e50fe20126f81ef68b30d74c7d8d1b2
    • Instruction ID: 53719d66007282c5495c6098f99a266dc5e357c3cd51cf55fd0a3e0a4036c937
    • Opcode Fuzzy Hash: e1506865f42f3e89b12404e73c43f8634e50fe20126f81ef68b30d74c7d8d1b2
    • Instruction Fuzzy Hash: B441C974B006009FC701EFA5DE92A5A77A5EB59704B10443BF800BB3E1CBB9AC04CBAD
    APIs
    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040984E
    • GetLastError.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409857
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateDirectoryErrorLast
    • String ID: .tmp
    • API String ID: 1375471231-2986845003
    • Opcode ID: ce1eb634d50c5b54d4636012cf297858a918ae837a7d9093118b41330ad7dbd4
    • Instruction ID: 99036c105fdce8595ace9a271e3c35a9b263f9a60d6b8e91bf220d2a738da6a3
    • Opcode Fuzzy Hash: ce1eb634d50c5b54d4636012cf297858a918ae837a7d9093118b41330ad7dbd4
    • Instruction Fuzzy Hash: 9F216775A10208ABDB00FFA5C8529DFB7B8EF84304F50457BE501B7382DA7C9E058BA9
    APIs
    • RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Unwind
    • String ID: a@$,`@
    • API String ID: 3419175465-3299659662
    • Opcode ID: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
    • Instruction ID: e18fd8dce0ff00c2f0e26d0eabb8ee8c5bb09bfe6675b42a72717897def5721e
    • Opcode Fuzzy Hash: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
    • Instruction Fuzzy Hash: 951182352042029BD724DE18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC81A769
    APIs
    • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A195
    Strings
    • Setup, xrefs: 0040A185
    • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A179
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
    • API String ID: 2030045667-3271211647
    • Opcode ID: f964c5d952e80919a557d204c7618e23288aff00c9616c12bc482df284809c8a
    • Instruction ID: 75c34cc78b7437cb0ca87fafc7654258806437370cb031ed823535619a0dd887
    • Opcode Fuzzy Hash: f964c5d952e80919a557d204c7618e23288aff00c9616c12bc482df284809c8a
    • Instruction Fuzzy Hash: 8BE0E5302043087EE301EA629C03F5A7BACE7CAB04F600477F900B55C1C6786E10842D
    APIs
    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099CF
    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099DF
    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099F2
    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099FC
    Memory Dump Source
    • Source File: 00000002.00000002.1540774688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.1540752128.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540794929.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.1540814838.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorLastSleep
    • String ID:
    • API String ID: 1458359878-0
    • Opcode ID: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
    • Instruction ID: eb7512966d821cc35779f37d74516ce45850f6d6c39c5245c2e713911e3afcfa
    • Opcode Fuzzy Hash: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
    • Instruction Fuzzy Hash: F9F0BBB27012986BCB24A5AE8C86A6FB348EAD1358710403FF504F7393D439DC0156A9

    Execution Graph

    Execution Coverage:11.1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:1560
    Total number of Limit Nodes:12
    execution_graph 6736 409543 6737 409535 6736->6737 6738 409460 Wow64RevertWow64FsRedirection 6737->6738 6739 40953d 6738->6739 6740 408344 6741 40836c VirtualFree 6740->6741 6742 408351 6741->6742 6753 402b48 RaiseException 6754 40294a 6755 402952 6754->6755 6756 403554 4 API calls 6755->6756 6757 402967 6755->6757 6756->6755 6758 403f4a 6759 403f53 6758->6759 6760 403f5c 6758->6760 6761 403f07 4 API calls 6759->6761 6761->6760 6000 403a52 6001 403a74 6000->6001 6002 403a5a WriteFile 6000->6002 6002->6001 6003 403a78 GetLastError 6002->6003 6003->6001 6004 402654 6005 403154 4 API calls 6004->6005 6007 402614 6005->6007 6006 402632 6006->6006 6007->6006 6008 403154 4 API calls 6007->6008 6008->6006 6009 409258 6010 40927c 6009->6010 6013 409134 6010->6013 6014 403198 4 API calls 6013->6014 6015 409165 6013->6015 6014->6015 6017 40917c 6015->6017 6021 403278 18 API calls 6015->6021 6023 409190 6015->6023 6024 4032fc 18 API calls 6015->6024 6016 4031b8 4 API calls 6018 40921d 6016->6018 6019 4032c4 18 API calls 6017->6019 6020 409186 6019->6020 6022 4032fc 18 API calls 6020->6022 6021->6015 6022->6023 6023->6016 6024->6015 6766 405f5c 6767 405f64 6766->6767 6768 405f6c 6766->6768 6769 405f73 6767->6769 6770 405f6a 6767->6770 6771 405dc8 19 API calls 6769->6771 6773 405ed4 6770->6773 6771->6768 6774 405edc 6773->6774 6775 405ef6 6774->6775 6776 403154 4 API calls 6774->6776 6777 405f12 6775->6777 6778 405efb 6775->6778 6776->6774 6780 403154 4 API calls 6777->6780 6779 405dc8 19 API calls 6778->6779 6781 405f0e 6779->6781 6782 405f17 6780->6782 6784 403154 4 API calls 6781->6784 6783 405e38 33 API calls 6782->6783 6783->6781 6785 405f40 6784->6785 6786 403154 4 API calls 6785->6786 6787 405f4e 6786->6787 6787->6768 6025 402e64 6026 402e69 6025->6026 6027 402e7a RtlUnwind 6026->6027 6028 402e5e 6026->6028 6029 402e9d 6027->6029 5932 40b16f 5941 409bd4 5932->5941 5955 405b34 5941->5955 5943 409bef 5944 409c1d 5943->5944 5961 4076c0 5943->5961 5947 403198 4 API calls 
5944->5947 5946 409c0d 5949 409c15 MessageBoxA 5946->5949 5948 409c32 5947->5948 5950 402f24 5948->5950 5949->5944 5951 403154 4 API calls 5950->5951 5952 402f29 5951->5952 5982 402bcc 5952->5982 5954 402f51 5954->5954 5956 403154 4 API calls 5955->5956 5957 405b39 5956->5957 5958 405b51 5957->5958 5959 403154 4 API calls 5957->5959 5958->5943 5960 405b47 5959->5960 5960->5943 5962 405b34 4 API calls 5961->5962 5963 4076cf 5962->5963 5964 4076d5 5963->5964 5966 4076e3 5963->5966 5965 40322c 4 API calls 5964->5965 5967 4076e1 5965->5967 5968 4076f3 5966->5968 5969 4076ff 5966->5969 5967->5946 5972 407684 5968->5972 5979 4032b8 5969->5979 5973 40322c 4 API calls 5972->5973 5974 407693 5973->5974 5975 4076b0 5974->5975 5976 406dd8 CharPrevA 5974->5976 5975->5967 5977 40769f 5976->5977 5977->5975 5978 4032fc 18 API calls 5977->5978 5978->5975 5980 403278 18 API calls 5979->5980 5981 4032c2 5980->5981 5981->5967 5983 402bd5 RaiseException 5982->5983 5984 402be6 5982->5984 5983->5984 5984->5954 6034 407a78 SetFilePointer 6035 407aab 6034->6035 6036 407a9b GetLastError 6034->6036 6036->6035 6037 407aa4 6036->6037 6038 407940 35 API calls 6037->6038 6038->6035 6792 40af7a 6793 40afaa 6792->6793 6794 40afb4 CreateWindowExA SetWindowLongA 6793->6794 6795 40561c 33 API calls 6794->6795 6796 40b037 6795->6796 6797 4032fc 18 API calls 6796->6797 6798 40b045 6797->6798 6799 4032fc 18 API calls 6798->6799 6800 40b052 6799->6800 6819 407004 GetCommandLineA 6800->6819 6803 4032fc 18 API calls 6804 40b067 6803->6804 6826 409ec4 6804->6826 6807 40b08c 6809 40b0c5 6807->6809 6842 4099b0 6807->6842 6808 409da4 19 API calls 6808->6807 6811 40b0de 6809->6811 6814 40b0d8 RemoveDirectoryA 6809->6814 6812 40b0f2 6811->6812 6813 40b0e7 DestroyWindow 6811->6813 6815 40b11a 6812->6815 6816 40357c 4 API calls 6812->6816 6813->6812 6814->6811 6817 40b110 6816->6817 6818 4025ac 4 API calls 6817->6818 6818->6815 6820 406f78 18 API calls 6819->6820 6821 407029 6820->6821 6822 4032c4 18 API calls 
6821->6822 6823 407032 6822->6823 6824 403198 4 API calls 6823->6824 6825 407047 6824->6825 6825->6803 6827 4033b4 18 API calls 6826->6827 6828 409eff 6827->6828 6829 409f31 CreateProcessA 6828->6829 6830 409f44 CloseHandle 6829->6830 6831 409f3d 6829->6831 6833 409f4d 6830->6833 6850 409b20 GetLastError 6831->6850 6863 409e98 6833->6863 6836 409f69 6837 409e98 3 API calls 6836->6837 6838 409f6e GetExitCodeProcess CloseHandle 6837->6838 6839 409f8e 6838->6839 6840 403198 4 API calls 6839->6840 6841 409f96 6840->6841 6841->6807 6841->6808 6843 409a0a 6842->6843 6845 4099c3 6842->6845 6843->6809 6844 4099cb Sleep 6844->6845 6845->6843 6845->6844 6846 4099db Sleep 6845->6846 6848 4099f2 GetLastError 6845->6848 6867 409470 6845->6867 6846->6845 6848->6843 6849 4099fc GetLastError 6848->6849 6849->6843 6849->6845 6851 40511c 33 API calls 6850->6851 6852 409b67 6851->6852 6853 407738 19 API calls 6852->6853 6854 409b77 6853->6854 6855 40925c 18 API calls 6854->6855 6856 409b8c 6855->6856 6857 405d18 18 API calls 6856->6857 6858 409b9b 6857->6858 6859 4031b8 4 API calls 6858->6859 6860 409bba 6859->6860 6861 403198 4 API calls 6860->6861 6862 409bc2 6861->6862 6862->6830 6864 409eac PeekMessageA 6863->6864 6865 409ea0 TranslateMessage DispatchMessageA 6864->6865 6866 409ebe MsgWaitForMultipleObjects 6864->6866 6865->6864 6866->6833 6866->6836 6868 409424 2 API calls 6867->6868 6869 409486 6868->6869 6870 40948a 6869->6870 6871 4094a6 DeleteFileA GetLastError 6869->6871 6870->6845 6872 4094c4 6871->6872 6873 409460 Wow64RevertWow64FsRedirection 6872->6873 6874 4094cc 6873->6874 6874->6845 6875 407b7c WriteFile 6876 407ba3 6875->6876 6877 407b9c 6875->6877 6879 407bb4 6876->6879 6880 4078a0 34 API calls 6876->6880 6878 407940 35 API calls 6877->6878 6878->6876 6880->6879 6881 403f7d 6882 403fa2 6881->6882 6886 403f84 6881->6886 6884 403e8e 4 API calls 6882->6884 6882->6886 6883 403f8c 6884->6886 6885 402674 4 API calls 6887 403fca 6885->6887 6886->6883 6886->6885 5845 
403d02 5847 403d12 5845->5847 5846 403ddf ExitProcess 5847->5846 5848 403db8 5847->5848 5849 403dea 5847->5849 5854 403da4 5847->5854 5855 403d8f MessageBoxA 5847->5855 5861 403cc8 5848->5861 5852 403cc8 4 API calls 5853 403dcc 5852->5853 5865 4019dc 5853->5865 5877 403fe4 5854->5877 5855->5848 5858 403dd1 5858->5846 5858->5849 5862 403cd6 5861->5862 5864 403ceb 5862->5864 5881 402674 5862->5881 5864->5852 5866 401abb 5865->5866 5867 4019ed 5865->5867 5866->5858 5868 401a04 RtlEnterCriticalSection 5867->5868 5869 401a0e LocalFree 5867->5869 5868->5869 5870 401a41 5869->5870 5871 401a2f VirtualFree 5870->5871 5872 401a49 5870->5872 5871->5870 5873 401a70 LocalFree 5872->5873 5874 401a87 5872->5874 5873->5873 5873->5874 5875 401aa9 RtlDeleteCriticalSection 5874->5875 5876 401a9f RtlLeaveCriticalSection 5874->5876 5875->5858 5876->5875 5878 403fe8 5877->5878 5884 403f07 5878->5884 5880 404006 5882 403154 4 API calls 5881->5882 5883 40267a 5882->5883 5883->5864 5894 403f09 5884->5894 5886 403e9c 5887 403f3c 5886->5887 5890 403ef2 5886->5890 5896 403ea9 5886->5896 5898 403e8e 5886->5898 5887->5880 5888 403ecf 5888->5880 5889 403154 4 API calls 5889->5894 5892 402674 4 API calls 5890->5892 5892->5888 5894->5886 5894->5889 5895 403f3d 5894->5895 5907 403e9c 5894->5907 5895->5880 5896->5888 5897 402674 4 API calls 5896->5897 5897->5888 5900 403e4c 5898->5900 5899 403e67 5905 403e78 5899->5905 5906 402674 4 API calls 5899->5906 5900->5899 5901 403e62 5900->5901 5902 403e7b 5900->5902 5904 403cc8 4 API calls 5901->5904 5903 402674 4 API calls 5902->5903 5903->5905 5904->5899 5905->5890 5905->5896 5906->5905 5908 403ed7 5907->5908 5914 403ea9 5907->5914 5909 403ef2 5908->5909 5910 403e8e 4 API calls 5908->5910 5911 402674 4 API calls 5909->5911 5912 403ee6 5910->5912 5913 403ecf 5911->5913 5912->5909 5912->5914 5913->5894 5914->5913 5915 402674 4 API calls 5914->5915 5915->5913 6888 406b04 IsDBCSLeadByte 6889 406b1c 6888->6889 6043 404206 6044 40420a 6043->6044 6045 4041cc 
6043->6045 6046 404282 6044->6046 6047 403154 4 API calls 6044->6047 6048 404323 6047->6048 6890 40ad07 6891 409fc0 18 API calls 6890->6891 6892 40ad0c 6891->6892 6893 40ad11 6892->6893 6894 402f24 5 API calls 6892->6894 6895 409e14 29 API calls 6893->6895 6894->6893 6898 40ad16 6895->6898 6896 40ad69 6927 4026c4 GetSystemTime 6896->6927 6898->6896 6901 40928c 18 API calls 6898->6901 6899 40ad6e 6900 409808 46 API calls 6899->6900 6902 40ad76 6900->6902 6904 40ad45 6901->6904 6903 4031e8 18 API calls 6902->6903 6905 40ad83 6903->6905 6906 40ad4d MessageBoxA 6904->6906 6907 406db0 19 API calls 6905->6907 6906->6896 6909 40ad5a 6906->6909 6908 40ad90 6907->6908 6910 406b48 19 API calls 6908->6910 6911 405cec 19 API calls 6909->6911 6912 40ada0 6910->6912 6911->6896 6913 406ac0 19 API calls 6912->6913 6914 40adb1 6913->6914 6915 403340 18 API calls 6914->6915 6916 40adbf 6915->6916 6917 4031e8 18 API calls 6916->6917 6918 40adcf 6917->6918 6919 407994 37 API calls 6918->6919 6920 40ae0e 6919->6920 6921 402594 18 API calls 6920->6921 6922 40ae2e 6921->6922 6923 407edc 19 API calls 6922->6923 6924 40ae70 6923->6924 6925 40816c 35 API calls 6924->6925 6926 40ae97 6925->6926 6927->6899 5916 402c08 5919 402c82 5916->5919 5920 402c19 5916->5920 5917 402c56 RtlUnwind 5918 403154 4 API calls 5917->5918 5918->5919 5920->5917 5920->5919 5923 402b28 5920->5923 5924 402b31 RaiseException 5923->5924 5925 402b47 5923->5925 5924->5925 5925->5917 6049 403018 6050 403070 6049->6050 6051 403025 6049->6051 6052 40302a RtlUnwind 6051->6052 6053 40304e 6052->6053 6055 402f78 6053->6055 6056 402be8 6053->6056 6057 402bf1 RaiseException 6056->6057 6058 402c04 6056->6058 6057->6058 6058->6050 6945 40b127 6946 40b099 6945->6946 6947 40b0c5 6946->6947 6948 4099b0 9 API calls 6946->6948 6949 40b0de 6947->6949 6952 40b0d8 RemoveDirectoryA 6947->6952 6948->6947 6950 40b0f2 6949->6950 6951 40b0e7 DestroyWindow 6949->6951 6953 40b11a 6950->6953 6954 40357c 4 API calls 6950->6954 6951->6950 
6952->6949 6955 40b110 6954->6955 6956 4025ac 4 API calls 6955->6956 6956->6953 6071 403a28 ReadFile 6072 403a46 6071->6072 6073 403a49 GetLastError 6071->6073 6074 40602a 6075 40602c 6074->6075 6076 406068 6075->6076 6077 406062 6075->6077 6078 40607f 6075->6078 6079 405dc8 19 API calls 6076->6079 6077->6076 6080 4060d4 6077->6080 6083 405164 19 API calls 6078->6083 6081 40607b 6079->6081 6082 405e38 33 API calls 6080->6082 6085 403198 4 API calls 6081->6085 6082->6081 6084 4060a8 6083->6084 6086 405e38 33 API calls 6084->6086 6087 40610e 6085->6087 6086->6081 6088 40462b 6089 404638 SetErrorMode 6088->6089 6957 40b12c 6958 40b135 6957->6958 6961 40b160 6957->6961 6967 409920 6958->6967 6960 40b13a 6960->6961 6965 40b158 MessageBoxA 6960->6965 6962 403198 4 API calls 6961->6962 6963 40b198 6962->6963 6964 403198 4 API calls 6963->6964 6966 40b1a0 6964->6966 6965->6961 6968 409987 ExitWindowsEx 6967->6968 6969 40992c GetCurrentProcess OpenProcessToken 6967->6969 6971 40993e 6968->6971 6970 409942 LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6969->6970 6969->6971 6970->6968 6970->6971 6971->6960 6976 403932 6977 403924 6976->6977 6980 40374c 6977->6980 6979 40392c 6981 403759 6980->6981 6982 403766 6980->6982 6981->6982 6983 403779 VariantClear 6981->6983 6982->6979 6983->6979 6104 409e36 6105 409e38 6104->6105 6106 409e5a 6105->6106 6107 409e76 CallWindowProcA 6105->6107 6107->6106 6112 409e38 6113 409e5a 6112->6113 6115 409e47 6112->6115 6114 409e76 CallWindowProcA 6114->6113 6115->6113 6115->6114 6116 4090c4 6117 4090cb 6116->6117 6118 403198 4 API calls 6117->6118 6128 409165 6118->6128 6119 409190 6120 4031b8 4 API calls 6119->6120 6122 40921d 6120->6122 6121 40917c 6123 4032c4 18 API calls 6121->6123 6124 409186 6123->6124 6126 4032fc 18 API calls 6124->6126 6125 403278 18 API calls 6125->6128 6126->6119 6127 4032fc 18 API calls 6127->6128 6128->6119 6128->6121 6128->6125 6128->6127 5927 4074cb 5928 4074bc SetErrorMode 5927->5928 6129 402ccc 6132 
402cfe 6129->6132 6134 402cdd 6129->6134 6130 402d88 RtlUnwind 6131 403154 4 API calls 6130->6131 6131->6132 6133 402b28 RaiseException 6135 402d7f 6133->6135 6134->6130 6134->6132 6134->6133 6135->6130 6994 403fcd 6995 403f07 4 API calls 6994->6995 6996 403fd6 6995->6996 6997 403e9c 4 API calls 6996->6997 6998 403fe2 6997->6998 5124 40aad0 5167 4030dc 5124->5167 5126 40aae6 5170 4042e8 5126->5170 5128 40aaeb 5173 404654 GetModuleHandleA GetVersion 5128->5173 5132 40aaf5 5270 406a50 5132->5270 5134 40aafa 5279 409558 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5134->5279 5141 40ab3d 5307 4070b4 5141->5307 5153 40abe8 5364 407954 5153->5364 5154 40abaa 5154->5153 5357 409fc0 5154->5357 5156 40ac0e 5157 40ac29 5156->5157 5158 409fc0 18 API calls 5156->5158 5368 407edc 5157->5368 5158->5157 5160 40ac4e 5378 408fbc 5160->5378 5164 40ac94 5165 408fbc 35 API calls 5164->5165 5166 40accd 5164->5166 5165->5164 5397 403094 5167->5397 5169 4030e1 GetModuleHandleA GetCommandLineA 5169->5126 5172 404323 5170->5172 5398 403154 5170->5398 5172->5128 5174 4046a5 5173->5174 5175 404685 GetProcAddress 5173->5175 5177 4048d2 GetProcAddress 5174->5177 5178 4046ad GetProcAddress 5174->5178 5175->5174 5176 404696 5175->5176 5176->5174 5179 4048e1 5177->5179 5180 4048e8 GetProcAddress 5177->5180 5181 4046bc 5178->5181 5179->5180 5182 4048f7 SetProcessDEPPolicy 5180->5182 5183 4048fb 5180->5183 5415 4045a0 GetSystemDirectoryA 5181->5415 5182->5183 5411 403198 5183->5411 5187 4031e8 18 API calls 5189 4046d8 5187->5189 5189->5177 5190 40470b 5189->5190 5418 4032fc 5189->5418 5432 40322c 5190->5432 5194 4032fc 18 API calls 5195 404726 5194->5195 5436 4045cc SetErrorMode 5195->5436 5198 40322c 4 API calls 5199 40473c 5198->5199 5200 4032fc 18 API calls 5199->5200 5201 404749 5200->5201 5202 4045cc 2 API calls 5201->5202 5203 404751 5202->5203 5204 40322c 4 API calls 5203->5204 5205 40475f 5204->5205 5206 4032fc 18 API calls 5205->5206 5207 40476c 5206->5207 5208 4045cc 2 
API calls 5207->5208 5209 404774 5208->5209 5210 40322c 4 API calls 5209->5210 5211 404782 5210->5211 5212 4032fc 18 API calls 5211->5212 5213 40478f 5212->5213 5214 4045cc 2 API calls 5213->5214 5215 404797 5214->5215 5216 40322c 4 API calls 5215->5216 5217 4047a5 5216->5217 5218 4032fc 18 API calls 5217->5218 5219 4047b2 5218->5219 5220 4045cc 2 API calls 5219->5220 5221 4047ba 5220->5221 5222 40322c 4 API calls 5221->5222 5223 4047c8 5222->5223 5224 4032fc 18 API calls 5223->5224 5225 4047d5 5224->5225 5226 4045cc 2 API calls 5225->5226 5227 4047dd 5226->5227 5228 40322c 4 API calls 5227->5228 5229 4047eb 5228->5229 5230 4032fc 18 API calls 5229->5230 5231 4047f8 5230->5231 5232 4045cc 2 API calls 5231->5232 5233 404800 5232->5233 5234 40322c 4 API calls 5233->5234 5235 40480e 5234->5235 5236 4032fc 18 API calls 5235->5236 5237 40481b 5236->5237 5238 4045cc 2 API calls 5237->5238 5239 404823 5238->5239 5240 40322c 4 API calls 5239->5240 5241 404831 5240->5241 5242 4032fc 18 API calls 5241->5242 5243 40483e 5242->5243 5244 4045cc 2 API calls 5243->5244 5245 404846 5244->5245 5246 40322c 4 API calls 5245->5246 5247 404854 5246->5247 5248 4032fc 18 API calls 5247->5248 5249 404861 5248->5249 5250 4045cc 2 API calls 5249->5250 5251 404869 5250->5251 5252 40322c 4 API calls 5251->5252 5253 404877 5252->5253 5254 4032fc 18 API calls 5253->5254 5255 404884 5254->5255 5256 4045cc 2 API calls 5255->5256 5257 40488c 5256->5257 5258 40322c 4 API calls 5257->5258 5259 40489a 5258->5259 5260 4032fc 18 API calls 5259->5260 5261 4048a7 5260->5261 5262 4045cc 2 API calls 5261->5262 5263 4048af 5262->5263 5264 40322c 4 API calls 5263->5264 5265 4048bd 5264->5265 5266 4032fc 18 API calls 5265->5266 5267 4048ca 5266->5267 5268 4045cc 2 API calls 5267->5268 5268->5177 5269 404aac 6F661CD0 5269->5132 5542 406130 5270->5542 5280 4095ad 5279->5280 5648 40717c GetSystemDirectoryA 5280->5648 5284 4095d4 5285 4032fc 18 API calls 5284->5285 5286 4095e1 5285->5286 5661 407454 SetErrorMode 
5286->5661 5291 4031b8 4 API calls 5292 409615 5291->5292 5293 40a050 GetSystemInfo VirtualQuery 5292->5293 5294 40a104 5293->5294 5297 40a07a 5293->5297 5299 409c40 5294->5299 5295 40a0e5 VirtualQuery 5295->5294 5295->5297 5296 40a0a4 VirtualProtect 5296->5297 5297->5294 5297->5295 5297->5296 5298 40a0d3 VirtualProtect 5297->5298 5298->5295 5693 407058 GetCommandLineA 5299->5693 5301 409d28 5303 4031b8 4 API calls 5301->5303 5302 4070b4 20 API calls 5306 409c5d 5302->5306 5304 409d42 5303->5304 5304->5141 5334 40a160 5304->5334 5305 403454 18 API calls 5305->5306 5306->5301 5306->5302 5306->5305 5308 4070db GetModuleFileNameA 5307->5308 5309 4070ff GetCommandLineA 5307->5309 5310 403278 18 API calls 5308->5310 5311 407104 5309->5311 5312 4070fd 5310->5312 5313 407109 5311->5313 5316 406f78 18 API calls 5311->5316 5317 407111 5311->5317 5314 40712c 5312->5314 5315 403198 4 API calls 5313->5315 5318 403198 4 API calls 5314->5318 5315->5317 5316->5311 5319 40322c 4 API calls 5317->5319 5320 407141 5318->5320 5319->5314 5321 4031e8 5320->5321 5322 4031ec 5321->5322 5325 4031fc 5321->5325 5324 403254 18 API calls 5322->5324 5322->5325 5323 403228 5327 407994 5323->5327 5324->5325 5325->5323 5326 4025ac 4 API calls 5325->5326 5326->5323 5328 40799e 5327->5328 5714 407a2a 5328->5714 5717 407a2c 5328->5717 5329 4079ca 5330 4079de 5329->5330 5720 407940 GetLastError 5329->5720 5341 40a10c FindResourceA 5330->5341 5335 40322c 4 API calls 5334->5335 5336 40a183 5335->5336 5337 40a192 MessageBoxA 5336->5337 5338 40a1a7 5337->5338 5339 403198 4 API calls 5338->5339 5340 40a1af 5339->5340 5340->5141 5342 40a121 5341->5342 5343 40a126 SizeofResource 5341->5343 5344 409fc0 18 API calls 5342->5344 5345 40a133 5343->5345 5346 40a138 LoadResource 5343->5346 5344->5343 5347 409fc0 18 API calls 5345->5347 5348 40a146 5346->5348 5349 40a14b LockResource 5346->5349 5347->5346 5350 409fc0 18 API calls 5348->5350 5351 40a157 5349->5351 5352 40a15c 5349->5352 5350->5349 5353 409fc0 18 API 
calls 5351->5353 5352->5154 5354 407dcc 5352->5354 5353->5352 5819 407d78 5354->5819 5358 409fe1 5357->5358 5359 409fc9 5357->5359 5361 405d18 18 API calls 5358->5361 5360 405d18 18 API calls 5359->5360 5362 409fdb 5360->5362 5363 409ff2 5361->5363 5362->5153 5363->5153 5365 407968 5364->5365 5366 407978 5365->5366 5367 4078a0 34 API calls 5365->5367 5366->5156 5367->5366 5370 407ee9 5368->5370 5369 405d18 18 API calls 5371 407f3d 5369->5371 5370->5369 5370->5371 5372 407dcc InterlockedExchange 5371->5372 5373 407f4f 5372->5373 5374 405d18 18 API calls 5373->5374 5375 407f65 5373->5375 5374->5375 5376 407fa8 5375->5376 5377 405d18 18 API calls 5375->5377 5376->5160 5377->5376 5382 409036 5378->5382 5391 408fed 5378->5391 5379 409081 5823 40816c 5379->5823 5381 409098 5385 4031b8 4 API calls 5381->5385 5382->5379 5384 4034f0 18 API calls 5382->5384 5389 403420 18 API calls 5382->5389 5390 4031e8 18 API calls 5382->5390 5393 40816c 35 API calls 5382->5393 5383 4034f0 18 API calls 5383->5391 5384->5382 5387 4090b2 5385->5387 5386 4031e8 18 API calls 5386->5391 5394 4050a8 5387->5394 5388 403420 18 API calls 5388->5391 5389->5382 5390->5382 5391->5382 5391->5383 5391->5386 5391->5388 5392 40816c 35 API calls 5391->5392 5392->5391 5393->5382 5395 402594 18 API calls 5394->5395 5396 4050b3 5395->5396 5396->5164 5397->5169 5399 403164 5398->5399 5400 40318c TlsGetValue 5398->5400 5399->5172 5401 403196 5400->5401 5402 40316f 5400->5402 5401->5172 5406 40310c 5402->5406 5404 403174 TlsGetValue 5405 403184 5404->5405 5405->5172 5407 403120 LocalAlloc 5406->5407 5408 403116 5406->5408 5409 40313e TlsSetValue 5407->5409 5410 403132 5407->5410 5408->5407 5409->5410 5410->5404 5412 4031b7 5411->5412 5413 40319e 5411->5413 5412->5269 5413->5412 5440 4025ac 5413->5440 5444 40458c 5415->5444 5419 403300 5418->5419 5420 40333f 5418->5420 5421 4031e8 5419->5421 5422 40330a 5419->5422 5420->5190 5425 4031fc 5421->5425 5429 403254 18 API calls 5421->5429 5423 403334 5422->5423 5424 
40331d 5422->5424 5428 4034f0 18 API calls 5423->5428 5527 4034f0 5424->5527 5427 403228 5425->5427 5431 4025ac 4 API calls 5425->5431 5427->5190 5430 403322 5428->5430 5429->5425 5430->5190 5431->5427 5434 403230 5432->5434 5433 403252 5433->5194 5434->5433 5435 4025ac 4 API calls 5434->5435 5435->5433 5540 403414 5436->5540 5439 40461e 5439->5198 5441 4025b0 5440->5441 5442 4025ba 5440->5442 5441->5442 5443 403154 4 API calls 5441->5443 5442->5412 5443->5442 5447 4032c4 5444->5447 5450 403278 5447->5450 5449 403288 5451 403198 4 API calls 5449->5451 5453 403254 5450->5453 5452 4032a0 5451->5452 5452->5187 5454 403274 5453->5454 5455 403258 5453->5455 5454->5449 5458 402594 5455->5458 5457 403261 5457->5449 5459 402598 5458->5459 5461 4025a2 5458->5461 5464 401fd4 5459->5464 5460 40259e 5460->5461 5462 403154 4 API calls 5460->5462 5461->5457 5461->5461 5462->5461 5465 401fe8 5464->5465 5466 401fed 5464->5466 5475 401918 RtlInitializeCriticalSection 5465->5475 5468 402012 RtlEnterCriticalSection 5466->5468 5469 40201c 5466->5469 5472 401ff1 5466->5472 5468->5469 5469->5472 5482 401ee0 5469->5482 5472->5460 5473 402147 5473->5460 5474 40213d RtlLeaveCriticalSection 5474->5473 5476 40193c RtlEnterCriticalSection 5475->5476 5477 401946 5475->5477 5476->5477 5478 401964 LocalAlloc 5477->5478 5479 40197e 5478->5479 5480 4019c3 RtlLeaveCriticalSection 5479->5480 5481 4019cd 5479->5481 5480->5481 5481->5466 5485 401ef0 5482->5485 5483 401f1c 5487 401f40 5483->5487 5493 401d00 5483->5493 5485->5483 5485->5487 5488 401e58 5485->5488 5487->5473 5487->5474 5497 4016d8 5488->5497 5492 401e75 5492->5485 5494 401d4e 5493->5494 5495 401d1e 5493->5495 5494->5495 5514 401c68 5494->5514 5495->5487 5500 4016f4 5497->5500 5498 4016fe 5501 4015c4 VirtualAlloc 5498->5501 5499 401430 LocalAlloc VirtualAlloc VirtualFree 5499->5500 5500->5498 5500->5499 5502 40175b 5500->5502 5503 40132c LocalAlloc 5500->5503 5504 40174f 5500->5504 5505 40170a 5501->5505 5502->5492 5507 401dcc 5502->5507 
5503->5500 5506 40150c VirtualFree 5504->5506 5505->5502 5506->5502 5508 401d80 9 API calls 5507->5508 5509 401de0 5508->5509 5510 40132c LocalAlloc 5509->5510 5511 401df0 5510->5511 5512 401b44 9 API calls 5511->5512 5513 401df8 5511->5513 5512->5513 5513->5492 5515 401c7a 5514->5515 5516 401c9d 5515->5516 5517 401caf 5515->5517 5518 40188c LocalAlloc VirtualFree VirtualFree 5516->5518 5519 40188c LocalAlloc VirtualFree VirtualFree 5517->5519 5520 401cad 5518->5520 5519->5520 5521 401cc5 5520->5521 5522 401b44 9 API calls 5520->5522 5521->5495 5523 401cd4 5522->5523 5524 401cee 5523->5524 5525 401b98 9 API calls 5523->5525 5526 4013a0 LocalAlloc 5524->5526 5525->5524 5526->5521 5528 40352d 5527->5528 5529 4034fd 5527->5529 5531 403198 4 API calls 5528->5531 5530 403526 5529->5530 5532 403509 5529->5532 5533 403254 18 API calls 5530->5533 5534 403517 5531->5534 5536 4025c4 5532->5536 5533->5528 5534->5430 5537 4025ca 5536->5537 5538 403154 4 API calls 5537->5538 5539 4025dc 5537->5539 5538->5539 5539->5534 5541 403418 LoadLibraryA 5540->5541 5541->5439 5614 405dc8 5542->5614 5545 405708 GetSystemDefaultLCID 5547 40573e 5545->5547 5546 405164 19 API calls 5546->5547 5547->5546 5548 405694 19 API calls 5547->5548 5549 4031e8 18 API calls 5547->5549 5552 4057a0 5547->5552 5548->5547 5549->5547 5550 405164 19 API calls 5550->5552 5551 405694 19 API calls 5551->5552 5552->5550 5552->5551 5553 4031e8 18 API calls 5552->5553 5554 405823 5552->5554 5553->5552 5630 4031b8 5554->5630 5557 40584c GetSystemDefaultLCID 5634 405694 GetLocaleInfoA 5557->5634 5560 4031e8 18 API calls 5561 40588c 5560->5561 5562 405694 19 API calls 5561->5562 5563 4058a1 5562->5563 5564 405694 19 API calls 5563->5564 5565 4058c5 5564->5565 5640 4056e0 GetLocaleInfoA 5565->5640 5568 4056e0 GetLocaleInfoA 5569 4058f5 5568->5569 5570 405694 19 API calls 5569->5570 5571 40590f 5570->5571 5572 4056e0 GetLocaleInfoA 5571->5572 5573 40592c 5572->5573 5574 405694 19 API calls 5573->5574 5575 405946 
5574->5575 5576 4031e8 18 API calls 5575->5576 5577 405953 5576->5577 5578 405694 19 API calls 5577->5578 5579 405968 5578->5579 5580 4031e8 18 API calls 5579->5580 5581 405975 5580->5581 5582 4056e0 GetLocaleInfoA 5581->5582 5583 405983 5582->5583 5584 405694 19 API calls 5583->5584 5585 40599d 5584->5585 5586 4031e8 18 API calls 5585->5586 5587 4059aa 5586->5587 5588 405694 19 API calls 5587->5588 5589 4059bf 5588->5589 5590 4031e8 18 API calls 5589->5590 5591 4059cc 5590->5591 5592 405694 19 API calls 5591->5592 5593 4059e1 5592->5593 5594 4059fe 5593->5594 5595 4059ef 5593->5595 5597 40322c 4 API calls 5594->5597 5596 40322c 4 API calls 5595->5596 5598 4059fc 5596->5598 5597->5598 5599 405694 19 API calls 5598->5599 5600 405a20 5599->5600 5601 405a3d 5600->5601 5602 405a2e 5600->5602 5604 403198 4 API calls 5601->5604 5603 40322c 4 API calls 5602->5603 5605 405a3b 5603->5605 5604->5605 5642 4033b4 5605->5642 5607 405a5f 5608 4033b4 18 API calls 5607->5608 5609 405a79 5608->5609 5610 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5609->5610 5611 405a93 5610->5611 5612 40617c GetVersionExA 5611->5612 5613 406193 5612->5613 5613->5134 5615 405dd4 5614->5615 5622 405164 LoadStringA 5615->5622 5618 4031e8 18 API calls 5619 405e05 5618->5619 5620 403198 4 API calls 5619->5620 5621 405e1a 5620->5621 5621->5545 5625 403278 5622->5625 5626 403254 18 API calls 5625->5626 5627 403288 5626->5627 5628 403198 4 API calls 5627->5628 5629 4032a0 5628->5629 5629->5618 5632 4031be 5630->5632 5631 4031e3 5631->5557 5632->5631 5633 4025ac 4 API calls 5632->5633 5633->5632 5635 4056bb 5634->5635 5636 4056cd 5634->5636 5637 403278 18 API calls 5635->5637 5638 40322c 4 API calls 5636->5638 5639 4056cb 5637->5639 5638->5639 5639->5560 5641 4056fc 5640->5641 5641->5568 5643 4033bc 5642->5643 5644 403254 18 API calls 5643->5644 5645 4033cf 5644->5645 5646 4031e8 18 API calls 5645->5646 5647 4033f7 5646->5647 5669 405268 5648->5669 5651 406ac0 5652 406aca 5651->5652 5653 406aed 
5651->5653 5672 406dd8 5652->5672 5655 40322c 4 API calls 5653->5655 5656 406af6 5655->5656 5656->5284 5657 406ad1 5657->5653 5658 406adc 5657->5658 5677 403340 5658->5677 5660 406aea 5660->5284 5662 403414 5661->5662 5663 40748c LoadLibraryA 5662->5663 5664 4074a2 5663->5664 5665 407738 FormatMessageA 5664->5665 5666 40775e 5665->5666 5667 403278 18 API calls 5666->5667 5668 40777b 5667->5668 5668->5291 5670 4032c4 18 API calls 5669->5670 5671 405277 5670->5671 5671->5651 5673 406de3 5672->5673 5674 406ddf 5672->5674 5692 406df8 CharPrevA 5673->5692 5674->5657 5676 406df4 5676->5657 5678 403344 5677->5678 5679 4033a5 5677->5679 5680 4031e8 5678->5680 5681 40334c 5678->5681 5684 403254 18 API calls 5680->5684 5686 4031fc 5680->5686 5681->5679 5683 40335b 5681->5683 5687 4031e8 18 API calls 5681->5687 5682 403228 5682->5660 5685 403254 18 API calls 5683->5685 5684->5686 5689 403375 5685->5689 5686->5682 5688 4025ac 4 API calls 5686->5688 5687->5683 5688->5682 5690 4031e8 18 API calls 5689->5690 5691 4033a1 5690->5691 5691->5660 5692->5676 5700 406f78 5693->5700 5695 40707b 5696 40708d 5695->5696 5697 406f78 18 API calls 5695->5697 5698 403198 4 API calls 5696->5698 5697->5695 5699 4070a2 5698->5699 5699->5306 5701 406fa4 5700->5701 5702 403278 18 API calls 5701->5702 5703 406fb1 5702->5703 5710 403420 5703->5710 5705 406fb9 5706 4031e8 18 API calls 5705->5706 5707 406fd1 5706->5707 5708 403198 4 API calls 5707->5708 5709 406ff3 5708->5709 5709->5695 5711 403426 5710->5711 5713 403437 5710->5713 5712 403254 18 API calls 5711->5712 5711->5713 5712->5713 5713->5705 5715 407a2c 5714->5715 5716 407a6b CreateFileA 5715->5716 5716->5329 5718 403414 5717->5718 5719 407a6b CreateFileA 5718->5719 5719->5329 5723 4078a0 5720->5723 5724 407738 19 API calls 5723->5724 5726 4078c8 5724->5726 5725 4078e8 5735 405d18 5725->5735 5726->5725 5732 40561c 5726->5732 5729 4078f7 5730 403198 4 API calls 5729->5730 5731 407914 5730->5731 5731->5330 5739 405630 5732->5739 5737 405d1f 
5735->5737 5736 4031e8 18 API calls 5738 405d37 5736->5738 5737->5736 5738->5729 5740 40564d 5739->5740 5747 4052e0 5740->5747 5743 405679 5745 403278 18 API calls 5743->5745 5746 40562b 5745->5746 5746->5725 5749 4052fb 5747->5749 5748 40530d 5748->5743 5752 40506c 5748->5752 5749->5748 5755 405402 5749->5755 5762 4052d4 5749->5762 5753 405dc8 19 API calls 5752->5753 5754 40507d 5753->5754 5754->5743 5756 405413 5755->5756 5758 405461 5755->5758 5756->5758 5759 4054e7 5756->5759 5761 40547f 5758->5761 5765 40527c 5758->5765 5759->5761 5769 4052c0 5759->5769 5761->5749 5763 403198 4 API calls 5762->5763 5764 4052de 5763->5764 5764->5749 5766 40528a 5765->5766 5772 405084 5766->5772 5768 4052b8 5768->5758 5785 4039a4 5769->5785 5775 405e38 5772->5775 5774 40509d 5774->5768 5776 405e46 5775->5776 5777 405164 19 API calls 5776->5777 5778 405e70 5777->5778 5779 40561c 33 API calls 5778->5779 5780 405e7e 5779->5780 5781 4031e8 18 API calls 5780->5781 5782 405e89 5781->5782 5783 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5782->5783 5784 405ea3 5783->5784 5784->5774 5786 4039ab 5785->5786 5791 4038b4 5786->5791 5788 4039cb 5789 403198 4 API calls 5788->5789 5790 4039d2 5789->5790 5790->5761 5792 4038d5 5791->5792 5793 4038c8 5791->5793 5795 403934 5792->5795 5796 4038db 5792->5796 5794 403780 6 API calls 5793->5794 5808 4038d0 5794->5808 5797 403993 5795->5797 5798 40393b 5795->5798 5799 4038e1 5796->5799 5800 4038ee 5796->5800 5801 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5797->5801 5802 403941 5798->5802 5803 40394b 5798->5803 5804 403894 6 API calls 5799->5804 5805 403894 6 API calls 5800->5805 5801->5808 5806 403864 23 API calls 5802->5806 5807 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5803->5807 5804->5808 5809 4038fc 5805->5809 5806->5808 5810 40395d 5807->5810 5808->5788 5811 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5809->5811 5812 403864 23 API calls 5810->5812 5813 403917 5811->5813 5814 403976 
5812->5814 5815 40374c VariantClear 5813->5815 5817 40374c VariantClear 5814->5817 5816 40392c 5815->5816 5816->5788 5818 40398b 5817->5818 5818->5788 5820 407d8a 5819->5820 5821 407d9b 5819->5821 5822 407d8f InterlockedExchange 5820->5822 5821->5154 5822->5821 5824 408187 5823->5824 5828 40817c 5823->5828 5829 408110 5824->5829 5827 405d18 18 API calls 5827->5828 5828->5381 5830 408163 5829->5830 5831 408124 5829->5831 5830->5827 5830->5828 5831->5830 5833 408060 5831->5833 5834 40806b 5833->5834 5837 40807c 5833->5837 5835 405d18 18 API calls 5834->5835 5835->5837 5836 407954 34 API calls 5838 408090 5836->5838 5837->5836 5839 407954 34 API calls 5838->5839 5840 4080b1 5839->5840 5841 407dcc InterlockedExchange 5840->5841 5842 4080c6 5841->5842 5843 4080dc 5842->5843 5844 405d18 18 API calls 5842->5844 5843->5831 5844->5843 6136 4024d0 6137 4024e4 6136->6137 6138 4024e9 6136->6138 6139 401918 4 API calls 6137->6139 6140 402518 6138->6140 6141 40250e RtlEnterCriticalSection 6138->6141 6143 4024ed 6138->6143 6139->6138 6151 402300 6140->6151 6141->6140 6145 402525 6147 402581 6145->6147 6148 402577 RtlLeaveCriticalSection 6145->6148 6146 401fd4 14 API calls 6149 402531 6146->6149 6148->6147 6149->6145 6161 40215c 6149->6161 6152 402314 6151->6152 6153 402335 6152->6153 6154 4023b8 6152->6154 6155 402344 6153->6155 6175 401b74 6153->6175 6154->6155 6158 402455 6154->6158 6178 401d80 6154->6178 6182 401e84 6154->6182 6155->6145 6155->6146 6158->6155 6160 401d00 9 API calls 6158->6160 6160->6155 6162 40217a 6161->6162 6163 402175 6161->6163 6165 4021b5 6162->6165 6166 4021ab RtlEnterCriticalSection 6162->6166 6167 40217e 6162->6167 6164 401918 4 API calls 6163->6164 6164->6162 6168 402244 6165->6168 6172 4021c1 6165->6172 6173 402270 6165->6173 6166->6165 6167->6145 6168->6167 6171 401d80 7 API calls 6168->6171 6169 4022e3 RtlLeaveCriticalSection 6170 4022ed 6169->6170 6170->6145 6171->6167 6172->6169 6172->6170 6173->6172 6174 401d00 7 API calls 6173->6174 6174->6172 
6176 40215c 9 API calls 6175->6176 6177 401b95 6176->6177 6177->6155 6179 401d92 6178->6179 6180 401d89 6178->6180 6179->6154 6180->6179 6181 401b74 9 API calls 6180->6181 6181->6179 6187 401768 6182->6187 6184 401e99 6185 401ea6 6184->6185 6186 401dcc 9 API calls 6184->6186 6185->6154 6186->6185 6190 401787 6187->6190 6188 40183b 6196 4017e7 6188->6196 6202 4015c4 6188->6202 6189 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6189->6190 6190->6188 6190->6189 6192 40132c LocalAlloc 6190->6192 6193 401821 6190->6193 6195 4017d6 6190->6195 6192->6190 6194 40150c VirtualFree 6193->6194 6194->6196 6198 40150c 6195->6198 6196->6184 6201 40153b 6198->6201 6199 401594 6199->6196 6200 401568 VirtualFree 6200->6201 6201->6199 6201->6200 6203 40160a 6202->6203 6204 401626 VirtualAlloc 6203->6204 6205 40163a 6203->6205 6204->6203 6204->6205 6205->6196 6206 4028d2 6207 4028da 6206->6207 6209 4028ef 6207->6209 6212 403554 6207->6212 6210 4025ac 4 API calls 6209->6210 6211 4028f4 6210->6211 6213 403566 6212->6213 6215 403578 6213->6215 6216 403604 6213->6216 6215->6207 6217 40357c 6216->6217 6220 4035d0 6217->6220 6221 40359b 6217->6221 6224 4035a0 6217->6224 6226 4035b6 6217->6226 6218 4035b1 6222 403198 4 API calls 6218->6222 6219 4035b8 6223 4031b8 4 API calls 6219->6223 6220->6226 6229 40357c 6220->6229 6221->6224 6225 4035ec 6221->6225 6222->6226 6223->6226 6224->6218 6224->6219 6225->6226 6228 403554 4 API calls 6225->6228 6226->6213 6228->6225 6230 403591 6229->6230 6231 4035a0 6229->6231 6234 4035b6 6230->6234 6235 4035d0 6230->6235 6236 40359b 6230->6236 6232 4035b1 6231->6232 6233 4035b8 6231->6233 6237 403198 4 API calls 6232->6237 6238 4031b8 4 API calls 6233->6238 6234->6220 6235->6234 6239 40357c 4 API calls 6235->6239 6236->6231 6241 4035ec 6236->6241 6237->6234 6238->6234 6239->6235 6240 403554 4 API calls 6240->6241 6241->6234 6241->6240 6242 4094d2 6243 4094c4 6242->6243 6246 409460 6243->6246 6247 409465 Wow64RevertWow64FsRedirection 6246->6247 6248 
40946f 6246->6248 6247->6248 6999 4019d3 7000 4019ba 6999->7000 7001 4019c3 RtlLeaveCriticalSection 7000->7001 7002 4019cd 7000->7002 7001->7002 6249 4094d4 SetLastError 6250 4094dd 6249->6250 7003 407bd6 7010 407bd8 7003->7010 7004 407b90 WriteFile 7005 407ba3 7004->7005 7006 407b9c 7004->7006 7008 407bb4 7005->7008 7009 4078a0 34 API calls 7005->7009 7007 407940 35 API calls 7006->7007 7007->7005 7009->7008 7010->7004 7011 407c94 7010->7011 6251 407ae0 ReadFile 6252 407b00 6251->6252 6253 407b17 6251->6253 6254 407b10 6252->6254 6255 407b06 GetLastError 6252->6255 6256 407940 35 API calls 6254->6256 6255->6253 6255->6254 6256->6253 7015 4075e2 7016 4075cc 7015->7016 7017 403198 4 API calls 7016->7017 7018 4075d4 7017->7018 7019 403198 4 API calls 7018->7019 7020 4075dc 7019->7020 7021 4093e4 7024 4092b0 7021->7024 7025 4092b9 7024->7025 7026 403198 4 API calls 7025->7026 7027 4092c7 7025->7027 7026->7025 7028 4055e8 7029 4055fb 7028->7029 7030 4052e0 33 API calls 7029->7030 7031 40560f 7030->7031 7032 402be9 RaiseException 7033 402c04 7032->7033 6257 40acec 6258 40ad11 6257->6258 6291 409e14 6258->6291 6260 40ad69 6303 4026c4 GetSystemTime 6260->6303 6262 40ad16 6262->6260 6296 40928c 6262->6296 6263 40ad6e 6304 409808 6263->6304 6267 40ad45 6270 40ad4d MessageBoxA 6267->6270 6268 4031e8 18 API calls 6269 40ad83 6268->6269 6322 406db0 6269->6322 6270->6260 6273 40ad5a 6270->6273 6299 405cec 6273->6299 6277 406ac0 19 API calls 6278 40adb1 6277->6278 6279 403340 18 API calls 6278->6279 6280 40adbf 6279->6280 6281 4031e8 18 API calls 6280->6281 6282 40adcf 6281->6282 6283 407994 37 API calls 6282->6283 6284 40ae0e 6283->6284 6285 402594 18 API calls 6284->6285 6286 40ae2e 6285->6286 6287 407edc 19 API calls 6286->6287 6288 40ae70 6287->6288 6289 40816c 35 API calls 6288->6289 6290 40ae97 6289->6290 6339 409a14 6291->6339 6416 40925c 6296->6416 6300 405cf1 6299->6300 6301 405dc8 19 API calls 6300->6301 6302 405d03 6301->6302 6302->6302 6303->6263 6320 409828 
6304->6320 6307 40984d CreateDirectoryA 6308 4098c5 6307->6308 6309 409857 GetLastError 6307->6309 6310 40322c 4 API calls 6308->6310 6309->6320 6311 4098cf 6310->6311 6313 4031b8 4 API calls 6311->6313 6312 40928c 18 API calls 6312->6320 6315 4098e9 6313->6315 6317 4031b8 4 API calls 6315->6317 6316 407738 19 API calls 6316->6320 6318 4098f6 6317->6318 6318->6268 6319 40925c 18 API calls 6319->6320 6320->6307 6320->6312 6320->6316 6320->6319 6321 405d18 18 API calls 6320->6321 6420 4071a8 6320->6420 6443 4096fc 6320->6443 6462 40511c 6320->6462 6321->6320 6559 406ca8 6322->6559 6325 403454 18 API calls 6326 406dd2 6325->6326 6327 406b48 6326->6327 6564 406d6c 6327->6564 6330 406b86 6333 403454 18 API calls 6330->6333 6331 406b78 6332 403340 18 API calls 6331->6332 6334 406b84 6332->6334 6335 406b99 6333->6335 6337 403198 4 API calls 6334->6337 6336 403340 18 API calls 6335->6336 6336->6334 6338 406bbb 6337->6338 6338->6277 6345 409a33 6339->6345 6340 409a68 6342 409a75 GetUserDefaultLangID 6340->6342 6346 409a6a 6340->6346 6341 409a6c 6356 4074d8 GetModuleHandleA GetProcAddress 6341->6356 6342->6346 6344 409a47 6350 409da4 6344->6350 6345->6340 6345->6341 6345->6344 6346->6344 6347 409aa3 GetACP 6346->6347 6348 409ac7 6346->6348 6347->6344 6347->6346 6348->6344 6349 409aed GetACP 6348->6349 6349->6344 6349->6348 6351 409de6 6350->6351 6352 409dac 6350->6352 6351->6262 6352->6351 6353 403420 18 API calls 6352->6353 6354 409de0 6353->6354 6400 409334 6354->6400 6357 407512 6356->6357 6358 40751b 6356->6358 6369 403198 4 API calls 6357->6369 6359 407524 6358->6359 6360 40755c 6358->6360 6377 40741c 6359->6377 6362 40741c RegOpenKeyExA 6360->6362 6363 407575 6362->6363 6365 407592 6363->6365 6366 407410 20 API calls 6363->6366 6364 40753d 6364->6365 6380 407410 6364->6380 6367 40322c 4 API calls 6365->6367 6370 407589 RegCloseKey 6366->6370 6371 40759f 6367->6371 6373 4075d4 6369->6373 6370->6365 6375 4032fc 18 API calls 6371->6375 6374 403198 4 API calls 6373->6374 
6376 4075dc 6374->6376 6375->6357 6376->6346 6378 407427 6377->6378 6379 40742d RegOpenKeyExA 6377->6379 6378->6379 6379->6364 6383 4072c4 6380->6383 6384 4072ea RegQueryValueExA 6383->6384 6387 40730d 6384->6387 6399 40732f 6384->6399 6385 403198 4 API calls 6388 4073fb RegCloseKey 6385->6388 6386 407327 6389 403198 4 API calls 6386->6389 6387->6386 6390 403278 18 API calls 6387->6390 6391 403420 18 API calls 6387->6391 6387->6399 6388->6365 6389->6399 6390->6387 6392 407364 RegQueryValueExA 6391->6392 6392->6384 6393 407380 6392->6393 6394 4034f0 18 API calls 6393->6394 6393->6399 6395 4073c2 6394->6395 6396 4073d4 6395->6396 6398 403420 18 API calls 6395->6398 6397 4031e8 18 API calls 6396->6397 6397->6399 6398->6396 6399->6385 6401 409342 6400->6401 6403 40935a 6401->6403 6413 4092cc 6401->6413 6404 4092cc 18 API calls 6403->6404 6405 40937e 6403->6405 6404->6405 6406 407dcc InterlockedExchange 6405->6406 6407 409399 6406->6407 6408 4092cc 18 API calls 6407->6408 6410 4093ac 6407->6410 6408->6410 6409 4092cc 18 API calls 6409->6410 6410->6409 6411 403278 18 API calls 6410->6411 6412 4093db 6410->6412 6411->6410 6412->6351 6414 405d18 18 API calls 6413->6414 6415 4092dd 6414->6415 6415->6403 6417 40927c 6416->6417 6418 409134 18 API calls 6417->6418 6419 409285 6418->6419 6419->6267 6465 406ee0 6420->6465 6423 4071da 6424 406ee0 19 API calls 6423->6424 6427 407226 6423->6427 6426 4071ea 6424->6426 6428 4071f6 6426->6428 6430 406ebc 21 API calls 6426->6430 6479 406d10 6427->6479 6428->6427 6431 40721b 6428->6431 6433 406ee0 19 API calls 6428->6433 6430->6428 6431->6427 6476 407150 GetWindowsDirectoryA 6431->6476 6436 40720f 6433->6436 6435 406ac0 19 API calls 6437 40723b 6435->6437 6436->6431 6439 406ebc 21 API calls 6436->6439 6438 40322c 4 API calls 6437->6438 6440 407245 6438->6440 6439->6431 6441 4031b8 4 API calls 6440->6441 6442 40725f 6441->6442 6442->6320 6444 40971c 6443->6444 6445 406ac0 19 API calls 6444->6445 6446 409735 6445->6446 6447 40322c 4 API 
calls 6446->6447 6450 409740 6447->6450 6449 406e00 20 API calls 6449->6450 6450->6449 6451 4033b4 18 API calls 6450->6451 6452 40928c 18 API calls 6450->6452 6454 405d18 18 API calls 6450->6454 6455 4097bc 6450->6455 6526 409688 6450->6526 6534 4094e8 6450->6534 6451->6450 6452->6450 6454->6450 6456 40322c 4 API calls 6455->6456 6457 4097c7 6456->6457 6458 4031b8 4 API calls 6457->6458 6459 4097e1 6458->6459 6460 403198 4 API calls 6459->6460 6461 4097e9 6460->6461 6461->6320 6463 405630 33 API calls 6462->6463 6464 40513a 6463->6464 6464->6320 6466 4034f0 18 API calls 6465->6466 6467 406ef3 6466->6467 6468 406f0a GetEnvironmentVariableA 6467->6468 6472 406f1d 6467->6472 6488 4072a0 6467->6488 6468->6467 6469 406f16 6468->6469 6470 403198 4 API calls 6469->6470 6470->6472 6472->6423 6473 406ebc 6472->6473 6492 406e64 6473->6492 6477 405268 18 API calls 6476->6477 6478 407171 6477->6478 6478->6427 6480 403414 6479->6480 6481 406d33 GetFullPathNameA 6480->6481 6482 406d56 6481->6482 6483 406d3f 6481->6483 6485 40322c 4 API calls 6482->6485 6483->6482 6484 406d47 6483->6484 6486 403278 18 API calls 6484->6486 6487 406d54 6485->6487 6486->6487 6487->6435 6489 4072ae 6488->6489 6490 4034f0 18 API calls 6489->6490 6491 4072bc 6490->6491 6491->6467 6499 406e00 6492->6499 6494 406e86 6495 406e8e GetFileAttributesA 6494->6495 6496 406ea3 6495->6496 6497 403198 4 API calls 6496->6497 6498 406eab 6497->6498 6498->6423 6509 406bcc 6499->6509 6501 406e38 6504 406e43 6501->6504 6505 406e4e 6501->6505 6503 406e11 6503->6501 6516 406df8 CharPrevA 6503->6516 6506 40322c 4 API calls 6504->6506 6517 403454 6505->6517 6508 406e4c 6506->6508 6508->6494 6512 406bdd 6509->6512 6510 406c41 6511 406b08 IsDBCSLeadByte 6510->6511 6513 406c3c 6510->6513 6511->6513 6512->6510 6514 406bfb 6512->6514 6513->6503 6514->6513 6524 406b08 IsDBCSLeadByte 6514->6524 6516->6503 6518 403486 6517->6518 6519 403459 6517->6519 6520 403198 4 API calls 6518->6520 6519->6518 6522 40346d 6519->6522 6521 40347c 
6520->6521 6521->6508 6523 403278 18 API calls 6522->6523 6523->6521 6525 406b1c 6524->6525 6525->6514 6527 403198 4 API calls 6526->6527 6529 4096a9 6527->6529 6531 4096d6 6529->6531 6543 4032a8 6529->6543 6546 403494 6529->6546 6532 403198 4 API calls 6531->6532 6533 4096eb 6532->6533 6533->6450 6550 409424 6534->6550 6536 4094fe 6537 409502 6536->6537 6556 406ed0 6536->6556 6537->6450 6540 409535 6541 409460 Wow64RevertWow64FsRedirection 6540->6541 6542 40953d 6541->6542 6542->6450 6544 403278 18 API calls 6543->6544 6545 4032b5 6544->6545 6545->6529 6547 403498 6546->6547 6549 4034c3 6546->6549 6548 4034f0 18 API calls 6547->6548 6548->6549 6549->6529 6551 409432 6550->6551 6552 40942e 6550->6552 6553 409454 SetLastError 6551->6553 6554 40943b Wow64DisableWow64FsRedirection 6551->6554 6552->6536 6555 40944f 6553->6555 6554->6555 6555->6536 6557 406e64 21 API calls 6556->6557 6558 406eda GetLastError 6557->6558 6558->6540 6560 406bcc IsDBCSLeadByte 6559->6560 6562 406cbd 6560->6562 6561 406d07 6561->6325 6562->6561 6563 406b08 IsDBCSLeadByte 6562->6563 6563->6562 6565 406d7b 6564->6565 6566 406ca8 IsDBCSLeadByte 6565->6566 6568 406d86 6566->6568 6567 406b72 6567->6330 6567->6331 6568->6567 6569 406b08 IsDBCSLeadByte 6568->6569 6569->6568 6574 402af2 6575 402afe 6574->6575 6578 402ed0 6575->6578 6579 403154 4 API calls 6578->6579 6581 402ee0 6579->6581 6580 402b03 6581->6580 6583 402b0c 6581->6583 6584 402b25 6583->6584 6585 402b15 RaiseException 6583->6585 6584->6580 6585->6584 5926 406df8 CharPrevA 7044 402dfa 7045 402e26 7044->7045 7046 402e0d 7044->7046 7048 402ba4 7046->7048 7049 402bc9 7048->7049 7050 402bad 7048->7050 7049->7045 7051 402bb5 RaiseException 7050->7051 7051->7049 5929 4079fc 5930 407a08 CloseHandle 5929->5930 5931 407a11 5929->5931 5930->5931 6596 403a80 CloseHandle 6597 403a90 6596->6597 6598 403a91 GetLastError 6596->6598 6599 404283 6600 4042c3 6599->6600 6601 403154 4 API calls 6600->6601 6602 404323 6601->6602 7052 404185 7053 4041ff 
7052->7053 7054 4041cc 7053->7054 7055 403154 4 API calls 7053->7055 7056 404323 7055->7056 6603 403e87 6604 403e4c 6603->6604 6605 403e62 6604->6605 6606 403e7b 6604->6606 6609 403e67 6604->6609 6608 403cc8 4 API calls 6605->6608 6607 402674 4 API calls 6606->6607 6610 403e78 6607->6610 6608->6609 6609->6610 6611 402674 4 API calls 6609->6611 6611->6610 6612 408488 6613 40849a 6612->6613 6616 4084a1 6612->6616 6623 4083c4 6613->6623 6615 4084d5 6619 408502 6615->6619 6621 408230 33 API calls 6615->6621 6616->6615 6617 4084c9 6616->6617 6618 4084cb 6616->6618 6637 4082e0 6617->6637 6634 408230 6618->6634 6621->6619 6624 4083d9 6623->6624 6625 408230 33 API calls 6624->6625 6626 4083e8 6624->6626 6625->6626 6627 408422 6626->6627 6628 408230 33 API calls 6626->6628 6629 408436 6627->6629 6630 408230 33 API calls 6627->6630 6628->6627 6633 408462 6629->6633 6644 40836c 6629->6644 6630->6629 6633->6616 6647 405d4c 6634->6647 6636 408252 6636->6615 6638 40561c 33 API calls 6637->6638 6639 40830b 6638->6639 6655 408298 6639->6655 6641 408313 6642 403198 4 API calls 6641->6642 6643 408328 6642->6643 6643->6615 6645 40837b VirtualFree 6644->6645 6646 40838d VirtualAlloc 6644->6646 6645->6646 6646->6633 6648 405d58 6647->6648 6649 40561c 33 API calls 6648->6649 6650 405d85 6649->6650 6651 4031e8 18 API calls 6650->6651 6652 405d90 6651->6652 6653 403198 4 API calls 6652->6653 6654 405da5 6653->6654 6654->6636 6656 405d4c 33 API calls 6655->6656 6657 4082ba 6656->6657 6657->6641 7061 40af8d 7062 40af90 SetLastError 7061->7062 7063 409b20 35 API calls 7062->7063 7064 40afa5 7063->7064 7065 40afaa 7064->7065 7066 402f24 5 API calls 7064->7066 7067 40afb4 CreateWindowExA SetWindowLongA 7065->7067 7066->7065 7068 40561c 33 API calls 7067->7068 7069 40b037 7068->7069 7070 4032fc 18 API calls 7069->7070 7071 40b045 7070->7071 7072 4032fc 18 API calls 7071->7072 7073 40b052 7072->7073 7074 407004 19 API calls 7073->7074 7075 40b05e 7074->7075 7076 4032fc 18 API calls 7075->7076 
7077 40b067 7076->7077 7078 409ec4 43 API calls 7077->7078 7079 40b079 7078->7079 7080 40b08c 7079->7080 7081 409da4 19 API calls 7079->7081 7082 40b0c5 7080->7082 7083 4099b0 9 API calls 7080->7083 7081->7080 7084 40b0de 7082->7084 7087 40b0d8 RemoveDirectoryA 7082->7087 7083->7082 7085 40b0f2 7084->7085 7086 40b0e7 DestroyWindow 7084->7086 7088 40b11a 7085->7088 7089 40357c 4 API calls 7085->7089 7086->7085 7087->7084 7090 40b110 7089->7090 7091 4025ac 4 API calls 7090->7091 7091->7088 7092 403991 7093 403983 7092->7093 7094 40374c VariantClear 7093->7094 7095 40398b 7094->7095 6667 403a97 6668 403aac 6667->6668 6669 403bbc GetStdHandle 6668->6669 6670 403b0e CreateFileA 6668->6670 6680 403ab2 6668->6680 6671 403c17 GetLastError 6669->6671 6675 403bba 6669->6675 6670->6671 6672 403b2c 6670->6672 6671->6680 6674 403b3b GetFileSize 6672->6674 6672->6675 6674->6671 6676 403b4e SetFilePointer 6674->6676 6677 403be7 GetFileType 6675->6677 6675->6680 6676->6671 6681 403b6a ReadFile 6676->6681 6679 403c02 CloseHandle 6677->6679 6677->6680 6679->6680 6681->6671 6682 403b8c 6681->6682 6682->6675 6683 403b9f SetFilePointer 6682->6683 6683->6671 6684 403bb0 SetEndOfFile 6683->6684 6684->6671 6684->6675 6697 402caa 6698 403154 4 API calls 6697->6698 6699 402caf 6698->6699 6700 4028ac 6701 402594 18 API calls 6700->6701 6702 4028b6 6701->6702 6703 407aae GetFileSize 6704 407ada 6703->6704 6705 407aca GetLastError 6703->6705 6705->6704 6706 407ad3 6705->6706 6707 407940 35 API calls 6706->6707 6707->6704 6714 40aeb6 6715 40aedb 6714->6715 6716 407dcc InterlockedExchange 6715->6716 6717 40af05 6716->6717 6718 40af15 6717->6718 6719 409fc0 18 API calls 6717->6719 6724 407b60 SetEndOfFile 6718->6724 6719->6718 6721 40af31 6722 4025ac 4 API calls 6721->6722 6723 40af68 6722->6723 6725 407b70 6724->6725 6726 407b77 6724->6726 6727 407940 35 API calls 6725->6727 6726->6721 6727->6726 6732 401ab9 6733 401a96 6732->6733 6734 401aa9 RtlDeleteCriticalSection 6733->6734 6735 401a9f 
RtlLeaveCriticalSection 6733->6735 6735->6734

    Control-flow Graph

    APIs
    • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
    • Instruction ID: 16534491fad4532095b25154bcfa4eb159586e841354a195c3175f568a425c49
    • Opcode Fuzzy Hash: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
    • Instruction Fuzzy Hash: 4DE0D87170021827D710A9699C86EFB725CE758310F4006BFB908E73C2EDB59E8046ED

    Control-flow Graph

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 0040466F
    • GetVersion.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 00404676
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048D8
    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048EE
    • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 004048F9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressProc$HandleModulePolicyProcessVersion
    • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
    • API String ID: 3297890031-1119018034
    • Opcode ID: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
    • Instruction ID: 8135fb14ee81180893b1f543c3a29e932c16cf19254b5bff3906bd7e71ea8aa3
    • Opcode Fuzzy Hash: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
    • Instruction Fuzzy Hash: 9D611270600159AFDB00FBF6DA8398E77A89F80305B2045BBA604772D6D778EF059B5D

    Control-flow Graph

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 0040957A
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409580
    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 00409594
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040959A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
    • API String ID: 1646373207-2130885113
    • Opcode ID: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
    • Instruction ID: a26a6a73124c26f393fcd3150f7a0ae21a729c0721f3e308dc05a8b68c4216e4
    • Opcode Fuzzy Hash: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
    • Instruction Fuzzy Hash: AD119170908244BEDB00FBA6CD02B497BA8DB85704F20447BB500762D3CA7D5D08DA2D

    Control-flow Graph

    APIs
    • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
    • LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
    • RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
    • RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
    • String ID:
    • API String ID: 3782394904-0
    • Opcode ID: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
    • Instruction ID: 2a1e8c518b16d72ac75c21d19d034316e64e92064156904d4596c6339aa50fda
    • Opcode Fuzzy Hash: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
    • Instruction Fuzzy Hash: 65114274B422805ADB11EBE99EC6F5276689785708F44407FF448B62F2C67CA848CB6D

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNEL32(?), ref: 0040A062
    • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A06D
    • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0AE
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0E0
    • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0F0
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Virtual$ProtectQuery$InfoSystem
    • String ID:
    • API String ID: 2441996862-0
    • Opcode ID: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
    • Instruction ID: d22f8a83843956dcd0f1bd3c30f31cd8ee5be065fb893754064b45e2edc0d12d
    • Opcode Fuzzy Hash: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
    • Instruction Fuzzy Hash: 8921AEB12003086BD630DE998D85E6BB3D8DF85354F04483AF685E33C2D77DE864966A

    Control-flow Graph

    APIs
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
    • ExitProcess.KERNEL32 ref: 00403DE5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExitMessageProcess
    • String ID: Error$Runtime error at 00000000
    • API String ID: 1220098344-2970929446
    • Opcode ID: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
    • Instruction ID: 19c161ad1fd1f445befe0ff666437f64548d8e35ccd3b0abec794ae5707e41c3
    • Opcode Fuzzy Hash: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
    • Instruction Fuzzy Hash: 0421C834E152418AE714EFE59A817153E989B5930DF04817BD504B73E3C67C9A4EC36E

    Control-flow Graph

    APIs
    • RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
    • RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
    • LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
    • RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
    • String ID:
    • API String ID: 730355536-0
    • Opcode ID: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
    • Instruction ID: ca3d82fa79822ebb621977d4c6345e30539334a4bf25a92a69ec079a2ec9ab95
    • Opcode Fuzzy Hash: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
    • Instruction Fuzzy Hash: F20192B4E442405EE715ABFA9A56B253BA4D789704F1080BFF044F72F2C67C6458C75D

    Control-flow Graph

    APIs
    • RtlUnwind.KERNEL32(?,?,Function_00002C08,00000000,?,?,Function_00002C08,?), ref: 00402C74
      • Part of subcall function 00402B28: RaiseException.KERNEL32(0EEDFAD4,00000000,00000002), ref: 00402B3E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExceptionRaiseUnwind
    • String ID: ,`@
    • API String ID: 478881706-3711388833
    • Opcode ID: c790c7a442039b517183a7463376a734d307fb72ce7105d76f061ecf1436c93a
    • Instruction ID: 97d3f2471094b4ca6c51ddda2b863264321d4d076ae0fb00dec9115aef34ba71
    • Opcode Fuzzy Hash: c790c7a442039b517183a7463376a734d307fb72ce7105d76f061ecf1436c93a
    • Instruction Fuzzy Hash: 70013974204200AFE310EF15CA89F2BB7A9FB88754F55C56AF5086B3E1C778EC01CA69

    Control-flow Graph

    APIs
    • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017
      • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
      • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
      • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
      • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
    • String ID:
    • API String ID: 296031713-0
    • Opcode ID: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
    • Instruction ID: 72c497f3d878e3d6a4a9583ee00a9bb41c235ef620702b970aaba137d6b92855
    • Opcode Fuzzy Hash: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
    • Instruction Fuzzy Hash: 2341C2B2E007019FD710CFA9DE8561A7BA0EB58314B15817BD549B73E1D378A849CB48

    Control-flow Graph

    APIs
    • SetErrorMode.KERNEL32(00008000), ref: 0040745E
    • LoadLibraryA.KERNEL32(00000000,00000000,004074A8,?,00000000,004074C6,?,00008000), ref: 0040748D
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorLibraryLoadMode
    • String ID:
    • API String ID: 2987862817-0
    • Opcode ID: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
    • Instruction ID: a630936203178071a9ee71a4306d19d7bf0886e547c0eed2c6a3f5d1fd0b17c9
    • Opcode Fuzzy Hash: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
    • Instruction Fuzzy Hash: B9F08270A14704BEDB125F768C5282ABEACEB49B1475388B6F900A26D2E53C5820C569

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
    • Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
    • Opcode Fuzzy Hash: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
    • Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9

    Control-flow Graph

    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,0040583E), ref: 00405727
      • Part of subcall function 00405164: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405181
      • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: DefaultInfoLoadLocaleStringSystem
    • String ID:
    • API String ID: 1658689577-0
    • Opcode ID: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
    • Instruction ID: c7d7bdc64998b5a50f072f8a8ba779086e7d05f386a85bc6535a333606642bb6
    • Opcode Fuzzy Hash: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
    • Instruction Fuzzy Hash: 05315075E00509ABCF00DF95C8819EEB379FF84304F548977E815BB285E739AE068B94

    Control-flow Graph

    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00409C18
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID:
    • API String ID: 2030045667-0
    • Opcode ID: e404e2213cab1cb8d8c7ad519049062dbfaee2a85659122b32ec1a9431e87bfe
    • Instruction ID: d81cb0aa80d85b52c51bcf804432e731ae41fb5784218249075f4083c33b45f1
    • Opcode Fuzzy Hash: e404e2213cab1cb8d8c7ad519049062dbfaee2a85659122b32ec1a9431e87bfe
    • Instruction Fuzzy Hash: F6F0E271608608BEEB11EB62CD03F5B77ACDB86B18F904477B900B65D2C67D6E00897D

    Control-flow Graph

    APIs
    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
    • Instruction ID: 042ae40820150c0b4851109f40d588701a9899a67d40570aa5757512981d293a
    • Opcode Fuzzy Hash: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
    • Instruction Fuzzy Hash: 6FE0ED753442586EE340DAED6D81FA677DC974A714F008132B998DB382D4719D118BA8
    APIs
    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
    • Instruction ID: 8ced2eed2e357b00b36525f681a949bcf9e14530d7ff6951507f50c56b932d1f
    • Opcode Fuzzy Hash: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
    • Instruction Fuzzy Hash: 95E0ED753442586EE240DAED6D81F96779C974A714F008122B998DB382D4719D118BA8
    APIs
    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 00407757
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FormatMessage
    • String ID:
    • API String ID: 1306739567-0
    • Opcode ID: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
    • Instruction ID: 444c138c93f6580368b8f7bf76726c6abc5f79d38e46f5c5344eab39dd4d6646
    • Opcode Fuzzy Hash: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
    • Instruction Fuzzy Hash: 20E0D8A1B8830126F62426144C87F77110E43C0740F60403A7B04EF3D2D6FEB909429F
    APIs
    • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
    • Instruction ID: 2360f01ce0fe84dc83243c5f87e7f13f8f92df382308918f1fe84dd18a5cd7c9
    • Opcode Fuzzy Hash: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
    • Instruction Fuzzy Hash: C8B09B76F1C2006DE705DAD5745153877D4D7C47103A14877F114D25C0D53C94108519
    APIs
    • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
    • Instruction ID: d86a438f0f99301b82867e6a10fbdb03c4267dfb17041a1f22e3924364c889c4
    • Opcode Fuzzy Hash: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
    • Instruction Fuzzy Hash: 55A002A9D08104BACE10EAE58CD5A7D77A86A883047D048AA7215B2181C53DE911963B
    APIs
    • CharPrevA.USER32(?,?,00406DF4,?,00406AD1,?,?,004095D4,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616), ref: 00406DFA
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CharPrev
    • String ID:
    • API String ID: 122130370-0
    • Opcode ID: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
    • Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
    • Opcode Fuzzy Hash: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
    • Instruction Fuzzy Hash:
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
    • Instruction ID: 317b5c03ede138d5cd26287ffab94a369f1a3233cb4abf22224d679caf67fd96
    • Opcode Fuzzy Hash: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
    • Instruction Fuzzy Hash: 30D05E91B00A6007E215E6BE598864A92D85F88685B08847AF644E73D1D67CAD018389
    APIs
    • GetCurrentProcess.KERNEL32(00000028), ref: 0040992F
    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409935
    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040994E
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409975
    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040997A
    • ExitWindowsEx.USER32(00000002,00000000), ref: 0040998B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
    • String ID: SeShutdownPrivilege
    • API String ID: 107509674-3733053543
    • Opcode ID: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
    • Instruction ID: 69b49e6867c4070d7a8a5f136f8c55bc3de077f0d280c98028d7d6ae56364c3e
    • Opcode Fuzzy Hash: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
    • Instruction Fuzzy Hash: 21F062F068430275E610ABB68C07F6B61885BC0B48F50193EBA55F52C3D7BCD804866F
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407501
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407507
    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407555
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressCloseHandleModuleProc
    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
    • API String ID: 4190037839-2401316094
    • Opcode ID: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
    • Instruction ID: 86f2a6ba799f7653865fc0e2ce0ef1955b98c5cb30eb2cc475413799582f5e83
    • Opcode Fuzzy Hash: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
    • Instruction Fuzzy Hash: 27215570E48205BBDB00EAA5CC55BDF77A8AB44354F50887BA501F76C1DB7CBA04865E
    APIs
    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
    • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
    • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
    • GetLastError.KERNEL32(000000F5), ref: 00403C1E
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
    • String ID:
    • API String ID: 1694776339-0
    • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
    • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
    • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
    • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
    APIs
    • SetLastError.KERNEL32 ref: 0040AF99
      • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,00000000), ref: 00409B44
    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
    • SetWindowLongA.USER32(00000000,000000FC,00409E38), ref: 0040AFED
    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
    • DestroyWindow.USER32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
    • API String ID: 3757039580-3001827809
    • Opcode ID: 8b47794ece5a076888d6ba8e282ae78aa650e81203083d5a0dbdbb06a009e2cc
    • Instruction ID: e11106d591c480187276ddc099787e7d0131364ad6526c401ab361da32b03a0a
    • Opcode Fuzzy Hash: 8b47794ece5a076888d6ba8e282ae78aa650e81203083d5a0dbdbb06a009e2cc
    • Instruction Fuzzy Hash: AB412F70E006049BD711EBE9EE86B6937A4EB58304F10417BF114BB2E2C7B89C05CB9D
    APIs
    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
    • SetWindowLongA.USER32(00000000,000000FC,00409E38), ref: 0040AFED
      • Part of subcall function 00407004: GetCommandLineA.KERNEL32(00000000,00407048,?,?,?,?,00000000,?,0040B05E,?), ref: 0040701C
      • Part of subcall function 00409EC4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000,00409F97), ref: 00409F34
      • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000), ref: 00409F48
      • Part of subcall function 00409EC4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
      • Part of subcall function 00409EC4: GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
      • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0), ref: 00409F7C
    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
    • DestroyWindow.USER32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
    • API String ID: 3586484885-3001827809
    • Opcode ID: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
    • Instruction ID: 2c50bf805cbcaae07aef26e9318175051bf4a01897437c95b2245b611fc910e4
    • Opcode Fuzzy Hash: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
    • Instruction Fuzzy Hash: A6413B71A106049FD710EBE9EE96B6937E4EB58304F10427AF514BB2E1D7B89C04CB9C
    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,00405A94,?,?,?,?,00000000,00000000,00000000,?,00406A73,00000000,00406A86), ref: 00405866
      • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
      • Part of subcall function 004056E0: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: InfoLocale$DefaultSystem
    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
    • API String ID: 1044490935-665933166
    • Opcode ID: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
    • Instruction ID: 6fbfddc16810fcf353c8d16d6476d0df8e1e1129542ac215d571de96c8bf2126
    • Opcode Fuzzy Hash: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
    • Instruction Fuzzy Hash: A8512034B005486BDB00EBA59891A8F7769DB98304F50D87BB505BB3C6DA3DDE098F5C
    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000,00409F97), ref: 00409F34
    • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0,00000000), ref: 00409F48
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
    • GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
    • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,00000000,00409FB0), ref: 00409F7C
      • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,00000000), ref: 00409B44
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
    • String ID: D
    • API String ID: 3356880605-2746444292
    • Opcode ID: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
    • Instruction ID: 5612ed86ad08d4bddb5d15266d7073179e0372755be9feb1331a68d3317c9ad6
    • Opcode Fuzzy Hash: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
    • Instruction Fuzzy Hash: 57114FB16442096EDB00EBE6CC52F9FB7ACEF49718F50007BB604F72C6DA789D048669
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocString
    • String ID:
    • API String ID: 262959230-0
    • Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
    • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
    • Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
    • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
    APIs
    • GetModuleHandleA.KERNEL32(00000000,0040AAE6), ref: 004030E3
    • GetCommandLineA.KERNEL32(00000000,0040AAE6), ref: 004030EE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CommandHandleLineModule
    • String ID: @'R$U1hd.@
    • API String ID: 2123368496-4079106716
    • Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
    • Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
    • Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
    • Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD
    APIs
    • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A116
    • SizeofResource.KERNEL32(00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 0040A129
    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000), ref: 0040A13B
    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A), ref: 0040A14C
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Resource$FindLoadLockSizeof
    • String ID:
    • API String ID: 3473537107-0
    • Opcode ID: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
    • Instruction ID: 8b92cee28785ce20b64f8d9370ff96c2b68540d1e256e0df05e6767f26cc4d74
    • Opcode Fuzzy Hash: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
    • Instruction Fuzzy Hash: 10E07EE035830265EA103AFA0DC3B2A00484B6474DF05403FB700B92C7DDBCDC1591AE
    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID: .tmp$xz@
    • API String ID: 2030045667-184514067
    • Opcode ID: 1a9f126479eefb79b953a8164ad266b4135b53319a1031089906e648eaa290f1
    • Instruction ID: cd6e40cb12cf75a94289ddc930eeb34ae46a26edf5cb602d02798e23291f977e
    • Opcode Fuzzy Hash: 1a9f126479eefb79b953a8164ad266b4135b53319a1031089906e648eaa290f1
    • Instruction Fuzzy Hash: B641C574B006009FD301EFA5DE92A6A77A5EB59704B10443BF800BB7E1CA79AC14CBAD
    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID: .tmp$xz@
    • API String ID: 2030045667-184514067
    • Opcode ID: e1506865f42f3e89b12404e73c43f8634e50fe20126f81ef68b30d74c7d8d1b2
    • Instruction ID: 53719d66007282c5495c6098f99a266dc5e357c3cd51cf55fd0a3e0a4036c937
    • Opcode Fuzzy Hash: e1506865f42f3e89b12404e73c43f8634e50fe20126f81ef68b30d74c7d8d1b2
    • Instruction Fuzzy Hash: B441C974B006009FC701EFA5DE92A5A77A5EB59704B10443BF800BB3E1CBB9AC04CBAD
    APIs
    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040984E
    • GetLastError.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409857
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateDirectoryErrorLast
    • String ID: .tmp
    • API String ID: 1375471231-2986845003
    • Opcode ID: ce1eb634d50c5b54d4636012cf297858a918ae837a7d9093118b41330ad7dbd4
    • Instruction ID: 99036c105fdce8595ace9a271e3c35a9b263f9a60d6b8e91bf220d2a738da6a3
    • Opcode Fuzzy Hash: ce1eb634d50c5b54d4636012cf297858a918ae837a7d9093118b41330ad7dbd4
    • Instruction Fuzzy Hash: 9F216775A10208ABDB00FFA5C8529DFB7B8EF84304F50457BE501B7382DA7C9E058BA9
    APIs
    • RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Unwind
    • String ID: a@$,`@
    • API String ID: 3419175465-3299659662
    • Opcode ID: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
    • Instruction ID: e18fd8dce0ff00c2f0e26d0eabb8ee8c5bb09bfe6675b42a72717897def5721e
    • Opcode Fuzzy Hash: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
    • Instruction Fuzzy Hash: 951182352042029BD724DE18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC81A769
    APIs
    • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A195
    Strings
    • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A179
    • Setup, xrefs: 0040A185
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message
    • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
    • API String ID: 2030045667-3271211647
    • Opcode ID: f964c5d952e80919a557d204c7618e23288aff00c9616c12bc482df284809c8a
    • Instruction ID: 75c34cc78b7437cb0ca87fafc7654258806437370cb031ed823535619a0dd887
    • Opcode Fuzzy Hash: f964c5d952e80919a557d204c7618e23288aff00c9616c12bc482df284809c8a
    • Instruction Fuzzy Hash: 8BE0E5302043087EE301EA629C03F5A7BACE7CAB04F600477F900B55C1C6786E10842D
    APIs
    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099CF
    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099DF
    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099F2
    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099FC
    Memory Dump Source
    • Source File: 00000003.00000002.1521818891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1521803553.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521835228.000000000040C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1521849825.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ErrorLastSleep
    • String ID:
    • API String ID: 1458359878-0
    • Opcode ID: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
    • Instruction ID: eb7512966d821cc35779f37d74516ce45850f6d6c39c5245c2e713911e3afcfa
    • Opcode Fuzzy Hash: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
    • Instruction Fuzzy Hash: F9F0BBB27012986BCB24A5AE8C86A6FB348EAD1358710403FF504F7393D439DC0156A9