Windows Analysis Report
HkppfZO2WW.exe

Overview

General Information

Sample name:HkppfZO2WW.exe
renamed because original name is a hash value
Original sample name:c23e31e962885184e343d7f402561853515a44256a20e78f74e5e597090b4f41.exe
Analysis ID:1562123
MD5:e8c247a498e6c947ac8fe25cb0374140
SHA1:2d40b90c9f9920e7890acbbadbc9fea85ce508c6
SHA256:c23e31e962885184e343d7f402561853515a44256a20e78f74e5e597090b4f41
Tags: exe, TRADETRUSTLLC, user-JAMESWT_MHT

Detection

Score:4
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
Potential time zone aware malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • HkppfZO2WW.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\HkppfZO2WW.exe" -install MD5: E8C247A498E6C947AC8FE25CB0374140)
    • javaw.exe (PID: 7292 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" -install MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
  • HkppfZO2WW.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\HkppfZO2WW.exe" /install MD5: E8C247A498E6C947AC8FE25CB0374140)
    • javaw.exe (PID: 7600 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /install MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
  • HkppfZO2WW.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\HkppfZO2WW.exe" /load MD5: E8C247A498E6C947AC8FE25CB0374140)
    • javaw.exe (PID: 7664 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /load MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: HkppfZO2WW.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: HkppfZO2WW.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | String found in binary or memory: http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | String found in binary or memory: http://ocsps.ssl.com0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | String found in binary or memory: http://ocsps.ssl.com0P
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | String found in binary or memory: https://www.ssl.com/repository0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 0_2_004030C0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 0_2_004013B0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 0_2_004013E9
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 4_2_004030C0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 4_2_004013B0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 4_2_004013E9
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 6_2_004030C0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 6_2_004013B0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 6_2_004013E9
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: String function: 00404DF0 appears 36 times
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: String function: 00404D40 appears 45 times
Source: HkppfZO2WW.exe | Static PE information: invalid certificate
Source: HkppfZO2WW.exe, 00000000.00000000.2163550546.0000000000410000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000004.00000000.2188658719.0000000000410000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000006.00000000.2210752213.0000000000410000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe | Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine | Classification label: clean4.winEXE@9/0@0/0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 0_2_00401BF0 GetLastError,MessageBoxA,ShellExecuteA,printf,fclose,FormatMessageA,strcat,printf,LocalFree,fprintf,fprintf,MessageBoxA
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 0_2_00401E10 FindResourceExA,LoadResource,LockResource,SetLastError
Source: HkppfZO2WW.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HkppfZO2WW.exe | String found in binary or memory: exp/soundboard/loader.mp3
Source: HkppfZO2WW.exe | String found in binary or memory: exp/soundboard/loader.mp3PK
Source: unknown | Process created: C:\Users\user\Desktop\HkppfZO2WW.exe "C:\Users\user\Desktop\HkppfZO2WW.exe" -install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" -install
Source: unknown | Process created: C:\Users\user\Desktop\HkppfZO2WW.exe "C:\Users\user\Desktop\HkppfZO2WW.exe" /install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /install
Source: unknown | Process created: C:\Users\user\Desktop\HkppfZO2WW.exe "C:\Users\user\Desktop\HkppfZO2WW.exe" /load
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /load
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" -install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /load
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Automated click: OK
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Automated click: OK
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Automated click: OK
Source: HkppfZO2WW.exe | Static file information: File size 9142400 > 1048576
Source: HkppfZO2WW.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | System information queried: CurrentTimeZoneInformation
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | System information queried: CurrentTimeZoneInformation
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | System information queried: CurrentTimeZoneInformation
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 0_2_00401150 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 4_2_00401150 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess
Source: C:\Users\user\Desktop\HkppfZO2WW.exe | Code function: 6_2_00401150 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess
MITRE ATT&CK Matrix (techniques with signature hits; number of matching signatures in parentheses):
  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
  • Defense Evasion: Process Injection (11), Deobfuscate/Decode Files or Information (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Discovery: System Time Discovery (1), System Information Discovery (2)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
No signature hits in the Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration and Impact columns.
Behavior Graph (ID: 1562123; Sample: HkppfZO2WW.exe; Start date: 25/11/2024; Architecture: WINDOWS; Score: 4): three HkppfZO2WW.exe processes started, each of which started one javaw.exe child process.

Antivirus detection (Source | Detection | Scanner | Label | Link)
HkppfZO2WW.exe | 3% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL detection (Source | Detection | Scanner | Label | Link)
http://ocsps.ssl.com0P | 0% | Avira URL Cloud | safe |
No contacted domains info
URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation)
http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0 | javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | false | | high
http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0 | javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | false | | high
http://ocsps.ssl.com0 | javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | false | | high
http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0 | javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | false | | high
http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0 | javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | false | | high
https://www.ssl.com/repository0 | javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | false | | high
http://ocsps.ssl.com0P | javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe | false | Avira URL Cloud: safe | unknown
No contacted IP infos
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1562123
              Start date and time:2024-11-25 08:35:48 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 42s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Run name:Cmdline fuzzy
Number of new started processes analysed:17
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:HkppfZO2WW.exe
              renamed because original name is a hash value
              Original Sample Name:c23e31e962885184e343d7f402561853515a44256a20e78f74e5e597090b4f41.exe
              Detection:CLEAN
              Classification:clean4.winEXE@9/0@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 45
              • Number of non-executed functions: 63
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
              • VT rate limit hit for: HkppfZO2WW.exe
              No simulations
              No context
              No created / dropped files found
              File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
              Entropy (8bit):7.969453019984369
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.94%
              • Win16/32 Executable Delphi generic (2074/23) 0.02%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:HkppfZO2WW.exe
              File size:9'142'400 bytes
              MD5:e8c247a498e6c947ac8fe25cb0374140
              SHA1:2d40b90c9f9920e7890acbbadbc9fea85ce508c6
              SHA256:c23e31e962885184e343d7f402561853515a44256a20e78f74e5e597090b4f41
              SHA512:999204796dcb777a16e321d8dc41406415713242c53000571772894090fb72cb1c954e9e001626f4eb2b634ac1bc3bf62acc8db95afaf9b7ef5f77325b7dac19
              SSDEEP:196608:s8+UuEJJls3EMUhdkzkgUvnzVr92NQ6C5HUHGGp+9:v+h3EJPkbUvZr92GGGGM
              TLSH:1D963382B691CE02D4195630D8F2C6F3A238FC4AFD508197AB5C3E073C78665B6B99F1
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?|T.................@...................P....@..................................D....@... ............................
              Icon Hash:0c4f9c9c05110f0c
              Entrypoint:0x401290
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH
              Time Stamp:0x547C3F9E [Mon Dec 1 10:14:54 2014 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:5c015bd7e84af79e092e9447b444a0b6
              Signature Valid:false
              Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA ECC R2, O=SSL Corp, L=Houston, S=Texas, C=US
              Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
              Error Number:-2146762495
Not Before:18/11/2024 04:47:36
Not After:18/11/2025 04:47:36
              Subject Chain
              • OID.1.3.6.1.4.1.311.60.2.1.3=UA, OID.2.5.4.15=Private Organization, CN=TRADE TRUST LLC, SERIALNUMBER=37058412, O=TRADE TRUST LLC, L=Dnipro, C=UA
              Version:3
              Thumbprint MD5:534B9DBCF3BB2DFA2DAD06DA0709841E
              Thumbprint SHA-1:FEA61825376A364886B5236EFCB3EDD1B23E9441
              Thumbprint SHA-256:BD193172C9C4775190F1C906FF5B47D9FB1A342DB35AC211A1A4AC8A9B07B914
              Serial:4C46DCF5B0C4357F05806830DBA932FD
              Instruction
              push ebp
              mov ebp, esp
              sub esp, 08h
              mov dword ptr [esp], 00000002h
              call dword ptr [0041028Ch]
              call 00007F19351C7D7Dh
              nop
              lea esi, dword ptr [esi+00000000h]
              push ebp
              mov ecx, dword ptr [004102C4h]
              mov ebp, esp
              pop ebp
              jmp ecx
              lea esi, dword ptr [esi+00h]
              push ebp
              mov ecx, dword ptr [004102B0h]
              mov ebp, esp
              pop ebp
              jmp ecx
              nop
              nop
              nop
              nop
              push ebp
              mov edx, 00000080h
              mov ebp, esp
              push edi
              xor eax, eax
              lea edi, dword ptr [ebp-00000118h]
              push esi
              push ebx
              sub esp, 0000011Ch
              mov dword ptr [esp+08h], edx
              mov dword ptr [esp+04h], eax
              mov dword ptr [esp], edi
              call 00007F19351CB914h
              mov dword ptr [esp+04h], edi
              mov dword ptr [esp], 00000018h
              call 00007F19351C89DCh
              test eax, eax
              je 00007F19351C7F52h
              mov dword ptr [esp], 00000000h
              xor ecx, ecx
              xor ebx, ebx
              mov dword ptr [esp+04h], ebx
              xor esi, esi
              mov dword ptr [esp+0Ch], ecx
              mov dword ptr [esp+08h], esi
              call 00007F19351CBA6Eh
              sub esp, 10h
              test eax, eax
              mov ebx, eax
              je 00007F19351C7F27h
              lea esi, dword ptr [ebp-00000098h]
              mov esi, esi
              mov dword ptr [esp+04h], esi
              mov eax, 0000007Fh
              mov dword ptr [esp+08h], eax
              mov dword ptr [esp], ebx
              call 00007F19351CBA50h
              sub esp, 0Ch
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10000 | 0xa94 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x5ad80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8b76d0 | 0x9b0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x101fc | 0x184 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
.text | 0x1000 | 0x3fa8 | 0x4000 | ae3284f8efb52ca846c6bfe6f40e797e | False | 0.509765625 | data | 6.099324153185884 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0xc0 | 0x200 | 435ad75db0c8ae66ccdb872533bc122e | False | 0.07421875 | data | 0.3263946603346658 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x6000 | 0x410 | 0x600 | f91a923d85c802d81b0a5f6cea028392 | False | 0.3802083333333333 | data | 4.414030430476667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x7000 | 0x8cb0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x10000 | 0xa94 | 0xc00 | 31cec3fb8d8e0dfb2ee22273a813e49e | False | 0.3636067708333333 | data | 4.476948124709663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x11000 | 0x5ad80 | 0x5ae00 | 6eab6cc60db09bcc9ee329ddf6405765 | False | 0.2977535032668501 | data | 4.9786374970558285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity)
RT_ICON | 0x113a0 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | | | 0.22518640707755125
RT_ICON | 0x533c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.43468295279782326
RT_ICON | 0x63bf0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.5722130373169579
RT_ICON | 0x67e18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.6268672199170124
RT_ICON | 0x6a3c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.7218574108818011
RT_ICON | 0x6b468 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.8670212765957447
RT_RCDATA | 0x6b8d0 | 0x6 | data | | | 2.3333333333333335
RT_RCDATA | 0x6b8d8 | 0x5 | ASCII text, with no line terminators | | | 2.6
RT_RCDATA | 0x6b8e0 | 0x2 | data | | | 5.0
RT_RCDATA | 0x6b8e4 | 0x3 | ASCII text, with no line terminators | | | 3.6666666666666665
RT_RCDATA | 0x6b8e8 | 0x19 | ASCII text, with no line terminators | | | 1.32
RT_RCDATA | 0x6b904 | 0x32 | data | | | 1.16
RT_RCDATA | 0x6b938 | 0x73 | ASCII text, with no line terminators | | | 0.8695652173913043
RT_RCDATA | 0x6b9ac | 0x35 | ASCII text, with no line terminators | | | 1.1320754716981132
RT_RCDATA | 0x6b9e4 | 0x68 | data | | | 0.875
RT_GROUP_ICON | 0x6ba4c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x6baa8 | 0x2d8 | data | | | 0.4739010989010989
Imports (DLL | Import)
ADVAPI32.DLL | RegCloseKey, RegEnumKeyExA, RegOpenKeyExA, RegQueryValueExA
KERNEL32.dll | CloseHandle, CreateMutexA, CreateProcessA, ExitProcess, FindResourceExA, FormatMessageA, GetCommandLineA, GetCurrentDirectoryA, GetCurrentProcess, GetEnvironmentVariableA, GetExitCodeProcess, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GlobalMemoryStatusEx, LoadResource, LocalFree, LockResource, SetEnvironmentVariableA, SetLastError, SetUnhandledExceptionFilter, WaitForSingleObject
msvcrt.dll | __getmainargs, __p__environ, __p__fmode, __set_app_type, _cexit, _chdir, _close, _findclose, _findfirst, _findnext, _iob, _itoa, _onexit, _open, _read, _setmode, _stat, atexit, atoi, fclose, fopen, fprintf, fwrite, memset, printf, signal, strcat, strchr, strcmp, strcpy, strlen, strncat, strncpy, strpbrk, strrchr, strstr, strtok
SHELL32.DLL | ShellExecuteA
USER32.dll | CreateWindowExA, DispatchMessageA, EnumWindows, FindWindowExA, GetMessageA, GetSystemMetrics, GetWindowLongA, GetWindowRect, GetWindowTextA, GetWindowThreadProcessId, KillTimer, LoadImageA, MessageBoxA, PostQuitMessage, SendMessageA, SetForegroundWindow, SetTimer, SetWindowPos, ShowWindow, TranslateMessage, UpdateWindow
              No network behavior found

              Target ID:0
              Start time:02:36:43
              Start date:25/11/2024
              Path:C:\Users\user\Desktop\HkppfZO2WW.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\HkppfZO2WW.exe" -install
              Imagebase:0x400000
              File size:9'142'400 bytes
              MD5 hash:E8C247A498E6C947AC8FE25CB0374140
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:1
              Start time:02:36:43
              Start date:25/11/2024
              Path:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" -install
              Imagebase:0xed0000
              File size:257'664 bytes
              MD5 hash:6E0F4F812AE02FBCB744A929E74A04B8
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:4
              Start time:02:36:45
              Start date:25/11/2024
              Path:C:\Users\user\Desktop\HkppfZO2WW.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\HkppfZO2WW.exe" /install
              Imagebase:0x400000
              File size:9'142'400 bytes
              MD5 hash:E8C247A498E6C947AC8FE25CB0374140
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:5
              Start time:02:36:45
              Start date:25/11/2024
              Path:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /install
              Imagebase:0xed0000
              File size:257'664 bytes
              MD5 hash:6E0F4F812AE02FBCB744A929E74A04B8
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:6
              Start time:02:36:47
              Start date:25/11/2024
              Path:C:\Users\user\Desktop\HkppfZO2WW.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\HkppfZO2WW.exe" /load
              Imagebase:0x400000
              File size:9'142'400 bytes
              MD5 hash:E8C247A498E6C947AC8FE25CB0374140
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:7
              Start time:02:36:47
              Start date:25/11/2024
              Path:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /load
              Imagebase:0xed0000
              File size:257'664 bytes
              MD5 hash:6E0F4F812AE02FBCB744A929E74A04B8
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

                Execution Graph

                Execution Coverage:18.9%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:36.7%
                Total number of Nodes:739
                Total number of Limit Nodes:7

                Callgraph

                • Executed
                • Not Executed
                • Opacity -> Relevance
                • Disassembly available
                callgraph (rendered call graph of the functions numbered 0 to 69, Function_00402240 through Function_00401BBE, with their call edges; the node and edge data are not reproduced here)
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Modulememset$Handlefprintf$AddressCurrentFileNameProcProcessfopenstrlenstrncpystrrchrstrstr
                • String ID: CmdLine:%s %s$ " :%s$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$(OK)$(n/a)$--l4j-$--l4j-debug$-Xms$-Xmx$-cla$-jar$-jar$1.7.0$:$Add classpath:%s$An error occurred while starting the application.$Args length:%d/32768 chars$Bc@$Bc@$Bundled JRE:%s$C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe$C:\Users\user\Desktop$Check launcher:%s %s$IsWow64Process$Launcher args:%s$Launcher:%s$Set var:%s = %s$WOW64:%s$Working dir:%s$\$``@$bin\java.exe$bin\javaw.exe$ini$j.lo$l4j.$nch4$sspa$th "$true$yes$~`@
                • API String ID: 2968499522-3589992203
                • Opcode ID: 1f20b5c9895d9af463517c6fa9c024e1b337b39d992afbb1f21ae2ed438d1340
                • Instruction ID: 0e89a22367f5d3f2eae708a14e8bb05f6e03d73e7b0ab72636a6b4786490bd8a
                • Opcode Fuzzy Hash: 1f20b5c9895d9af463517c6fa9c024e1b337b39d992afbb1f21ae2ed438d1340
                • Instruction Fuzzy Hash: CAD251B19087048BD714AF25C54026ABBE5EFC4304F05C9BFE5C8A7391DB7C9989DB8A

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph (rendered basic-block graph for the function starting at 0x4013b0; block and edge data are not reproduced here)
                APIs
                  • Part of subcall function 004030C0: memset.MSVCRT ref: 004030EE
                  • Part of subcall function 004030C0: GetModuleHandleA.KERNEL32(?,004013C7), ref: 004030FA
                • strstr.MSVCRT ref: 0040142A
                • CreateWindowExA.USER32 ref: 004014A7
                • strstr.MSVCRT ref: 0040150F
                • LoadImageA.USER32 ref: 0040155E
                  • Part of subcall function 00401BF0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004013DA), ref: 00401BF6
                  • Part of subcall function 00401BF0: MessageBoxA.USER32 ref: 00401C32
                  • Part of subcall function 00401BF0: ShellExecuteA.SHELL32 ref: 00401C7E
                • memset.MSVCRT ref: 004017E1
                • ShowWindow.USER32 ref: 00401808
                • SetForegroundWindow.USER32 ref: 00401813
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Window$memsetstrstr$CreateErrorExecuteForegroundHandleImageLastLoadMessageModuleShellShow
                • String ID: --l4j-dont-wait$--l4j-no-splash$--l4j-no-splash-err$Exit code:%d$STATIC
                • API String ID: 1172715904-121186343
                • Opcode ID: b7e873c6563f926a30741e0d117d4a65a1acbb56b3432b0c167deef810c33fa7
                • Instruction ID: 22f332a72cef92a8da5d6acb595563ebd0f99b3e0e1198dea9edd092bcf45b6f
                • Opcode Fuzzy Hash: b7e873c6563f926a30741e0d117d4a65a1acbb56b3432b0c167deef810c33fa7
                • Instruction Fuzzy Hash: 6FD101B19083018BD714FF2AD54131EBAE5BFC4344F01C93FE989A73A1DB7899459B8A

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph (rendered basic-block graph for the function starting at 0x4013e9; block and edge data are not reproduced here)
                APIs
                  • Part of subcall function 00401EC0: FindResourceExA.KERNEL32 ref: 00401EFB
                  • Part of subcall function 00401EC0: LoadResource.KERNEL32 ref: 00401F14
                  • Part of subcall function 00401EC0: LockResource.KERNEL32 ref: 00401F23
                • strstr.MSVCRT ref: 0040142A
                • CreateWindowExA.USER32 ref: 004014A7
                • strstr.MSVCRT ref: 0040150F
                • LoadImageA.USER32 ref: 0040155E
                • SendMessageA.USER32 ref: 0040158F
                • GetWindowRect.USER32 ref: 004015A4
                • GetSystemMetrics.USER32 ref: 004015B3
                • GetSystemMetrics.USER32 ref: 004015DC
                • SetWindowPos.USER32 ref: 0040162B
                • ShowWindow.USER32 ref: 00401643
                • UpdateWindow.USER32 ref: 00401654
                • SetTimer.USER32 ref: 0040167F
                  • Part of subcall function 004047A0: memset.MSVCRT ref: 004047DE
                  • Part of subcall function 004047A0: strcat.MSVCRT ref: 0040480B
                  • Part of subcall function 004047A0: strlen.MSVCRT ref: 00404813
                  • Part of subcall function 004047A0: strcat.MSVCRT ref: 0040482F
                  • Part of subcall function 004047A0: CreateProcessA.KERNEL32 ref: 00404875
                • GetMessageA.USER32 ref: 004016EC
                • strstr.MSVCRT ref: 00401722
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Window$Resourcestrstr$CreateLoadMessageMetricsSystemstrcat$FindImageLockProcessRectSendShowTimerUpdatememsetstrlen
                • String ID: --l4j-dont-wait$--l4j-no-splash-err$STATIC
                • API String ID: 4182365790-3920415740
                • Opcode ID: d398302fcecea8767c2f4d14e06c24a15f3e1a15badd60b91015d221b8449cc4
                • Instruction ID: ee7b831562b9b24d1f16b922444e8b63d9d8e08211f115b699755232a1a447d7
                • Opcode Fuzzy Hash: d398302fcecea8767c2f4d14e06c24a15f3e1a15badd60b91015d221b8449cc4
                • Instruction Fuzzy Hash: 338103B1A083018FD714EF7AD94131EBBE1BFC4344F05893EE988A7391DB7899458B86

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
                • String ID:
                • API String ID: 3695137517-0
                • Opcode ID: 3549981cb67ff38a295ae9781b7f217a27204a441156aad90a8880d90c2b952a
                • Instruction ID: fab3366932fbaa3ebb4d58be2606cf2eda9a25db2a2b1f6ef0ea82b631d7fdb2
                • Opcode Fuzzy Hash: 3549981cb67ff38a295ae9781b7f217a27204a441156aad90a8880d90c2b952a
                • Instruction Fuzzy Hash: 11211DB49043049FC304EF65E58151E7BF1BF88354F408A7EE694A77A5D778A880CF9A

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph (rendered basic-block graph for the function starting at 0x401e10; block and edge data are not reproduced here)
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$ErrorFindLastLoadLock
                • String ID:
                • API String ID: 1074440638-0
                • Opcode ID: 5656401f9e567967a8485652ef1563bf0e9ef1944012dd97e3ad28967893910f
                • Instruction ID: f588b214a1d680624203c40b2ff752b88374fd5a224907c8dedae4407861157b
                • Opcode Fuzzy Hash: 5656401f9e567967a8485652ef1563bf0e9ef1944012dd97e3ad28967893910f
                • Instruction Fuzzy Hash: E4114FB16047019ADB00AB39C54175BBBE1BB84344F01853AED85A7391D638E905CBD6
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resourcememset$fprintfstrlen$EnvironmentVariable$CurrentFindLoadLockModulestrcpy$AddressCreateDirectoryErrorFileHandleLastMutexNameProcProcessatoifopenstrcatstrchrstrncpystrrchrstrstrstrtok
                • String ID: CmdLine:%s %s$--l4j-debug$1.7.0$An error occurred while starting the application.$C:\Users\user\Desktop$IsWow64Process$WOW64:%s$``@$j.lo$nch4$yes$~`@
                • API String ID: 276419104-4214590570
                • Opcode ID: 2a3f9d9becd6b63c6195d3f3105f1d5613062485fea006847c855bd2f4b45a57
                • Instruction ID: f0a9dd12e9f155100ecc80547f8524881e04b64e39f325f861530ddbe7d78783
                • Opcode Fuzzy Hash: 2a3f9d9becd6b63c6195d3f3105f1d5613062485fea006847c855bd2f4b45a57
                • Instruction Fuzzy Hash: CE811CB09087009BD714AF25C58025EBAE5FFC4744F01C87FE9C8AB391DB7899859F8A

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph (rendered basic-block graph for the function starting at 0x402280; block and edge data are not reproduced here)
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: fprintfstrcmpstrcpy$Enummemsetstrcatstrlen
                • String ID: 1.7.0$1.8.0_381$Ignore:%s\%s$Match:%s$SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_381
                • API String ID: 2366812193-779923612
                • Opcode ID: feb0feb41c432621510d2774921ed4ae6fb30bd5dcd4c6b6128fc8dc5ae5dabe
                • Instruction ID: 9ab0c8db1ba71b2b6d2ba768174804a11d38db5b54a87c79ea0cb8f479a381c0
                • Opcode Fuzzy Hash: feb0feb41c432621510d2774921ed4ae6fb30bd5dcd4c6b6128fc8dc5ae5dabe
                • Instruction Fuzzy Hash: AC411DF0A093049FD754AF69C58065ABBE4FF88314F41C87FEA88A7381D77889459F4A

                Control-flow Graph

                APIs
                • memset.MSVCRT ref: 004047DE
                • strcat.MSVCRT ref: 0040480B
                • strlen.MSVCRT ref: 00404813
                • strcat.MSVCRT ref: 0040482F
                • CreateProcessA.KERNEL32 ref: 00404875
                • WaitForSingleObject.KERNEL32(?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048B2
                • GetExitCodeProcess.KERNEL32 ref: 004048CD
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048E8
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048F9
                • fclose.MSVCRT ref: 0040490D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CloseHandleProcessstrcat$CodeCreateExitObjectSingleWaitfclosememsetstrlen
                • String ID: p@$C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe$D$Exit code:%d
                • API String ID: 1835003254-3076985505
                • Opcode ID: 3242635cd407cc207b4e9632af2587f9fe911d2d8e26333d3a4061cd7df8f18c
                • Instruction ID: 5caefe9559b27fe27b5d30c0e67c063fa4c1d1b371c170d15aebd52dad6435f1
                • Opcode Fuzzy Hash: 3242635cd407cc207b4e9632af2587f9fe911d2d8e26333d3a4061cd7df8f18c
                • Instruction Fuzzy Hash: BB411FB19087048FD710EF69D58111EBBE1BFC4314F01C93EE988A7391DB389959CB9A

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph (rendered basic-block graph for the function starting at 0x402640; block and edge data are not reproduced here)
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CloseOpen$fprintffwrite
                • String ID: JavaHome$SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_381$jre
                • API String ID: 2632948728-210039947
                • Opcode ID: 9364065cee4006aa1e248f2a8bc137236dbc144057ed49c4486b6edb3bc99a87
                • Instruction ID: 13784bda21131abe29e605e60e8874ea15ce2e043269139803be6fc73a734c89
                • Opcode Fuzzy Hash: 9364065cee4006aa1e248f2a8bc137236dbc144057ed49c4486b6edb3bc99a87
                • Instruction Fuzzy Hash: F9516CB59083158BD714AF25C64425ABBE0FF80304F41C97FE9883B3C2C7BD99458B8A

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph (rendered basic-block graph for the function starting at 0x402430; block and edge data are not reproduced here)
                APIs
                • RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,00402715), ref: 00402485
                • fprintf.MSVCRT ref: 004024B5
                • RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,00402715), ref: 004024EE
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00402715), ref: 0040251F
                • fwrite.MSVCRT ref: 0040255E
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00402715), ref: 00402581
                • fprintf.MSVCRT ref: 004025A6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CloseOpenfprintf$fwrite
                • String ID: 32-bit search:%s...$64-bit search:%s...
                • API String ID: 2131660067-1681012534
                • Opcode ID: c9c749f2187168bffb8da3167b872fe2273aff8a064b781ea05361dbc82f9642
                • Instruction ID: db78835e4e37dc56512bf58087c2aef207271a2ad5982ab85f3d843889212adc
                • Opcode Fuzzy Hash: c9c749f2187168bffb8da3167b872fe2273aff8a064b781ea05361dbc82f9642
                • Instruction Fuzzy Hash: 6741FBB09083159BC700EF65D68525EFBF4FF88304F11887EE888A7391D778E9458B46

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: _setmode$ExitProcess__p__environ__p__fmode_cexit
                • String ID:
                • API String ID: 2747451157-0
                • Opcode ID: 612ea18759bad0b7cbd0a5ec3d2df94d679dbe7011e7526947487d00c96e5d27
                • Instruction ID: d94ddfb0904ed1d1b1fcd9f17775da174976b76cb98335a262b590a7c617f90a
                • Opcode Fuzzy Hash: 612ea18759bad0b7cbd0a5ec3d2df94d679dbe7011e7526947487d00c96e5d27
                • Instruction Fuzzy Hash: CF11E8B4604700DFC304EF65E5C541A77B1BFC8314B108A7EE694A77A6CB78A880CB89

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph (rendered basic-block graph for the function starting at 0x404940; block and edge data are not reproduced here)
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CommandHandleInfoLineModuleStartup
                • String ID:
                • API String ID: 1628297973-0
                • Opcode ID: caeae535246a066ec4027968bdff7b90be6b14e88b81f7980858a74c74548f5b
                • Instruction ID: a5db5900d75afb6c5168a722f043656c093b3c7bcdd2ff3413d71d09629adc29
                • Opcode Fuzzy Hash: caeae535246a066ec4027968bdff7b90be6b14e88b81f7980858a74c74548f5b
                • Instruction Fuzzy Hash: E2214CF67047054BDB14A67694E23ABBBD77FC0344F89813AC781322C3E23C5A91565A

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph (rendered basic-block graph for the function starting at 0x4049cc; block and edge data are not reproduced here)
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 640ac14f03c0242051221d45c1bfb32813a6530bddfb4f1dd95e636b1bdeabfb
                • Instruction ID: 5d636c514429e280118d9dbd7938b1e1d94385514683ffc3c512b9d4b85b8e02
                • Instruction Fuzzy Hash: E5F0F4F1A087054BDB149B39919139BBBE2AF80344F44C43EDA86332C2E23C59918E06

                Control-flow Graph: basic blocks 4049fe-404a51, calling GetModuleHandleA and 4013b0 (rendered graph omitted)
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: be7efde4b0b02bdb2840ff36021931a74c2a51f0cb252b5f7cb9762ef76da80f
                • Instruction ID: 25b03b7247f52adc190129cc9a2441f77ae864ffa51203875fe0df8adb52ff07
                • Instruction Fuzzy Hash: 91F0A0B2A083544ADB04AF7AC18136EFFE1AF84398F44C46DDA84226D2D27C85408F56

                Control-flow Graph: basic blocks 401290-4012a9, calling __set_app_type and 401150 (rendered graph omitted)
                APIs
                • __set_app_type.MSVCRT ref: 0040129D
                  • Part of subcall function 00401150: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,004012A8), ref: 00401161
                  • Part of subcall function 00401150: __getmainargs.MSVCRT ref: 0040119A
                  • Part of subcall function 00401150: _setmode.MSVCRT ref: 004011D5
                  • Part of subcall function 00401150: _setmode.MSVCRT ref: 004011FB
                  • Part of subcall function 00401150: __p__fmode.MSVCRT ref: 00401200
                  • Part of subcall function 00401150: __p__environ.MSVCRT ref: 00401215
                  • Part of subcall function 00401150: _cexit.MSVCRT ref: 00401239
                  • Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401241
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode__set_app_type_cexit
                • String ID:
                • API String ID: 250851222-0
                • Opcode ID: 07d231db7de6fe80658fabe20cc0a2b477427057892decb2133d087f286a5da2
                • Instruction ID: ee6e0f434122d3ee92d33c208706bcb836196eff62b72ac1d1d53b2e3b1dd9b5
                • Instruction Fuzzy Hash: D8C09B3444521497C3103BB5DC0E359BBE86B05301F51443DD5C567261D7743C454796
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Messageprintf$ErrorExecuteFormatFreeLastLocalShellfclosestrcat
                • String ID: An error occurred while starting the application.$Error:%s$Open URL:%s$open
                • API String ID: 519069059-3584283646
                • Opcode ID: d50ecb3a0fe696158464c957faeb54865f91f7cff6ca1c14cdd2f225c6ce74fd
                • Instruction ID: 5a562d4ed0a2dbc2a1e4330f613c05cbce52b9a6d063ec7aa8dcb6c58c2de855
                • Instruction Fuzzy Hash: 04511AB0A087009BD358EF69D55121BBAE1EFC4304F10CC3FA589A77A4D73DD9459B8A

                Control-flow Graph: basic blocks 402a30-402cc0, calling 404ba0, strchr, strcat, strncat, strlen, GetCurrentDirectoryA, fprintf, strstr, GetEnvironmentVariableA and 402060 (rendered graph omitted)
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: strcat$strncat$strchr$CurrentDirectoryEnvironmentVariablefprintfstrlenstrstr
                • String ID: C:\Users\user\Desktop$EXEDIR$EXEFILE$HKEY$OLDPWD$PWD$Substitute:%s = %s
                • API String ID: 1816310627-1435958981
                • Opcode ID: 557825d837c7bee13b9dcc2b9774faa3785b3bb199ed70112449aa9433a5436a
                • Instruction ID: a3250f9e5731c696cfa46b821dc8bafca942bd9f0803d40a23b6cf00076f12fd
                • Instruction Fuzzy Hash: FF6140709047059BCB54EF25C98435ABBF1FF84314F01C87EE98C67381CB78A9859B96

                Control-flow Graph: basic blocks 402cd0-402f64, calling FindResourceExA, SetLastError, LoadResource, LockResource, atoi, 404bd0, fprintf, strcat, strlen and _itoa (rendered graph omitted)
                Strings
                • -Xmx, xrefs: 00402CDC
                • Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB, xrefs: 00402F23
                • Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB, xrefs: 00402EF5
                • -Xms, xrefs: 00402CD5
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$ErrorFindLastLoadLockatoifprintfstrlen$_itoastrcat
                • String ID: -Xms$-Xmx$Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB$Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB
                • API String ID: 636361558-2330190027
                • Opcode ID: 49bac7fe6f19ca0f5bd07a777ba95da00ba2692b1f2fcb73d42c15d88026703e
                • Instruction ID: 9aecac28fc5dbd291391d4754e14ca6bb2a3230fcdd307f80071577cc15113ea
                • Instruction Fuzzy Hash: E87160B19083158BDB14EF29D58526EBBF1BFC8344F01843FE988AB391D7789805DB96
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: strstr$Open$CloseQueryValuestrchrstrrchr
                • String ID: HKEY$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS
                • API String ID: 356245303-4236897492
                • Opcode ID: 5c2711ff94cca963458cf507547e09b59df7b2f0a65b0f2675fb1cf67cf2534b
                • Instruction ID: 7b57610d86410dffa4a0aa1252a1797adbc7715624c0aad137216de424c346f3
                • Instruction Fuzzy Hash: B44140B19083119FDB00EF69D58555EFBE0BF84314F05C83FEA98A7381D77989489B86
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: strlen$_statfprintfstrcatstrcpy
                • String ID: (OK)$(n/a)$Check launcher:%s %s$bin\java.exe$bin\javaw.exe
                • API String ID: 882030775-291028976
                • Opcode ID: 3a737aaa2f9c364d49fc00a44d18b990e604c09d1433cb05d02c114c702a0f6e
                • Instruction ID: 8018404b5ef50dabb5b93d2653235a7c06d24b677d78717b0f5c7ccaf4d26fd7
                • Instruction Fuzzy Hash: 2C1145B0A083449FD720AF6995C566ABAE0BF84304F05C47FA589A73D1DB7C88449B4A
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: AddressCurrentHandleModuleProcProcessfprintf
                • String ID: IsWow64Process$WOW64:%s$yes$~`@
                • API String ID: 24026888-71265849
                • Opcode ID: 51305618214c0ba30116f8fc18af47c9d8f331261b948467b54d85ac15f00ac4
                • Instruction ID: 11b031cada2c8f52232e6b9cc39170e82d59abd8a686cc32ef86a0f2d0e1404c
                • Instruction Fuzzy Hash: D601FBB0A043049BCB10FF75D68551A7AF4AF84344F01C43EAA89BB795E778E8158B9A
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: AddressCurrentHandleModuleProcProcessfprintf
                • String ID: IsWow64Process$WOW64:%s$yes$~`@
                • API String ID: 24026888-71265849
                • Opcode ID: 4888365b0b4b81b55560ce55fcae3362c7a4aa79adf2c55a673206aa49c2d4ca
                • Instruction ID: d525f3c9823b811787ccd3d125d57a95285788dfaaa60455273fc0be7c930dab
                • Instruction Fuzzy Hash: ABF031B0A043048BC700FF75D68551A7AF4AF84344F01C43EEA85BB7D5E778E814879A
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: fopenmemsetstrlenstrncpy
                • String ID: ``@$j.lo$nch4
                • API String ID: 80595551-9945926
                • Opcode ID: 9a4ff01140eb6cd6d2ff592d0c9a1b43f0a674710d240b7d889367cb50cbc086
                • Instruction ID: 1e0e73c0bc485388541f9261c06b4dd11082136fe696d302e2fbee76c2dd3950
                • Instruction Fuzzy Hash: 6B01F6F0D083049BC724AF29D4C155DBBE0FF84308F42C83EB99C9B352DA3888949B96
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: KillMessagePostQuitTimer$CodeEnumExitProcessShowWindowWindows
                • String ID:
                • API String ID: 1905518172-0
                • Opcode ID: 908e1c4a2d6816fdb463079a13a016f6fa06e961dc5782ddf8e03a78c551d5c2
                • Instruction ID: 2407081703d323812a7a2ee4af166e89deffda79c1e67c6e6d523c687404f7b2
                • Instruction Fuzzy Hash: 782162B06082058BD314FF39D65131B36E1BBC0384F00893EE985B73A5DB38D848DB9A
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: signal
                • String ID:
                • API String ID: 1946981877-0
                • Opcode ID: 0d913dcc96c4dc2ce39cf1c73b3c4cd3388d7077edd27571fed9032662073fd7
                • Instruction ID: 026972816123a001b062272259e12c6676799cf41c40ad00ae128651dbc386b1
                • Instruction Fuzzy Hash: FF3121B0A082409BD724AF69C58032EB6A0BF89314F15897FD9C5E77E1C67E8DC0975A
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$atoi$ErrorFindLastLoadLock
                • String ID:
                • API String ID: 3704303549-0
                • Opcode ID: 8917aa49ca170ea9424a4871177909678324a0128281268087337ba5d4e2214c
                • Instruction ID: d2e30d868b6ce554d07eddf99e8fb6c9642cdc6314cd9da99df76be242991cc3
                • Instruction Fuzzy Hash: 5B117FB15047058BDB10BF39D54136EBBE1BFC4348F06853EDA88A7291D678E906CB86
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: EnvironmentVariablestrlen$memsetstrcat
                • String ID:
                • API String ID: 2108680700-0
                • Opcode ID: 1aeff4ed8d99c1ae33423b22697d7e36fe73b048e479dcd255a7cf66a70f4411
                • Instruction ID: 86b5df9b3431fb8133a4f6ed8904d7532b204288b27cc5577f69cc4901c0064d
                • Instruction Fuzzy Hash: 6F1126B1D086089BCB00BFA9C04005DFBF5EF88314F1284BEE988A7351DB386A419B86
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: strcatstrlen
                • String ID: bin\java.exe$bin\javaw.exe
                • API String ID: 1179760717-2770878578
                • Opcode ID: 854bfbc186050e28c01aca1e52af11a5c6d2265732dea4351e5e53cdbfa1f743
                • Instruction ID: c625f8ff6eb4937acacc3d066b804341fc1bdd91dfaabe361e5825c854feadc3
                • Instruction Fuzzy Hash: 6AF0C8B1C083409FD7217F65A8C461A7BD0AF40304F06847ED1481B393DB798454975A
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$ErrorFindLastLoadLock
                • String ID: true
                • API String ID: 1074440638-4261170317
                • Opcode ID: fa88095351f1cf649c4e0f59975f4c8608c77ca3866356f65f7bb502d8a741c9
                • Instruction ID: 720aba9a36caa5c46db755dcfa968833f6afea8c066c512ca53f753ba12c794b
                • Instruction Fuzzy Hash: F72108B2A043155ADB10AB39E94036ABBE5FBC0350F01857FEE84A3380E7399619C796
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: FormatFreeLocalMessagefprintfprintfstrcat
                • String ID: An error occurred while starting the application.
                • API String ID: 3558087145-2110520379
                • Opcode ID: 0309dab1ae88623b91bd0ca979ed66dc958a41dd0f1e69883467f3f5c59eb028
                • Instruction ID: 897b2e7710a6a7b3f267c2baffa0a05fecd79613af50bb048a3b26d972268dd0
                • Instruction Fuzzy Hash: 612177B1A086009BD318EF28C50021B77E2EF94304F04C83EE489A77A5D73DE9498B8A
                APIs
                • memset.MSVCRT ref: 004012F4
                  • Part of subcall function 00401E10: FindResourceExA.KERNEL32(?,?,00405010), ref: 00401E3C
                  • Part of subcall function 00401E10: LoadResource.KERNEL32 ref: 00401E55
                  • Part of subcall function 00401E10: LockResource.KERNEL32 ref: 00401E64
                • FindWindowExA.USER32 ref: 0040132A
                • GetWindowTextA.USER32 ref: 00401350
                • strstr.MSVCRT ref: 0040135F
                • FindWindowExA.USER32 ref: 0040137F
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: FindResourceWindow$LoadLockTextmemsetstrstr
                • String ID:
                • API String ID: 1871962372-0
                • Opcode ID: 68f9b9fe8e26284ea4466cd7be2fd0a699b70c6e89954b03eac0d4cd0079519f
                • Instruction ID: 2c743d1d3da27c05cd938fc0b836d91f0b76d418a83aa4d99297ae1c1db7ab18
                • Instruction Fuzzy Hash: 7F215EB2A083005BD714BF6AD54125EFBE4EFC4354F01C83FEA88D3691E63885458B86
                APIs
                • WaitForSingleObject.KERNEL32(?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048B2
                • GetExitCodeProcess.KERNEL32 ref: 004048CD
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048E8
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048F9
                • fclose.MSVCRT ref: 0040490D
                • fprintf.MSVCRT ref: 0040492D
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CloseHandle$CodeExitObjectProcessSingleWaitfclosefprintf
                • String ID:
                • API String ID: 1585231095-0
                • Opcode ID: ba37172a1753ab43741c320a5b96a6367dc65ef8d5e99b837736b0aa74c96b18
                • Instruction ID: eb652ffc412eefeed0e718282237602074e50451812d2df90e84619bac2913a3
                • Opcode Fuzzy Hash: ba37172a1753ab43741c320a5b96a6367dc65ef8d5e99b837736b0aa74c96b18
                • Instruction Fuzzy Hash: 850121B59046048BE710FF79E98245EB7B1BBC4314F01893EDD8467691EA3498198B86
                APIs
                • GlobalMemoryStatusEx.KERNEL32 ref: 00402F87
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402D1B
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402D38
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402D47
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402D6F
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402DAB
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402DC8
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402DD7
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402DFF
                  • Part of subcall function 00402CD0: strcat.MSVCRT(?), ref: 00402E95
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402E9D
                  • Part of subcall function 00402CD0: _itoa.MSVCRT ref: 00402EB4
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402EBC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$FindLoadLockatoistrlen$GlobalMemoryStatus_itoastrcat
                • String ID: -Xms$-Xmx$@
                • API String ID: 3228920701-2676391021
                • Opcode ID: 1ee8ed68ac0c068930fb015abfc5e24d0c88b4e77e9116532bd67e932936c618
                • Instruction ID: 83f1aa44919a4c99108a5316738b6ebc3d89b658feaab29e7295632cd6d8abda
                • Opcode Fuzzy Hash: 1ee8ed68ac0c068930fb015abfc5e24d0c88b4e77e9116532bd67e932936c618
                • Instruction Fuzzy Hash: 890192B0A097099FDB04EF69D18055EBBF1EF88304F10C82EE589AB380D778D9459B86
                APIs
                • GlobalMemoryStatusEx.KERNEL32 ref: 00402F87
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402D1B
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402D38
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402D47
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402D6F
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402DAB
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402DC8
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402DD7
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402DFF
                  • Part of subcall function 00402CD0: strcat.MSVCRT(?), ref: 00402E95
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402E9D
                  • Part of subcall function 00402CD0: _itoa.MSVCRT ref: 00402EB4
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402EBC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$FindLoadLockatoistrlen$GlobalMemoryStatus_itoastrcat
                • String ID: -Xms$-Xmx$@
                • API String ID: 3228920701-2676391021
                • Opcode ID: 3d5dd6a6b33f9c710683a0e9a068311a38a7e96d1987d357962a79e933fbc725
                • Instruction ID: 6e677b9b8fabcb62c193d886980ddecd66842c0ac049963db457ddd5af3e35c3
                • Opcode Fuzzy Hash: 3d5dd6a6b33f9c710683a0e9a068311a38a7e96d1987d357962a79e933fbc725
                • Instruction Fuzzy Hash: FF0193B0A093099FD704EF69D18055EBBF1EF88304F10C83EE589AB380D778D9459B86
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: _statfprintfstrcatstrcpystrlen
                • String ID: (OK)$(n/a)$Check launcher:%s %s
                • API String ID: 619758015-4217937889
                • Opcode ID: 8e35bfdefc2d965162e0c46b7f7b8511bec3a04771cfdae5fb4af482349bacc5
                • Instruction ID: fa1afa973b0b716c6a45a6db043711451785159eaff392967d20973c2505f891
                • Opcode Fuzzy Hash: 8e35bfdefc2d965162e0c46b7f7b8511bec3a04771cfdae5fb4af482349bacc5
                • Instruction Fuzzy Hash: C3F05EB0A043085FDB109E59E980766B7E4FB84314F01C47EE94CA7380D778A8548B89
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2165632316.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2165473208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165752910.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2165829187.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CodeEnumExitKillMessagePostProcessQuitTimerWindows
                • String ID:
                • API String ID: 405088690-0
                • Opcode ID: 4f729626180ff1f826cd159275eaebbc8f8a505249547bf250ab6daea0a3e3ed
                • Instruction ID: 5dfb1647a7b45fe9d990e1e5a37a50df87d11f83294e09497229981203e6544d
                • Opcode Fuzzy Hash: 4f729626180ff1f826cd159275eaebbc8f8a505249547bf250ab6daea0a3e3ed
                • Instruction Fuzzy Hash: 83F0D0B59083008AD314BF34D6462197AE0BB84344F018A3ED9C5637D5D7789558DB9B

                Execution Graph

                Execution Coverage:18.9%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:0%
                Total number of Nodes:739
                Total number of Limit Nodes:7
calls 1981->1984 1983 402430 18 API calls 1982->1983 1985 402612 1982->1985 1983->1985 1984->1982 1986 402ff9 1987 404ba0 1986->1987 1988 40300d memset GetEnvironmentVariableA strlen 1987->1988 1989 403076 strlen strcat SetEnvironmentVariableA 1988->1989 1990 403067 1988->1990 1991 401afc 1992 401b00 GetModuleHandleA GetProcAddress 1991->1992 1993 401b30 GetCurrentProcess 1992->1993 1994 401b43 1992->1994 1993->1994 1995 401b78 1994->1995 1996 401b63 fprintf 1994->1996 1996->1995 1997 401a3c 1998 401a40 EnumWindows 1997->1998 1999 401960 GetExitCodeProcess 1998->1999 2000 401986 KillTimer PostQuitMessage 1999->2000 2001 4019b3 1999->2001 2002 4019af 2000->2002 2001->2000 2001->2002 2003 40223c 2004 402240 strlen 2003->2004 2005 402261 2004->2005 2006 401cbc 2007 401cc0 FormatMessageA 2006->2007 2008 401da3 fprintf 2007->2008 2009 401d03 strcat 2007->2009 2008->2009 2011 401d72 printf 2009->2011 2012 401ddf MessageBoxA 2009->2012 2013 401d90 LocalFree 2011->2013 2012->2013 2020 401bbe 2021 401bc0 MessageBoxA 2020->2021

                Callgraph

                callgraph 0 Function_00402240 1 Function_004030C0 3 Function_00402640 1->3 15 Function_00402CD0 1->15 42 Function_00401E10 1->42 51 Function_00404BA0 1->51 58 Function_00402A30 1->58 2 Function_00404940 2->51 56 Function_004013B0 2->56 57 Function_00404B30 2->57 55 Function_00402430 3->55 4 Function_00401EC0 5 Function_00402945 6 Function_00402CC5 7 Function_00401149 8 Function_00404AC9 60 Function_004012B0 8->60 9 Function_0040124A 9->2 20 Function_00404A60 9->20 10 Function_004049CC 10->56 11 Function_00402950 12 Function_00404AD0 12->60 13 Function_00401150 13->2 13->20 41 Function_00404A90 13->41 14 Function_00404BD0 15->14 16 Function_004012D0 16->42 17 Function_00402055 18 Function_00404760 19 Function_00402060 21 Function_00401A60 22 Function_00401AE0 23 Function_004021E1 24 Function_00401269 24->13 25 Function_004013E9 25->4 25->18 29 Function_00401BF0 25->29 25->42 50 Function_004047A0 25->50 26 Function_00402F6C 26->15 27 Function_00401270 27->13 28 Function_00402F70 28->15 30 Function_00402FF9 30->51 31 Function_0040227C 32 Function_00401AFC 33 Function_004049FE 33->56 34 Function_00401B00 35 Function_00402280 36 Function_00401000 36->41 37 Function_00401B80 38 Function_00401E09 39 Function_0040290C 40 Function_00402910 43 Function_00401290 43->13 44 Function_00401B90 45 Function_00401F95 46 Function_00404C19 47 Function_0040311C 47->3 47->15 47->42 47->58 48 Function_0040479C 49 Function_0040489E 50->51 52 Function_004028A0 53 Function_00404AA0 54 Function_00404B29 55->35 56->1 56->4 56->18 56->22 56->29 56->42 56->50 57->60 58->19 58->51 59 Function_00401930 59->29 61 Function_004018B0 62 Function_004025B0 62->55 63 Function_00401EB7 64 Function_00401A3C 65 Function_0040223C 66 Function_004012BC 67 Function_00401CBC 68 Function_0040263E 69 Function_00401BBE
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Modulememset$Handlefprintf$AddressCurrentFileNameProcProcessfopenstrlenstrncpystrrchrstrstr
                • String ID: CmdLine:%s %s$ " :%s$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$(OK)$(n/a)$--l4j-$--l4j-debug$-Xms$-Xmx$-cla$-jar$-jar$1.7.0$:$Add classpath:%s$An error occurred while starting the application.$Args length:%d/32768 chars$Bc@$Bc@$Bundled JRE:%s$C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe$C:\Users\user\Desktop$Check launcher:%s %s$IsWow64Process$Launcher args:%s$Launcher:%s$Set var:%s = %s$WOW64:%s$Working dir:%s$\$``@$bin\java.exe$bin\javaw.exe$ini$j.lo$l4j.$nch4$sspa$th "$true$yes$~`@
                • API String ID: 2968499522-3589992203
                • Opcode ID: 1f20b5c9895d9af463517c6fa9c024e1b337b39d992afbb1f21ae2ed438d1340
                • Instruction ID: 0e89a22367f5d3f2eae708a14e8bb05f6e03d73e7b0ab72636a6b4786490bd8a
                • Opcode Fuzzy Hash: 1f20b5c9895d9af463517c6fa9c024e1b337b39d992afbb1f21ae2ed438d1340
                • Instruction Fuzzy Hash: CAD251B19087048BD714AF25C54026ABBE5EFC4304F05C9BFE5C8A7391DB7C9989DB8A

                Control-flow Graph

                control_flow_graph 285 4013b0-4013cc call 4030c0 288 4013d2-4013d3 285->288 289 4017c9-4017f8 memset call 401e10 285->289 290 4013f0-401400 call 401ec0 288->290 291 4013d5-4013da call 401bf0 288->291 296 40182a-40184f FindWindowExA 289->296 297 4017fa 289->297 302 401716-401729 strstr 290->302 303 401406-40141c call 401ec0 290->303 304 4013df-4013e6 291->304 296->297 301 401851 296->301 300 4017fc-401820 ShowWindow SetForegroundWindow call 401ae0 297->300 300->296 307 401857-40187d GetWindowTextA strstr 301->307 302->303 305 40172f-401734 302->305 313 401437-401444 303->313 314 40141e-401431 strstr 303->314 304->290 305->303 307->300 310 401883-4018a6 FindWindowExA 307->310 310->307 312 4018a8 310->312 312->297 316 401446-401448 313->316 317 40144e-4014bc CreateWindowExA 313->317 314->313 315 40178e-401793 314->315 315->313 316->317 318 40168f-401696 call 4047a0 316->318 319 401661-401689 SetTimer 317->319 320 4014c2-4014eb call 401e10 317->320 323 40169b-40169c 318->323 319->291 319->318 326 4014f1-401501 call 401ec0 320->326 327 40176b-40177c atoi 320->327 323->291 325 4016a2-4016a9 323->325 328 4016b9-4016bf 325->328 329 4016ab-4016b3 325->329 340 401503-401516 strstr 326->340 341 40151d-401568 call 401ec0 LoadImageA 326->341 331 401798 327->331 332 40177e-401783 327->332 334 4016d7-4016f6 GetMessageA 328->334 329->328 333 401739-401740 329->333 336 4017a2-4017c4 fwrite 331->336 332->315 333->336 337 401742-401749 call 404760 333->337 338 4016c1-4016d4 TranslateMessage DispatchMessageA 334->338 339 4016f8-401700 334->339 336->337 337->304 338->334 343 401702-401713 call 404760 339->343 344 40174e-401769 fprintf 339->344 340->341 345 401518 340->345 341->291 351 40156e-40165e SendMessageA GetWindowRect GetSystemMetrics * 2 SetWindowPos ShowWindow UpdateWindow 341->351 344->343 345->341 351->319
                APIs
                  • Part of subcall function 004030C0: memset.MSVCRT ref: 004030EE
                  • Part of subcall function 004030C0: GetModuleHandleA.KERNEL32(?,004013C7), ref: 004030FA
                • strstr.MSVCRT ref: 0040142A
                • CreateWindowExA.USER32 ref: 004014A7
                • strstr.MSVCRT ref: 0040150F
                • LoadImageA.USER32 ref: 0040155E
                  • Part of subcall function 00401BF0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004013DA), ref: 00401BF6
                  • Part of subcall function 00401BF0: MessageBoxA.USER32 ref: 00401C32
                  • Part of subcall function 00401BF0: ShellExecuteA.SHELL32 ref: 00401C7E
                • memset.MSVCRT ref: 004017E1
                • ShowWindow.USER32 ref: 00401808
                • SetForegroundWindow.USER32 ref: 00401813
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Window$memsetstrstr$CreateErrorExecuteForegroundHandleImageLastLoadMessageModuleShellShow
                • String ID: --l4j-dont-wait$--l4j-no-splash$--l4j-no-splash-err$Exit code:%d$STATIC
                • API String ID: 1172715904-121186343
                • Opcode ID: b7e873c6563f926a30741e0d117d4a65a1acbb56b3432b0c167deef810c33fa7
                • Instruction ID: 22f332a72cef92a8da5d6acb595563ebd0f99b3e0e1198dea9edd092bcf45b6f
                • Opcode Fuzzy Hash: b7e873c6563f926a30741e0d117d4a65a1acbb56b3432b0c167deef810c33fa7
                • Instruction Fuzzy Hash: 6FD101B19083018BD714FF2AD54131EBAE5BFC4344F01C93FE989A73A1DB7899459B8A

                Control-flow Graph

                control_flow_graph 635 4013e9 636 4013f0-401400 call 401ec0 635->636 639 401716-401729 strstr 636->639 640 401406-40141c call 401ec0 636->640 639->640 641 40172f-401734 639->641 644 401437-401444 640->644 645 40141e-401431 strstr 640->645 641->640 647 401446-401448 644->647 648 40144e-4014bc CreateWindowExA 644->648 645->644 646 40178e-401793 645->646 646->644 647->648 649 40168f-40169c call 4047a0 647->649 650 401661-401689 SetTimer 648->650 651 4014c2-4014eb call 401e10 648->651 652 4013d5-4013da call 401bf0 649->652 658 4016a2-4016a9 649->658 650->649 650->652 659 4014f1-401501 call 401ec0 651->659 660 40176b-40177c atoi 651->660 667 4013df-4013e6 652->667 662 4016b9-4016bf 658->662 663 4016ab-4016b3 658->663 675 401503-401516 strstr 659->675 676 40151d-401568 call 401ec0 LoadImageA 659->676 665 401798 660->665 666 40177e-401783 660->666 669 4016d7-4016f6 GetMessageA 662->669 663->662 668 401739-401740 663->668 671 4017a2-4017c4 fwrite 665->671 666->646 667->636 668->671 672 401742-401749 call 404760 668->672 673 4016c1-4016d4 TranslateMessage DispatchMessageA 669->673 674 4016f8-401700 669->674 671->672 672->667 673->669 678 401702-401713 call 404760 674->678 679 40174e-401769 fprintf 674->679 675->676 680 401518 675->680 676->652 686 40156e-40165e SendMessageA GetWindowRect GetSystemMetrics * 2 SetWindowPos ShowWindow UpdateWindow 676->686 679->678 680->676 686->650
                APIs
                  • Part of subcall function 00401EC0: FindResourceExA.KERNEL32 ref: 00401EFB
                  • Part of subcall function 00401EC0: LoadResource.KERNEL32 ref: 00401F14
                  • Part of subcall function 00401EC0: LockResource.KERNEL32 ref: 00401F23
                • strstr.MSVCRT ref: 0040142A
                • CreateWindowExA.USER32 ref: 004014A7
                • strstr.MSVCRT ref: 0040150F
                • LoadImageA.USER32 ref: 0040155E
                • SendMessageA.USER32 ref: 0040158F
                • GetWindowRect.USER32 ref: 004015A4
                • GetSystemMetrics.USER32 ref: 004015B3
                • GetSystemMetrics.USER32 ref: 004015DC
                • SetWindowPos.USER32 ref: 0040162B
                • ShowWindow.USER32 ref: 00401643
                • UpdateWindow.USER32 ref: 00401654
                • SetTimer.USER32 ref: 0040167F
                  • Part of subcall function 004047A0: memset.MSVCRT ref: 004047DE
                  • Part of subcall function 004047A0: strcat.MSVCRT ref: 0040480B
                  • Part of subcall function 004047A0: strlen.MSVCRT ref: 00404813
                  • Part of subcall function 004047A0: strcat.MSVCRT ref: 0040482F
                  • Part of subcall function 004047A0: CreateProcessA.KERNEL32 ref: 00404875
                • GetMessageA.USER32 ref: 004016EC
                • strstr.MSVCRT ref: 00401722
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Window$Resourcestrstr$CreateLoadMessageMetricsSystemstrcat$FindImageLockProcessRectSendShowTimerUpdatememsetstrlen
                • String ID: --l4j-dont-wait$--l4j-no-splash-err$STATIC
                • API String ID: 4182365790-3920415740
                • Opcode ID: d398302fcecea8767c2f4d14e06c24a15f3e1a15badd60b91015d221b8449cc4
                • Instruction ID: ee7b831562b9b24d1f16b922444e8b63d9d8e08211f115b699755232a1a447d7
                • Opcode Fuzzy Hash: d398302fcecea8767c2f4d14e06c24a15f3e1a15badd60b91015d221b8449cc4
                • Instruction Fuzzy Hash: 338103B1A083018FD714EF7AD94131EBBE1BFC4344F05893EE988A7391DB7899458B86

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
                • String ID:
                • API String ID: 3695137517-0
                • Opcode ID: 3549981cb67ff38a295ae9781b7f217a27204a441156aad90a8880d90c2b952a
                • Instruction ID: fab3366932fbaa3ebb4d58be2606cf2eda9a25db2a2b1f6ef0ea82b631d7fdb2
                • Opcode Fuzzy Hash: 3549981cb67ff38a295ae9781b7f217a27204a441156aad90a8880d90c2b952a
                • Instruction Fuzzy Hash: 11211DB49043049FC304EF65E58151E7BF1BF88354F408A7EE694A77A5D778A880CF9A
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resourcememset$fprintfstrlen$EnvironmentVariable$CurrentFindLoadLockModulestrcpy$AddressCreateDirectoryErrorFileHandleLastMutexNameProcProcessatoifopenstrcatstrchrstrncpystrrchrstrstrstrtok
                • String ID: CmdLine:%s %s$--l4j-debug$1.7.0$An error occurred while starting the application.$C:\Users\user\Desktop$IsWow64Process$WOW64:%s$``@$j.lo$nch4$yes$~`@
                • API String ID: 276419104-4214590570
                • Opcode ID: 2a3f9d9becd6b63c6195d3f3105f1d5613062485fea006847c855bd2f4b45a57
                • Instruction ID: f0a9dd12e9f155100ecc80547f8524881e04b64e39f325f861530ddbe7d78783
                • Opcode Fuzzy Hash: 2a3f9d9becd6b63c6195d3f3105f1d5613062485fea006847c855bd2f4b45a57
                • Instruction Fuzzy Hash: CE811CB09087009BD714AF25C58025EBAE5FFC4744F01C87FE9C8AB391DB7899859F8A

                Control-flow Graph

                control_flow_graph 687 402280-4022ce memset 688 4022fd-402339 RegEnumKeyExA 687->688 689 402427-40242e 688->689 690 40233f-402352 strcmp 688->690 691 402354-40235b 690->691 692 4022e5-4022ec 690->692 695 4022d0-4022e3 strcmp 691->695 696 402361-402374 strcmp 691->696 693 4022f2-4022f7 692->693 694 402406-40241d fprintf 692->694 693->688 694->689 695->692 695->696 696->692 697 40237a-4023b0 strcpy * 2 strlen 696->697 698 4023b2-4023b7 697->698 699 4023be-4023e1 strcat 697->699 698->699 699->693 700 4023e7-402401 fprintf 699->700 700->693
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: fprintfstrcmpstrcpy$Enummemsetstrcatstrlen
                • String ID: 1.7.0$1.8.0_381$Ignore:%s\%s$Match:%s$SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_381
                • API String ID: 2366812193-779923612
                • Opcode ID: feb0feb41c432621510d2774921ed4ae6fb30bd5dcd4c6b6128fc8dc5ae5dabe
                • Instruction ID: 9ab0c8db1ba71b2b6d2ba768174804a11d38db5b54a87c79ea0cb8f479a381c0
                • Opcode Fuzzy Hash: feb0feb41c432621510d2774921ed4ae6fb30bd5dcd4c6b6128fc8dc5ae5dabe
                • Instruction Fuzzy Hash: AC411DF0A093049FD754AF69C58065ABBE4FF88314F41C87FEA88A7381D77889459F4A

                Control-flow Graph

                APIs
                • memset.MSVCRT ref: 004047DE
                • strcat.MSVCRT ref: 0040480B
                • strlen.MSVCRT ref: 00404813
                • strcat.MSVCRT ref: 0040482F
                • CreateProcessA.KERNEL32 ref: 00404875
                • WaitForSingleObject.KERNEL32(?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048B2
                • GetExitCodeProcess.KERNEL32 ref: 004048CD
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048E8
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048F9
                • fclose.MSVCRT ref: 0040490D
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CloseHandleProcessstrcat$CodeCreateExitObjectSingleWaitfclosememsetstrlen
                • String ID: p@$C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe$D$Exit code:%d
                • API String ID: 1835003254-3076985505
                • Opcode ID: 3242635cd407cc207b4e9632af2587f9fe911d2d8e26333d3a4061cd7df8f18c
                • Instruction ID: 5caefe9559b27fe27b5d30c0e67c063fa4c1d1b371c170d15aebd52dad6435f1
                • Opcode Fuzzy Hash: 3242635cd407cc207b4e9632af2587f9fe911d2d8e26333d3a4061cd7df8f18c
                • Instruction Fuzzy Hash: BB411FB19087048FD710EF69D58111EBBE1BFC4314F01C93EE988A7391DB389959CB9A

                Control-flow Graph

                control_flow_graph 711 402640-402658 712 402700-402717 call 402430 711->712 713 40265e-402676 call 402430 711->713 718 402690-402698 712->718 719 40271d-40272d call 402430 712->719 713->718 720 402678-40268d call 402430 713->720 721 402760-40279a RegOpenKeyExA 718->721 722 40269e-4026a1 718->722 729 402732 719->729 720->718 727 4026f0-4026f9 721->727 728 4027a0-402802 memset RegQueryValueExA 721->728 725 402737-40274e call 402430 722->725 726 4026a7-4026bf call 402430 722->726 738 402754-40275c 725->738 739 40286d-402882 call 402430 725->739 726->738 740 4026c5-4026e2 call 402430 726->740 733 402887-402898 RegCloseKey 728->733 734 402808-40280a 728->734 729->718 733->727 737 402810-40281e 734->737 737->737 741 402820-402827 737->741 738->727 742 40275e 738->742 739->733 740->721 751 4026e4-4026ea 740->751 744 402829-402836 strlen 741->744 745 40284f-40286c RegCloseKey 741->745 742->721 748 402838 744->748 749 40283e-40284a strcat 744->749 748->749 749->745 751->727
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CloseOpen$fprintffwrite
                • String ID: JavaHome$SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_381$jre
                • API String ID: 2632948728-210039947
                • Opcode ID: 9364065cee4006aa1e248f2a8bc137236dbc144057ed49c4486b6edb3bc99a87
                • Instruction ID: 13784bda21131abe29e605e60e8874ea15ce2e043269139803be6fc73a734c89
                • Opcode Fuzzy Hash: 9364065cee4006aa1e248f2a8bc137236dbc144057ed49c4486b6edb3bc99a87
                • Instruction Fuzzy Hash: F9516CB59083158BD714AF25C64425ABBE0FF80304F41C97FE9883B3C2C7BD99458B8A

                Control-flow Graph

                control_flow_graph 752 402430-40244c 753 4024a2-4024c1 fprintf 752->753 754 40244e-402458 752->754 756 40245a-402461 753->756 757 4024c3-4024c9 753->757 755 4024d0-4024f8 RegOpenKeyExA 754->755 754->756 755->756 760 4024fe-40252e call 402280 RegCloseKey 755->760 758 402596-4025a6 fprintf 756->758 759 402467-40248f RegOpenKeyExA 756->759 757->755 761 402495-4024a1 759->761 762 402568-402595 call 402280 RegCloseKey 759->762 760->756 766 402534-40253b 760->766 766->761 768 402541-402563 fwrite 766->768 768->761
                APIs
                • RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,00402715), ref: 00402485
                • fprintf.MSVCRT ref: 004024B5
                • RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,00402715), ref: 004024EE
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00402715), ref: 0040251F
                • fwrite.MSVCRT ref: 0040255E
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00402715), ref: 00402581
                • fprintf.MSVCRT ref: 004025A6
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CloseOpenfprintf$fwrite
                • String ID: 32-bit search:%s...$64-bit search:%s...
                • API String ID: 2131660067-1681012534
                • Opcode ID: c9c749f2187168bffb8da3167b872fe2273aff8a064b781ea05361dbc82f9642
                • Instruction ID: db78835e4e37dc56512bf58087c2aef207271a2ad5982ab85f3d843889212adc
                • Opcode Fuzzy Hash: c9c749f2187168bffb8da3167b872fe2273aff8a064b781ea05361dbc82f9642
                • Instruction Fuzzy Hash: 6741FBB09083159BC700EF65D68525EFBF4FF88304F11887EE888A7391D778E9458B46

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: _setmode$ExitProcess__p__environ__p__fmode_cexit
                • String ID:
                • API String ID: 2747451157-0
                • Opcode ID: 612ea18759bad0b7cbd0a5ec3d2df94d679dbe7011e7526947487d00c96e5d27
                • Instruction ID: d94ddfb0904ed1d1b1fcd9f17775da174976b76cb98335a262b590a7c617f90a
                • Opcode Fuzzy Hash: 612ea18759bad0b7cbd0a5ec3d2df94d679dbe7011e7526947487d00c96e5d27
                • Instruction Fuzzy Hash: CF11E8B4604700DFC304EF65E5C541A77B1BFC8314B108A7EE694A77A6CB78A880CB89

                Control-flow Graph

                control_flow_graph 794 401e10-401e46 FindResourceExA 795 401e96-401ea9 SetLastError 794->795 796 401e48-401e5f LoadResource 794->796 797 401eb0-401eb6 795->797 796->797 798 401e61-401e70 LockResource 796->798 798->797 799 401e72-401e7a 798->799 800 401e80-401e8a 799->800 800->800 801 401e8c-401e95 800->801
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2191306183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000004.00000002.2191280273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191329852.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191363659.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$ErrorFindLastLoadLock
                • String ID:
                • API String ID: 1074440638-0
                • Opcode ID: 5656401f9e567967a8485652ef1563bf0e9ef1944012dd97e3ad28967893910f
                • Instruction ID: f588b214a1d680624203c40b2ff752b88374fd5a224907c8dedae4407861157b
                • Opcode Fuzzy Hash: 5656401f9e567967a8485652ef1563bf0e9ef1944012dd97e3ad28967893910f
                • Instruction Fuzzy Hash: E4114FB16047019ADB00AB39C54175BBBE1BB84344F01853AED85A7391D638E905CBD6

                Control-flow Graph: 404940-404a56, calls 404ba0, 404b30, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, 4013b0
                Similarity
                • API ID: CommandHandleInfoLineModuleStartup
                • String ID:

                Control-flow Graph: 4049cc-404a56, calls GetModuleHandleA, 4013b0
                Similarity
                • API ID: HandleModule
                • String ID:

                Control-flow Graph: 4049fe-404a56, calls GetModuleHandleA, 4013b0
                Similarity
                • API ID: HandleModule
                • String ID:

                Control-flow Graph: 401290-4012a9, calls __set_app_type, 401150
                APIs
                • __set_app_type.MSVCRT ref: 0040129D
                  • Part of subcall function 00401150: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,004012A8), ref: 00401161
                  • Part of subcall function 00401150: __getmainargs.MSVCRT ref: 0040119A
                  • Part of subcall function 00401150: _setmode.MSVCRT ref: 004011D5
                  • Part of subcall function 00401150: _setmode.MSVCRT ref: 004011FB
                  • Part of subcall function 00401150: __p__fmode.MSVCRT ref: 00401200
                  • Part of subcall function 00401150: __p__environ.MSVCRT ref: 00401215
                  • Part of subcall function 00401150: _cexit.MSVCRT ref: 00401239
                  • Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401241
                Similarity
                • API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode__set_app_type_cexit
                • String ID:

                Control-flow Graph: 402a30-402cc0, calls 404ba0, strchr, strncat, strlen, strcat, GetCurrentDirectoryA, fprintf, strstr, GetEnvironmentVariableA, 402060
                Similarity
                • API ID: strcat$strncat$strchr$CurrentDirectoryEnvironmentVariablefprintfstrlenstrstr
                • String ID: C:\Users\user\Desktop$EXEDIR$EXEFILE$HKEY$OLDPWD$PWD$Substitute:%s = %s

                Control-flow Graph: 402cd0-402f64, calls FindResourceExA, LoadResource, LockResource, atoi, 404bd0, fprintf, strcat, strlen, _itoa, SetLastError
                Strings
                • Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB, xrefs: 00402EF5
                • Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB, xrefs: 00402F23
                • -Xms, xrefs: 00402CD5
                • -Xmx, xrefs: 00402CDC
                Similarity
                • API ID: Resource$ErrorFindLastLoadLockatoifprintfstrlen$_itoastrcat
                • String ID: -Xms$-Xmx$Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB$Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB
                Similarity
                • API ID: strstr$Open$CloseQueryValuestrchrstrrchr
                • String ID: HKEY$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS
                Similarity
                • API ID: Messageprintf$ErrorExecuteFormatFreeLastLocalShellfclosestrcat
                • String ID: An error occurred while starting the application.$Error:%s$Open URL:%s$open
                Similarity
                • API ID: strlen$_statfprintfstrcatstrcpy
                • String ID: (OK)$(n/a)$Check launcher:%s %s$bin\java.exe$bin\javaw.exe
                Similarity
                • API ID: AddressCurrentHandleModuleProcProcessfprintf
                • String ID: IsWow64Process$WOW64:%s$yes$~`@
                Similarity
                • API ID: AddressCurrentHandleModuleProcProcessfprintf
                • String ID: IsWow64Process$WOW64:%s$yes$~`@
                Similarity
                • API ID: fopenmemsetstrlenstrncpy
                • String ID: ``@$j.lo$nch4
                Similarity
                • API ID: KillMessagePostQuitTimer$CodeEnumExitProcessShowWindowWindows
                • String ID:
                Similarity
                • API ID: signal
                • String ID:
                Similarity
                • API ID: Resource$atoi$ErrorFindLastLoadLock
                • String ID:
                Similarity
                • API ID: EnvironmentVariablestrlen$memsetstrcat
                • String ID:
                Similarity
                • API ID: strcatstrlen
                • String ID: bin\java.exe$bin\javaw.exe
                Similarity
                • API ID: Resource$ErrorFindLastLoadLock
                • String ID: true
                Similarity
                • API ID: FormatFreeLocalMessagefprintfprintfstrcat
                • String ID: An error occurred while starting the application.
                • API String ID: 3558087145-2110520379
                • Opcode ID: 0309dab1ae88623b91bd0ca979ed66dc958a41dd0f1e69883467f3f5c59eb028
                • Instruction ID: 897b2e7710a6a7b3f267c2baffa0a05fecd79613af50bb048a3b26d972268dd0
                • Opcode Fuzzy Hash: 0309dab1ae88623b91bd0ca979ed66dc958a41dd0f1e69883467f3f5c59eb028
                • Instruction Fuzzy Hash: 612177B1A086009BD318EF28C50021B77E2EF94304F04C83EE489A77A5D73DE9498B8A
                APIs
                • memset.MSVCRT ref: 004012F4
                  • Part of subcall function 00401E10: FindResourceExA.KERNEL32(?,?,00405010), ref: 00401E3C
                  • Part of subcall function 00401E10: LoadResource.KERNEL32 ref: 00401E55
                  • Part of subcall function 00401E10: LockResource.KERNEL32 ref: 00401E64
                • FindWindowExA.USER32 ref: 0040132A
                • GetWindowTextA.USER32 ref: 00401350
                • strstr.MSVCRT ref: 0040135F
                • FindWindowExA.USER32 ref: 0040137F
                Similarity
                • API ID: FindResourceWindow$LoadLockTextmemsetstrstr
                • String ID:
                • API String ID: 1871962372-0
                • Opcode ID: 68f9b9fe8e26284ea4466cd7be2fd0a699b70c6e89954b03eac0d4cd0079519f
                • Instruction ID: 2c743d1d3da27c05cd938fc0b836d91f0b76d418a83aa4d99297ae1c1db7ab18
                • Opcode Fuzzy Hash: 68f9b9fe8e26284ea4466cd7be2fd0a699b70c6e89954b03eac0d4cd0079519f
                • Instruction Fuzzy Hash: 7F215EB2A083005BD714BF6AD54125EFBE4EFC4354F01C83FEA88D3691E63885458B86
                APIs
                • WaitForSingleObject.KERNEL32(?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048B2
                • GetExitCodeProcess.KERNEL32 ref: 004048CD
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048E8
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048F9
                • fclose.MSVCRT ref: 0040490D
                • fprintf.MSVCRT ref: 0040492D
                Similarity
                • API ID: CloseHandle$CodeExitObjectProcessSingleWaitfclosefprintf
                • String ID:
                • API String ID: 1585231095-0
                • Opcode ID: ba37172a1753ab43741c320a5b96a6367dc65ef8d5e99b837736b0aa74c96b18
                • Instruction ID: eb652ffc412eefeed0e718282237602074e50451812d2df90e84619bac2913a3
                • Opcode Fuzzy Hash: ba37172a1753ab43741c320a5b96a6367dc65ef8d5e99b837736b0aa74c96b18
                • Instruction Fuzzy Hash: 850121B59046048BE710FF79E98245EB7B1BBC4314F01893EDD8467691EA3498198B86
                APIs
                • GlobalMemoryStatusEx.KERNEL32 ref: 00402F87
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402D1B
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402D38
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402D47
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402D6F
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402DAB
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402DC8
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402DD7
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402DFF
                  • Part of subcall function 00402CD0: strcat.MSVCRT(?), ref: 00402E95
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402E9D
                  • Part of subcall function 00402CD0: _itoa.MSVCRT ref: 00402EB4
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402EBC
                Strings
                Similarity
                • API ID: Resource$FindLoadLockatoistrlen$GlobalMemoryStatus_itoastrcat
                • String ID: -Xms$-Xmx$@
                • API String ID: 3228920701-2676391021
                • Opcode ID: 1ee8ed68ac0c068930fb015abfc5e24d0c88b4e77e9116532bd67e932936c618
                • Instruction ID: 83f1aa44919a4c99108a5316738b6ebc3d89b658feaab29e7295632cd6d8abda
                • Opcode Fuzzy Hash: 1ee8ed68ac0c068930fb015abfc5e24d0c88b4e77e9116532bd67e932936c618
                • Instruction Fuzzy Hash: 890192B0A097099FDB04EF69D18055EBBF1EF88304F10C82EE589AB380D778D9459B86
                APIs
                • GlobalMemoryStatusEx.KERNEL32 ref: 00402F87
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402D1B
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402D38
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402D47
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402D6F
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402DAB
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402DC8
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402DD7
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402DFF
                  • Part of subcall function 00402CD0: strcat.MSVCRT(?), ref: 00402E95
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402E9D
                  • Part of subcall function 00402CD0: _itoa.MSVCRT ref: 00402EB4
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402EBC
                Strings
                Similarity
                • API ID: Resource$FindLoadLockatoistrlen$GlobalMemoryStatus_itoastrcat
                • String ID: -Xms$-Xmx$@
                • API String ID: 3228920701-2676391021
                • Opcode ID: 3d5dd6a6b33f9c710683a0e9a068311a38a7e96d1987d357962a79e933fbc725
                • Instruction ID: 6e677b9b8fabcb62c193d886980ddecd66842c0ac049963db457ddd5af3e35c3
                • Opcode Fuzzy Hash: 3d5dd6a6b33f9c710683a0e9a068311a38a7e96d1987d357962a79e933fbc725
                • Instruction Fuzzy Hash: FF0193B0A093099FD704EF69D18055EBBF1EF88304F10C83EE589AB380D778D9459B86
                APIs
                Strings
                Similarity
                • API ID: _statfprintfstrcatstrcpystrlen
                • String ID: (OK)$(n/a)$Check launcher:%s %s
                • API String ID: 619758015-4217937889
                • Opcode ID: 8e35bfdefc2d965162e0c46b7f7b8511bec3a04771cfdae5fb4af482349bacc5
                • Instruction ID: fa1afa973b0b716c6a45a6db043711451785159eaff392967d20973c2505f891
                • Opcode Fuzzy Hash: 8e35bfdefc2d965162e0c46b7f7b8511bec3a04771cfdae5fb4af482349bacc5
                • Instruction Fuzzy Hash: C3F05EB0A043085FDB109E59E980766B7E4FB84314F01C47EE94CA7380D778A8548B89
                APIs
                Similarity
                • API ID: CodeEnumExitKillMessagePostProcessQuitTimerWindows
                • String ID:
                • API String ID: 405088690-0
                • Opcode ID: 4f729626180ff1f826cd159275eaebbc8f8a505249547bf250ab6daea0a3e3ed
                • Instruction ID: 5dfb1647a7b45fe9d990e1e5a37a50df87d11f83294e09497229981203e6544d
                • Opcode Fuzzy Hash: 4f729626180ff1f826cd159275eaebbc8f8a505249547bf250ab6daea0a3e3ed
                • Instruction Fuzzy Hash: 83F0D0B59083008AD314BF34D6462197AE0BB84344F018A3ED9C5637D5D7789558DB9B

                Execution Graph

                Execution Coverage: 18.9%
                Dynamic/Decrypted Code Coverage: 0%
                Signature Coverage: 0%
                Total number of Nodes: 739
                Total number of Limit Nodes: 7
RegCloseKey 1865->1869 1870 4021dc 1865->1870 1868 4021a4 1866->1868 1866->1869 1867->1864 1871 4020ba strstr 1867->1871 1868->1800 1869->1868 1870->1866 1871->1864 1872 4020d4 strstr 1871->1872 1872->1864 1873 4020ee 1872->1873 1873->1800 1875 4024a2 fprintf 1874->1875 1876 40244e 1874->1876 1878 40245a 1875->1878 1879 4024c3 1875->1879 1877 4024d0 RegOpenKeyExA 1876->1877 1876->1878 1877->1878 1882 4024fe 1877->1882 1880 402596 fprintf 1878->1880 1881 402467 RegOpenKeyExA 1878->1881 1879->1877 1883 402495 1881->1883 1884 402568 1881->1884 1891 402280 memset 1882->1891 1883->1820 1887 402280 11 API calls 1884->1887 1889 40257b RegCloseKey 1887->1889 1888 402534 1888->1883 1890 402541 fwrite 1888->1890 1889->1820 1890->1883 1892 4022fd RegEnumKeyExA 1891->1892 1893 402427 RegCloseKey 1892->1893 1894 40233f strcmp 1892->1894 1893->1878 1893->1888 1895 4022e5 1894->1895 1895->1892 1896 402406 fprintf 1895->1896 1897 4022d0 strcmp 1895->1897 1898 402361 strcmp 1895->1898 1900 4023be strcat 1895->1900 1896->1893 1897->1895 1897->1898 1898->1895 1899 40237a strcpy strcpy strlen 1898->1899 1899->1895 1899->1900 1900->1895 1901 4023e7 fprintf 1900->1901 1901->1895 1902 40489e 1903 4048a0 WaitForSingleObject GetExitCodeProcess 1902->1903 1904 404917 fprintf 1903->1904 1905 4048df CloseHandle CloseHandle 1903->1905 1904->1905 1906 404890 1905->1906 1907 40490a fclose 1905->1907 1907->1906 1908 401a60 memset strncpy strlen fopen 1909 4028a0 1910 4028e0 strlen 1909->1910 1911 4028b3 strlen 1909->1911 1914 4028f5 strcat 1910->1914 1915 4028ef 1910->1915 1912 4028c2 1911->1912 1913 4028c8 strcat 1911->1913 1912->1913 1915->1914 1916 4021e1 1917 4021f0 GetModuleFileNameA 1916->1917 1918 402220 strrchr 1917->1918 1919 402235 1917->1919 1918->1919 1920 401269 1921 401270 __set_app_type 1920->1921 1922 401150 258 API calls 1921->1922 1923 401288 1922->1923 1924 4013e9 1940 4013d5 1924->1940 1925 401716 strstr 1925->1940 1926 401ec0 FindResourceExA LoadResource LockResource 
SetLastError 1926->1940 1927 40141e strstr 1927->1940 1928 40144e CreateWindowExA 1929 401661 SetTimer 1928->1929 1928->1940 1929->1940 1930 4047a0 11 API calls 1930->1940 1931 401e10 4 API calls 1931->1940 1932 401bf0 12 API calls 1932->1940 1933 40176b atoi 1933->1940 1934 4016b9 1935 4016d7 GetMessageA 1934->1935 1937 4016c1 TranslateMessage DispatchMessageA 1935->1937 1938 4016f8 1935->1938 1936 4017a2 fwrite 1936->1940 1937->1935 1942 401702 1938->1942 1943 40174e fprintf 1938->1943 1939 401503 strstr 1939->1940 1940->1925 1940->1926 1940->1927 1940->1928 1940->1930 1940->1931 1940->1932 1940->1933 1940->1934 1940->1936 1940->1939 1941 404760 3 API calls 1940->1941 1944 401ec0 4 API calls 1940->1944 1941->1940 1945 404760 3 API calls 1942->1945 1943->1942 1946 401536 LoadImageA 1944->1946 1947 401707 1945->1947 1946->1940 1948 40156e 7 API calls 1946->1948 1948->1929 1949 402f6c 1950 402f70 GlobalMemoryStatusEx 1949->1950 1951 402cd0 16 API calls 1950->1951 1952 402fc0 1951->1952 1953 402cd0 16 API calls 1952->1953 1954 402ff1 1953->1954 1955 401270 __set_app_type 1956 401150 258 API calls 1955->1956 1957 401288 1956->1957 1958 402f70 GlobalMemoryStatusEx 1959 402cd0 16 API calls 1958->1959 1960 402fc0 1959->1960 1961 402cd0 16 API calls 1960->1961 1962 402ff1 1961->1962 1963 401930 1964 401960 GetExitCodeProcess 1963->1964 1965 40193f 1963->1965 1968 4019b3 1964->1968 1969 401986 KillTimer PostQuitMessage 1964->1969 1966 4019d0 ShowWindow 1965->1966 1967 40194c 1965->1967 1966->1964 1972 4019fd 1966->1972 1967->1964 1970 401a40 EnumWindows 1967->1970 1968->1969 1971 4019af 1968->1971 1969->1971 1970->1964 1972->1964 1973 401a0b KillTimer 1972->1973 1974 401bf0 12 API calls 1973->1974 1975 401a27 PostQuitMessage 1974->1975 1975->1964 1976 4018b0 GetWindowThreadProcessId 1977 4018e3 GetWindowLongA 1976->1977 1978 4018d7 1976->1978 1977->1978 1979 4018fe ShowWindow 1977->1979 1979->1978 1980 4025b0 1981 4025d0 1980->1981 1982 4025e1 1980->1982 1984 402430 18 API 
calls 1981->1984 1983 402430 18 API calls 1982->1983 1985 402612 1982->1985 1983->1985 1984->1982 1986 402ff9 1987 404ba0 1986->1987 1988 40300d memset GetEnvironmentVariableA strlen 1987->1988 1989 403076 strlen strcat SetEnvironmentVariableA 1988->1989 1990 403067 1988->1990 1991 401afc 1992 401b00 GetModuleHandleA GetProcAddress 1991->1992 1993 401b30 GetCurrentProcess 1992->1993 1994 401b43 1992->1994 1993->1994 1995 401b78 1994->1995 1996 401b63 fprintf 1994->1996 1996->1995 1997 401a3c 1998 401a40 EnumWindows 1997->1998 1999 401960 GetExitCodeProcess 1998->1999 2000 401986 KillTimer PostQuitMessage 1999->2000 2001 4019b3 1999->2001 2002 4019af 2000->2002 2001->2000 2001->2002 2003 40223c 2004 402240 strlen 2003->2004 2005 402261 2004->2005 2006 401cbc 2007 401cc0 FormatMessageA 2006->2007 2008 401da3 fprintf 2007->2008 2009 401d03 strcat 2007->2009 2008->2009 2011 401d72 printf 2009->2011 2012 401ddf MessageBoxA 2009->2012 2013 401d90 LocalFree 2011->2013 2012->2013 2020 401bbe 2021 401bc0 MessageBoxA 2020->2021

                Callgraph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Modulememset$Handlefprintf$AddressCurrentFileNameProcProcessfopenstrlenstrncpystrrchrstrstr
                • String ID: CmdLine:%s %s$ " :%s$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$ p@$(OK)$(n/a)$--l4j-$--l4j-debug$-Xms$-Xmx$-cla$-jar$-jar$1.7.0$:$Add classpath:%s$An error occurred while starting the application.$Args length:%d/32768 chars$Bc@$Bc@$Bundled JRE:%s$C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe$C:\Users\user\Desktop$Check launcher:%s %s$IsWow64Process$Launcher args:%s$Launcher:%s$Set var:%s = %s$WOW64:%s$Working dir:%s$\$``@$bin\java.exe$bin\javaw.exe$ini$j.lo$l4j.$nch4$sspa$th "$true$yes$~`@
                • API String ID: 2968499522-3589992203
                • Opcode ID: 9a828ee921b1d8379db5194f7a2a7bd7a944953bb407b50695efd66db1fd3284
                • Instruction ID: 0e89a22367f5d3f2eae708a14e8bb05f6e03d73e7b0ab72636a6b4786490bd8a
                • Opcode Fuzzy Hash: 9a828ee921b1d8379db5194f7a2a7bd7a944953bb407b50695efd66db1fd3284
                • Instruction Fuzzy Hash: CAD251B19087048BD714AF25C54026ABBE5EFC4304F05C9BFE5C8A7391DB7C9989DB8A

                Control-flow Graph

                APIs
                  • Part of subcall function 004030C0: memset.MSVCRT ref: 004030EE
                  • Part of subcall function 004030C0: GetModuleHandleA.KERNEL32(?,004013C7), ref: 004030FA
                • strstr.MSVCRT ref: 0040142A
                • CreateWindowExA.USER32 ref: 004014A7
                • strstr.MSVCRT ref: 0040150F
                • LoadImageA.USER32 ref: 0040155E
                  • Part of subcall function 00401BF0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004013DA), ref: 00401BF6
                  • Part of subcall function 00401BF0: MessageBoxA.USER32 ref: 00401C32
                  • Part of subcall function 00401BF0: ShellExecuteA.SHELL32 ref: 00401C7E
                • memset.MSVCRT ref: 004017E1
                • ShowWindow.USER32 ref: 00401808
                • SetForegroundWindow.USER32 ref: 00401813
                Strings
                Similarity
                • API ID: Window$memsetstrstr$CreateErrorExecuteForegroundHandleImageLastLoadMessageModuleShellShow
                • String ID: --l4j-dont-wait$--l4j-no-splash$--l4j-no-splash-err$Exit code:%d$STATIC
                • API String ID: 1172715904-121186343
                • Opcode ID: b7e873c6563f926a30741e0d117d4a65a1acbb56b3432b0c167deef810c33fa7
                • Instruction ID: 22f332a72cef92a8da5d6acb595563ebd0f99b3e0e1198dea9edd092bcf45b6f
                • Opcode Fuzzy Hash: b7e873c6563f926a30741e0d117d4a65a1acbb56b3432b0c167deef810c33fa7
                • Instruction Fuzzy Hash: 6FD101B19083018BD714FF2AD54131EBAE5BFC4344F01C93FE989A73A1DB7899459B8A

                Control-flow Graph

                APIs
                  • Part of subcall function 00401EC0: FindResourceExA.KERNEL32 ref: 00401EFB
                  • Part of subcall function 00401EC0: LoadResource.KERNEL32 ref: 00401F14
                  • Part of subcall function 00401EC0: LockResource.KERNEL32 ref: 00401F23
                • strstr.MSVCRT ref: 0040142A
                • CreateWindowExA.USER32 ref: 004014A7
                • strstr.MSVCRT ref: 0040150F
                • LoadImageA.USER32 ref: 0040155E
                • SendMessageA.USER32 ref: 0040158F
                • GetWindowRect.USER32 ref: 004015A4
                • GetSystemMetrics.USER32 ref: 004015B3
                • GetSystemMetrics.USER32 ref: 004015DC
                • SetWindowPos.USER32 ref: 0040162B
                • ShowWindow.USER32 ref: 00401643
                • UpdateWindow.USER32 ref: 00401654
                • SetTimer.USER32 ref: 0040167F
                  • Part of subcall function 004047A0: memset.MSVCRT ref: 004047DE
                  • Part of subcall function 004047A0: strcat.MSVCRT ref: 0040480B
                  • Part of subcall function 004047A0: strlen.MSVCRT ref: 00404813
                  • Part of subcall function 004047A0: strcat.MSVCRT ref: 0040482F
                  • Part of subcall function 004047A0: CreateProcessA.KERNEL32 ref: 00404875
                • GetMessageA.USER32 ref: 004016EC
                • strstr.MSVCRT ref: 00401722
                Strings
                Similarity
                • API ID: Window$Resourcestrstr$CreateLoadMessageMetricsSystemstrcat$FindImageLockProcessRectSendShowTimerUpdatememsetstrlen
                • String ID: --l4j-dont-wait$--l4j-no-splash-err$STATIC
                • API String ID: 4182365790-3920415740
                • Opcode ID: d398302fcecea8767c2f4d14e06c24a15f3e1a15badd60b91015d221b8449cc4
                • Instruction ID: ee7b831562b9b24d1f16b922444e8b63d9d8e08211f115b699755232a1a447d7
                • Opcode Fuzzy Hash: d398302fcecea8767c2f4d14e06c24a15f3e1a15badd60b91015d221b8449cc4
                • Instruction Fuzzy Hash: 338103B1A083018FD714EF7AD94131EBBE1BFC4344F05893EE988A7391DB7899458B86

                Control-flow Graph

                APIs
                Similarity
                • API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
                • String ID:
                • API String ID: 3695137517-0
                • Opcode ID: 3549981cb67ff38a295ae9781b7f217a27204a441156aad90a8880d90c2b952a
                • Instruction ID: fab3366932fbaa3ebb4d58be2606cf2eda9a25db2a2b1f6ef0ea82b631d7fdb2
                • Opcode Fuzzy Hash: 3549981cb67ff38a295ae9781b7f217a27204a441156aad90a8880d90c2b952a
                • Instruction Fuzzy Hash: 11211DB49043049FC304EF65E58151E7BF1BF88354F408A7EE694A77A5D778A880CF9A
                APIs
                Strings
                Similarity
                • API ID: Resourcememset$fprintfstrlen$EnvironmentVariable$CurrentFindLoadLockModulestrcpy$AddressCreateDirectoryErrorFileHandleLastMutexNameProcProcessatoifopenstrcatstrchrstrncpystrrchrstrstrstrtok
                • String ID: CmdLine:%s %s$--l4j-debug$1.7.0$An error occurred while starting the application.$C:\Users\user\Desktop$IsWow64Process$WOW64:%s$``@$j.lo$nch4$yes$~`@
                • API String ID: 276419104-4214590570
                • Opcode ID: 2a3f9d9becd6b63c6195d3f3105f1d5613062485fea006847c855bd2f4b45a57
                • Instruction ID: f0a9dd12e9f155100ecc80547f8524881e04b64e39f325f861530ddbe7d78783
                • Opcode Fuzzy Hash: 2a3f9d9becd6b63c6195d3f3105f1d5613062485fea006847c855bd2f4b45a57
                • Instruction Fuzzy Hash: CE811CB09087009BD714AF25C58025EBAE5FFC4744F01C87FE9C8AB391DB7899859F8A

                Control-flow Graph

                APIs
                Strings
                Similarity
                • API ID: fprintfstrcmpstrcpy$Enummemsetstrcatstrlen
                • String ID: 1.7.0$1.8.0_381$Ignore:%s\%s$Match:%s$SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_381
                • API String ID: 2366812193-779923612
                • Opcode ID: feb0feb41c432621510d2774921ed4ae6fb30bd5dcd4c6b6128fc8dc5ae5dabe
                • Instruction ID: 9ab0c8db1ba71b2b6d2ba768174804a11d38db5b54a87c79ea0cb8f479a381c0
                • Opcode Fuzzy Hash: feb0feb41c432621510d2774921ed4ae6fb30bd5dcd4c6b6128fc8dc5ae5dabe
                • Instruction Fuzzy Hash: AC411DF0A093049FD754AF69C58065ABBE4FF88314F41C87FEA88A7381D77889459F4A

                Control-flow Graph

                APIs
                • memset.MSVCRT ref: 004047DE
                • strcat.MSVCRT ref: 0040480B
                • strlen.MSVCRT ref: 00404813
                • strcat.MSVCRT ref: 0040482F
                • CreateProcessA.KERNEL32 ref: 00404875
                • WaitForSingleObject.KERNEL32(?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048B2
                • GetExitCodeProcess.KERNEL32 ref: 004048CD
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048E8
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048F9
                • fclose.MSVCRT ref: 0040490D
                Strings
                Similarity
                • API ID: CloseHandleProcessstrcat$CodeCreateExitObjectSingleWaitfclosememsetstrlen
                • String ID: p@$C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe$D$Exit code:%d
                • API String ID: 1835003254-3076985505
                • Opcode ID: 3242635cd407cc207b4e9632af2587f9fe911d2d8e26333d3a4061cd7df8f18c
                • Instruction ID: 5caefe9559b27fe27b5d30c0e67c063fa4c1d1b371c170d15aebd52dad6435f1
                • Opcode Fuzzy Hash: 3242635cd407cc207b4e9632af2587f9fe911d2d8e26333d3a4061cd7df8f18c
                • Instruction Fuzzy Hash: BB411FB19087048FD710EF69D58111EBBE1BFC4314F01C93EE988A7391DB389959CB9A

                Control-flow Graph

                Strings
                Similarity
                • API ID: CloseOpen$fprintffwrite
                • String ID: JavaHome$SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_381$jre
                • API String ID: 2632948728-210039947
                • Opcode ID: 9364065cee4006aa1e248f2a8bc137236dbc144057ed49c4486b6edb3bc99a87
                • Instruction ID: 13784bda21131abe29e605e60e8874ea15ce2e043269139803be6fc73a734c89
                • Opcode Fuzzy Hash: 9364065cee4006aa1e248f2a8bc137236dbc144057ed49c4486b6edb3bc99a87
                • Instruction Fuzzy Hash: F9516CB59083158BD714AF25C64425ABBE0FF80304F41C97FE9883B3C2C7BD99458B8A

                Control-flow Graph

                APIs
                • RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,00402715), ref: 00402485
                • fprintf.MSVCRT ref: 004024B5
                • RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,00402715), ref: 004024EE
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00402715), ref: 0040251F
                • fwrite.MSVCRT ref: 0040255E
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00402715), ref: 00402581
                • fprintf.MSVCRT ref: 004025A6
                Strings
                Similarity
                • API ID: CloseOpenfprintf$fwrite
                • String ID: 32-bit search:%s...$64-bit search:%s...
                • API String ID: 2131660067-1681012534

                Similarity
                • API ID: _setmode$ExitProcess__p__environ__p__fmode_cexit
                • String ID:
                • API String ID: 2747451157-0

                Similarity
                • API ID: Resource$ErrorFindLastLoadLock
                • String ID:
                • API String ID: 1074440638-0

                Similarity
                • API ID: CommandHandleInfoLineModuleStartup
                • String ID:
                • API String ID: 1628297973-0

                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0

                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0

                APIs
                • __set_app_type.MSVCRT ref: 0040129D
                  • Part of subcall function 00401150: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,004012A8), ref: 00401161
                  • Part of subcall function 00401150: __getmainargs.MSVCRT ref: 0040119A
                  • Part of subcall function 00401150: _setmode.MSVCRT ref: 004011D5
                  • Part of subcall function 00401150: _setmode.MSVCRT ref: 004011FB
                  • Part of subcall function 00401150: __p__fmode.MSVCRT ref: 00401200
                  • Part of subcall function 00401150: __p__environ.MSVCRT ref: 00401215
                  • Part of subcall function 00401150: _cexit.MSVCRT ref: 00401239
                  • Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401241
                Similarity
                • API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode__set_app_type_cexit
                • String ID:
                • API String ID: 250851222-0

                Similarity
                • API ID: strcat$strncat$strchr$CurrentDirectoryEnvironmentVariablefprintfstrlenstrstr
                • String ID: C:\Users\user\Desktop$EXEDIR$EXEFILE$HKEY$OLDPWD$PWD$Substitute:%s = %s
                • API String ID: 1816310627-1435958981

                Strings
                • Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB, xrefs: 00402F23
                • -Xmx, xrefs: 00402CDC
                • -Xms, xrefs: 00402CD5
                • Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB, xrefs: 00402EF5
                Similarity
                • API ID: Resource$ErrorFindLastLoadLockatoifprintfstrlen$_itoastrcat
                • String ID: -Xms$-Xmx$Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB$Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB
                • API String ID: 636361558-2330190027
                Similarity
                • API ID: strstr$Open$CloseQueryValuestrchrstrrchr
                • String ID: HKEY$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS
                • API String ID: 356245303-4236897492
                Similarity
                • API ID: Messageprintf$ErrorExecuteFormatFreeLastLocalShellfclosestrcat
                • String ID: An error occurred while starting the application.$Error:%s$Open URL:%s$open
                • API String ID: 519069059-3584283646
                Similarity
                • API ID: strlen$_statfprintfstrcatstrcpy
                • String ID: (OK)$(n/a)$Check launcher:%s %s$bin\java.exe$bin\javaw.exe
                • API String ID: 882030775-291028976
                Similarity
                • API ID: AddressCurrentHandleModuleProcProcessfprintf
                • String ID: IsWow64Process$WOW64:%s$yes$~`@
                • API String ID: 24026888-71265849
                Similarity
                • API ID: AddressCurrentHandleModuleProcProcessfprintf
                • String ID: IsWow64Process$WOW64:%s$yes$~`@
                • API String ID: 24026888-71265849
                Similarity
                • API ID: fopenmemsetstrlenstrncpy
                • String ID: ``@$j.lo$nch4
                • API String ID: 80595551-9945926
                Similarity
                • API ID: KillMessagePostQuitTimer$CodeEnumExitProcessShowWindowWindows
                • String ID:
                • API String ID: 1905518172-0
                Similarity
                • API ID: signal
                • String ID:
                • API String ID: 1946981877-0
                Similarity
                • API ID: Resource$atoi$ErrorFindLastLoadLock
                • String ID:
                • API String ID: 3704303549-0
                Similarity
                • API ID: EnvironmentVariablestrlen$memsetstrcat
                • String ID:
                • API String ID: 2108680700-0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: strcatstrlen
                • String ID: bin\java.exe$bin\javaw.exe
                • API String ID: 1179760717-2770878578
                • Opcode ID: 854bfbc186050e28c01aca1e52af11a5c6d2265732dea4351e5e53cdbfa1f743
                • Instruction ID: c625f8ff6eb4937acacc3d066b804341fc1bdd91dfaabe361e5825c854feadc3
                • Opcode Fuzzy Hash: 854bfbc186050e28c01aca1e52af11a5c6d2265732dea4351e5e53cdbfa1f743
                • Instruction Fuzzy Hash: 6AF0C8B1C083409FD7217F65A8C461A7BD0AF40304F06847ED1481B393DB798454975A
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$ErrorFindLastLoadLock
                • String ID: true
                • API String ID: 1074440638-4261170317
                • Opcode ID: fa88095351f1cf649c4e0f59975f4c8608c77ca3866356f65f7bb502d8a741c9
                • Instruction ID: 720aba9a36caa5c46db755dcfa968833f6afea8c066c512ca53f753ba12c794b
                • Opcode Fuzzy Hash: fa88095351f1cf649c4e0f59975f4c8608c77ca3866356f65f7bb502d8a741c9
                • Instruction Fuzzy Hash: F72108B2A043155ADB10AB39E94036ABBE5FBC0350F01857FEE84A3380E7399619C796
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: FormatFreeLocalMessagefprintfprintfstrcat
                • String ID: An error occurred while starting the application.
                • API String ID: 3558087145-2110520379
                • Opcode ID: 0309dab1ae88623b91bd0ca979ed66dc958a41dd0f1e69883467f3f5c59eb028
                • Instruction ID: 897b2e7710a6a7b3f267c2baffa0a05fecd79613af50bb048a3b26d972268dd0
                • Opcode Fuzzy Hash: 0309dab1ae88623b91bd0ca979ed66dc958a41dd0f1e69883467f3f5c59eb028
                • Instruction Fuzzy Hash: 612177B1A086009BD318EF28C50021B77E2EF94304F04C83EE489A77A5D73DE9498B8A
                APIs
                • memset.MSVCRT ref: 004012F4
                  • Part of subcall function 00401E10: FindResourceExA.KERNEL32(?,?,00405010), ref: 00401E3C
                  • Part of subcall function 00401E10: LoadResource.KERNEL32 ref: 00401E55
                  • Part of subcall function 00401E10: LockResource.KERNEL32 ref: 00401E64
                • FindWindowExA.USER32 ref: 0040132A
                • GetWindowTextA.USER32 ref: 00401350
                • strstr.MSVCRT ref: 0040135F
                • FindWindowExA.USER32 ref: 0040137F
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: FindResourceWindow$LoadLockTextmemsetstrstr
                • String ID:
                • API String ID: 1871962372-0
                • Opcode ID: 68f9b9fe8e26284ea4466cd7be2fd0a699b70c6e89954b03eac0d4cd0079519f
                • Instruction ID: 2c743d1d3da27c05cd938fc0b836d91f0b76d418a83aa4d99297ae1c1db7ab18
                • Opcode Fuzzy Hash: 68f9b9fe8e26284ea4466cd7be2fd0a699b70c6e89954b03eac0d4cd0079519f
                • Instruction Fuzzy Hash: 7F215EB2A083005BD714BF6AD54125EFBE4EFC4354F01C83FEA88D3691E63885458B86
                APIs
                • WaitForSingleObject.KERNEL32(?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048B2
                • GetExitCodeProcess.KERNEL32 ref: 004048CD
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048E8
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,8000000E,00401930,00000001,?,0040169B), ref: 004048F9
                • fclose.MSVCRT ref: 0040490D
                • fprintf.MSVCRT ref: 0040492D
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CloseHandle$CodeExitObjectProcessSingleWaitfclosefprintf
                • String ID:
                • API String ID: 1585231095-0
                • Opcode ID: ba37172a1753ab43741c320a5b96a6367dc65ef8d5e99b837736b0aa74c96b18
                • Instruction ID: eb652ffc412eefeed0e718282237602074e50451812d2df90e84619bac2913a3
                • Opcode Fuzzy Hash: ba37172a1753ab43741c320a5b96a6367dc65ef8d5e99b837736b0aa74c96b18
                • Instruction Fuzzy Hash: 850121B59046048BE710FF79E98245EB7B1BBC4314F01893EDD8467691EA3498198B86
                APIs
                • GlobalMemoryStatusEx.KERNEL32 ref: 00402F87
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402D1B
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402D38
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402D47
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402D6F
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402DAB
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402DC8
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402DD7
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402DFF
                  • Part of subcall function 00402CD0: strcat.MSVCRT(?), ref: 00402E95
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402E9D
                  • Part of subcall function 00402CD0: _itoa.MSVCRT ref: 00402EB4
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402EBC
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$FindLoadLockatoistrlen$GlobalMemoryStatus_itoastrcat
                • String ID: -Xms$-Xmx$@
                • API String ID: 3228920701-2676391021
                • Opcode ID: 1ee8ed68ac0c068930fb015abfc5e24d0c88b4e77e9116532bd67e932936c618
                • Instruction ID: 83f1aa44919a4c99108a5316738b6ebc3d89b658feaab29e7295632cd6d8abda
                • Opcode Fuzzy Hash: 1ee8ed68ac0c068930fb015abfc5e24d0c88b4e77e9116532bd67e932936c618
                • Instruction Fuzzy Hash: 890192B0A097099FDB04EF69D18055EBBF1EF88304F10C82EE589AB380D778D9459B86
                APIs
                • GlobalMemoryStatusEx.KERNEL32 ref: 00402F87
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402D1B
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402D38
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402D47
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402D6F
                  • Part of subcall function 00402CD0: FindResourceExA.KERNEL32 ref: 00402DAB
                  • Part of subcall function 00402CD0: LoadResource.KERNEL32 ref: 00402DC8
                  • Part of subcall function 00402CD0: LockResource.KERNEL32 ref: 00402DD7
                  • Part of subcall function 00402CD0: atoi.MSVCRT ref: 00402DFF
                  • Part of subcall function 00402CD0: strcat.MSVCRT(?), ref: 00402E95
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402E9D
                  • Part of subcall function 00402CD0: _itoa.MSVCRT ref: 00402EB4
                  • Part of subcall function 00402CD0: strlen.MSVCRT ref: 00402EBC
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: Resource$FindLoadLockatoistrlen$GlobalMemoryStatus_itoastrcat
                • String ID: -Xms$-Xmx$@
                • API String ID: 3228920701-2676391021
                • Opcode ID: 3d5dd6a6b33f9c710683a0e9a068311a38a7e96d1987d357962a79e933fbc725
                • Instruction ID: 6e677b9b8fabcb62c193d886980ddecd66842c0ac049963db457ddd5af3e35c3
                • Opcode Fuzzy Hash: 3d5dd6a6b33f9c710683a0e9a068311a38a7e96d1987d357962a79e933fbc725
                • Instruction Fuzzy Hash: FF0193B0A093099FD704EF69D18055EBBF1EF88304F10C83EE589AB380D778D9459B86
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: _statfprintfstrcatstrcpystrlen
                • String ID: (OK)$(n/a)$Check launcher:%s %s
                • API String ID: 619758015-4217937889
                • Opcode ID: 8e35bfdefc2d965162e0c46b7f7b8511bec3a04771cfdae5fb4af482349bacc5
                • Instruction ID: fa1afa973b0b716c6a45a6db043711451785159eaff392967d20973c2505f891
                • Opcode Fuzzy Hash: 8e35bfdefc2d965162e0c46b7f7b8511bec3a04771cfdae5fb4af482349bacc5
                • Instruction Fuzzy Hash: C3F05EB0A043085FDB109E59E980766B7E4FB84314F01C47EE94CA7380D778A8548B89
                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.2212279499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000006.00000002.2212256977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212302418.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212367507.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_400000_HkppfZO2WW.jbxd
                Similarity
                • API ID: CodeEnumExitKillMessagePostProcessQuitTimerWindows
                • String ID:
                • API String ID: 405088690-0
                • Opcode ID: 4f729626180ff1f826cd159275eaebbc8f8a505249547bf250ab6daea0a3e3ed
                • Instruction ID: 5dfb1647a7b45fe9d990e1e5a37a50df87d11f83294e09497229981203e6544d
                • Opcode Fuzzy Hash: 4f729626180ff1f826cd159275eaebbc8f8a505249547bf250ab6daea0a3e3ed
                • Instruction Fuzzy Hash: 83F0D0B59083008AD314BF34D6462197AE0BB84344F018A3ED9C5637D5D7789558DB9B