
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 485992
Start time: 16:18:02
Joe Sandbox Product: Cloud
Start date: 22.01.2018
Overall analysis duration: 0h 13m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Xtaqxu6frQ (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal84.evad.spre.adwa.phis.spyw.troj.winEXE@25/41@29/1
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 60
  • Number of non-executed functions: 68
EGA Information:
  • Successful, ratio: 100%
Warnings:
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: fero.exe, chrome64x.exe, chrome64x.exe, chrome64x.exe


Detection

Strategy    Score   Range      Reporting        Detection
Threshold   84      0 - 100    Report FP / FN   malicious


Confidence

Strategy    Score   Range    Further Analysis Required?   Confidence
Threshold   5       0 - 5    false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Signature Overview



Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture screen (.Net source)
Source: 4.2.fero.exe.680000.1.raw.unpack, OK.cs | .Net Code: Ind
Source: 8.2.chrome64x.exe.6a0000.1.raw.unpack, OK.cs | .Net Code: Ind
Source: 16.2.chrome64x.exe.550000.1.raw.unpack, OK.cs | .Net Code: Ind
Source: 18.2.chrome64x.exe.3b0000.1.raw.unpack, OK.cs | .Net Code: Ind

Networking:

Found strings which match to known social media urls
Source: fero.exe | String found in binary or memory: Microsoft.AspNet.Mvc.Facebook.V+ equals www.facebook.com (Facebook)
Source: AcroRd32.exe | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: AcroRd32.exe | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: AcroRd32.exe | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: fero2003.ddns.net
Urls found in memory or binary data
Source: fero.exe | String found in binary or memory: file:///C:/Users/user/AppData/Local/Temp/chrome64x.exe
Source: fero.exe | String found in binary or memory: file:///C:/Users/user/Desktop/
Source: fero.exe | String found in binary or memory: file:///C:/Users/user/Desktop/fed
Source: fero.exe | String found in binary or memory: file:///C:/Users/user/Desktop/fero.exe
Source: fero.exe | String found in binary or memory: file:///C:/Users/user/Desktop/fero.exeindY
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia003118
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia003118/c/0
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia003118/c/0Vector.
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia003118/c/0file://AcrobatMedia003118/c/0file://AcrobatMedia003118/c/0
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia003118/c/0xi
Source: AcroRd32.exe | String found in binary or memory: http://
Source: AcroRd32.exe | String found in binary or memory: http://.acrocomcontent.com
Source: AcroRd32.exe | String found in binary or memory: http://altright.com
Source: fire and fury.pdf | String found in binary or memory: http://altright.com)
Source: AcroRd32.exe | String found in binary or memory: http://cacerts.di
Source: AcroRd32.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: fire and fury.pdf | String found in binary or memory: http://calibre-ebook.com
Source: fire and fury.pdf | String found in binary or memory: http://calibre-ebook.com/xmp-namespace
Source: fire and fury.pdf | String found in binary or memory: http://calibre-ebook.com/xmp-namespace-custom-columns
Source: fire and fury.pdf | String found in binary or memory: http://calibre-ebook.com/xmp-namespace-series-index
Source: AcroRd32.exe | String found in binary or memory: http://calibre-ebook.com/xmp-namespace6p
Source: AcroRd32.exe | String found in binary or memory: http://calibre-ebook.com/xmp-namespace=p
Source: AcroRd32.exe | String found in binary or memory: http://calibre-ebook.com/xmp-namespaceic/2.0/
Source: AcroRd32.exe | String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe | String found in binary or memory: http://cipa.jp/exif/1.0/KN1
Source: AcroRd32.exe | String found in binary or memory: http://cipa.jp/exif/1.0/dN1
Source: AcroRd32.exe | String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: AcroRd32.exe | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: AcroRd32.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: AcroRd32.exe | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: AcroRd32.exe | String found in binary or memory: http://crl.geotrust.com/crls/gtglobal.crl04
Source: AcroRd32.exe | String found in binary or memory: http://crl.m
Source: AcroRd32.exe | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: AcroRd32.exe | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: AcroRd32.exe | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: AcroRd32.exe | String found in binary or memory: http://crl.veris
Source: AcroRd32.exe | String found in binary or memory: http://crl3.digicert.c
Source: AcroRd32.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: AcroRd32.exe | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: AcroRd32.exe | String found in binary or memory: http://crl4.E
Source: AcroRd32.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: AcroRd32.exe | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: AcroRd32.exe | String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: AcroRd32.exe | String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: AcroRd32.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/m
Source: AcroRd32.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/t
Source: AcroRd32.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe | String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.comodoca.com0%
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.comodoca.com0-
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.comodoca.com0/
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.comodoca.com05
Source: 1E11E75149C17A93653DA7DC0B8CF53F_7AF31CAFD5EA10EF3F1F95E6796CFF64.2.dr | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOe
Source: 7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6.2.dr | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.digicert.com0F
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootCA.crlhttp://crl4.digicert.com/Di
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/ssca-sha2-g6.crlhttp://crl4.digicert.com/ssca-sha2-
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.entrust.net03
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.entrust.net0D
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.geotrust.com0K
Source: fire and fury.pdf | String found in binary or memory: http://prismstandard.org/namespaces/basic/2.0/
Source: AcroRd32.exe | String found in binary or memory: http://prismstandard.org/namespaces/basic/2.0/Ep
Source: AcroRd32.exe | String found in binary or memory: http://prismstandard.org/namespaces/basic/2.0/Lp
Source: AcroRd32.exe | String found in binary or memory: http://recentfiles
Source: AcroRd32.exe, UserCache.bin.6.dr | String found in binary or memory: http://recentfiles.
Source: AcroRd32.exe, UserCache.bin.6.dr | String found in binary or memory: http://recentfiles.com.adobe.acrobat.extensions.files_description
Source: AcroRd32.exe | String found in binary or memory: http://recentfilesH
Source: AcroRd32.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AcroRd32.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AcroRd32.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AcroRd32.exe | String found in binary or memory: http://uri.etsi.org/01903/v1.1.1#
Source: AcroRd32.exe | String found in binary or memory: http://ww
Source: AcroRd32.exe | String found in binary or memory: http://www
Source: AcroRd32.exe | String found in binary or memory: http://www.a
Source: AcroRd32.exe | String found in binary or memory: http://www.adob
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/property#%
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/type#3
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/type#:
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfe/ns/id/2L1
Source: AcroRd32.exe | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: AcroRd32.exe | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: AcroRd32.exe | String found in binary or memory: http://www.geotrust.com/resources/cps0(
Source: AcroRd32.exe | String found in binary or memory: http://www.hachette.co.uk
Source: fire and fury.pdf | String found in binary or memory: http://www.hachette.co.uk)
Source: AcroRd32.exe | String found in binary or memory: http://www.littlebrown.co.uk
Source: fire and fury.pdf | String found in binary or memory: http://www.littlebrown.co.uk)
Source: AcroRd32.exe | String found in binary or memory: http://www.macromedia.com
Source: AcroRd32.exe | String found in binary or memory: http://www.macromedia.comfile://AcrobatMedia003118/c/0file://AcrobatMedia003118
Source: AcroRd32.exe | String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe | String found in binary or memory: http://www.npes.org/pdfx/ns/id/~O1
Source: AcroRd32.exe | String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: AcroRd32.exe | String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: AcroRd32.exe | String found in binary or memory: http://www.usertrust.com1
Source: AcroRd32.exe | String found in binary or memory: https://
Source: AcroRd32.exe | String found in binary or memory: https://.acrocomcontent.com
Source: AcroRd32.exe | String found in binary or memory: https://QA
Source: AcroRd32.exe | String found in binary or memory: https://WebServiceJob/com.adobe.acrobat.ADotCom/Resource/
Source: AcroRd32.exe | String found in binary or memory: https://WebServiceJob/com.adobe.acrobat.ADotCom/Resource/api
Source: AcroRd32.exe | String found in binary or memory: https://WebServiceJob/com.adobe.acrobat.RFLMAP/Resource/
Source: AcroRd32.exe | String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe | String found in binary or memory: https://ims-na1.adobelogin.com/
Source: AcroRd32.exe | String found in binary or memory: https://secure.comodo.com/CPS0
Source: AcroRd32.exe | String found in binary or memory: https://w
Source: ReaderMessages-journal.6.dr | String found in binary or memory: https://www.acro
Source: AcroRd32.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: AcroRd32.exe | String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
Source: AcroRd32.exe | String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/Q
Source: AcroRd32.exe | String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/broadcastMessage
Source: AcroRd32.exe | String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/xehttps://www.macromedia.com/support/flashplayer/
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.16:49194 -> 91.109.180.3:1177
Uses dynamic DNS services
Source: unknown | DNS query: name: fero2003.ddns.net

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
Creates autostart registry keys with suspicious names
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Drops PE files to the startup folder
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
Source: C:\Users\user\Desktop\fero.exe | File created: C:\Users\user\AppData\Local\Temp\chrome64x.exe
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | File created: C:\Users\user\Desktop\fero.exe

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.83582372484
Source: initial sample | Static PE information: section name: .text entropy: 7.83582372484
File is packed with WinRar
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_206875
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01391404 push eax; ret 1_2_01391422
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_013920D6 push ecx; ret 1_2_013920E9
.NET source code contains potential unpacker
Source: 4.2.fero.exe.680000.1.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.chrome64x.exe.6a0000.1.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.chrome64x.exe.550000.1.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.chrome64x.exe.3b0000.1.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0138ECFC SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,SetDlgItemTextW,FindClose,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,SetDlgItemTextW,SetDlgItemTextW,1_2_0138ECFC
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0139C562 FindFirstFileExA,1_2_0139C562
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01382816 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,1_2_01382816
Contains functionality to spread to USB devices (.Net source)
Source: 4.2.fero.exe.680000.1.raw.unpack, OK.cs | .Net Code: USBspr
Source: 8.2.chrome64x.exe.6a0000.1.raw.unpack, OK.cs | .Net Code: USBspr
Source: 16.2.chrome64x.exe.550000.1.raw.unpack, OK.cs | .Net Code: USBspr
Source: 18.2.chrome64x.exe.3b0000.1.raw.unpack, OK.cs | .Net Code: USBspr
May infect USB drives
Source: fero.exe | Binary or memory string: autorun.inf![autorun]
Source: fero.exe | Binary or memory string: autorun.inf![autorun]

System Summary:

Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\fero.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: Xtaqxu6frQ.exe | Static file information: File size 1571773 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | File opened: C:\Windows\system32\MSVCR100.dll
PE file contains a mix of data directories often seen in goodware
Source: Xtaqxu6frQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Xtaqxu6frQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Xtaqxu6frQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Xtaqxu6frQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Xtaqxu6frQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Xtaqxu6frQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Xtaqxu6frQ.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: Xtaqxu6frQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: c:\Users\verge\Documents\Visual Studio 2013\Projects\fero\fero\obj\Debug\fero.pdbh source: fero.exe
Source: Binary string: c:\Users\verge\Documents\Visual Studio 2013\Projects\fero\fero\obj\Debug\fero.pdb source: fero.exe
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: Xtaqxu6frQ.exe
PE file contains a valid data directory to section mapping
Source: Xtaqxu6frQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Xtaqxu6frQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Xtaqxu6frQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Xtaqxu6frQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Xtaqxu6frQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
.NET source code contains calls to encryption/decryption functions
Source: chrome64x.exe.4.dr, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: f39b6b3505175465947b62295a9a0ae2.exe.8.dr, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Binary contains paths to development resources
Source: Xtaqxu6frQ.exe | Binary or memory string: 3.vbP.v
Classification label
Source: classification engine | Classification label: mal84.evad.spre.adwa.phis.spyw.troj.winEXE@25/41@29/1
Creates files inside the user directory
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_206875
Creates temporary files
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP3C6E.tmp
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
PE file has an executable .text section and no other executable section
Source: Xtaqxu6frQ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (Probably coded in C#)
Source: C:\Users\user\Desktop\fero.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Reads ini files
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | File read: C:\Windows\win.ini
Reads software policies
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Xtaqxu6frQ.exe 'C:\Users\user\Desktop\Xtaqxu6frQ.exe'
Source: unknown | Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\fire and fury.pdf'
Source: unknown | Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87 --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f
Source: unknown | Process created: C:\Users\user\Desktop\fero.exe 'C:\Users\user\Desktop\fero.exe'
Source: unknown | Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3400.0.2047977454 --type=renderer --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87
Source: unknown | Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3384.0.766126944 --type=renderer 'C:\Users\user\Desktop\fire and fury.pdf'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: unknown | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' ..
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' ..
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\fire and fury.pdf'
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Process created: C:\Users\user\Desktop\fero.exe 'C:\Users\user\Desktop\fero.exe'
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3384.0.766126944 --type=renderer 'C:\Users\user\Desktop\fire and fury.pdf'
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3400.0.2047977454 --type=renderer --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87
Source: C:\Users\user\Desktop\fero.exe | Process created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)Show sources
Source: chrome64x.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: f39b6b3505175465947b62295a9a0ae2.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579E90 NtMapViewOfSection
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_005799D0 NtCreateKey
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579890 NtQueryAttributesFile
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579B50 NtOpenSection
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579AD0 NtCreateMutant
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579850 NtOpenFile
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579800 NtCreateFile
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579B10 NtCreateSection
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579A10 NtOpenKey
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579A50 NtOpenKeyEx
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 5_2_00579910 NtSetInformationFile
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177250 NtOpenKeyEx
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_001772D0 NtCreateMutant
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177350 NtOpenSection
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177110 NtSetInformationFile
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177690 NtMapViewOfSection
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177390 NtDeleteValueKey
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177050 NtOpenFile
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177310 NtCreateSection
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177000 NtCreateFile
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177090 NtQueryAttributesFile
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_001771D0 NtCreateKey
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Code function: 6_2_00177210 NtOpenKey
Creates files inside the system directory
Source: C:\Windows\explorer.exe | File created: C:\Windows\AppPatch\pcamain.sdb
Detected potential crypto function
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01387058
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01389E79
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_013A3064
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_013931E4
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01384D7F
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0139E640
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_013843C7
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01383FAF
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0139EAEE
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01384948
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01394362
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01381595
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_013936E0
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01393F2D
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01393AF8
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0138929D
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_013970A2
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: String function: 01391430 appears 44 times
PE file contains executable resources (Code or Archives)
Source: Xtaqxu6frQ.exe | Static PE information: Resource name: RT_STRING type: ump; Hitachi SH big-endian COFF object, not stripped
Reads the hosts file
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: Xtaqxu6frQ.exe | Binary or memory string: OriginalFilenamefero.exe, vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe | Binary or memory string: OriginalFilenameuser32j% vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe | Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe | Binary or memory string: System.OriginalFileName vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe | Binary or memory string: originalfilename vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs Xtaqxu6frQ.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | File read: C:\Users\user\Desktop\Xtaqxu6frQ.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: AcroRd32.exe | Binary or memory string: Progman
Source: AcroRd32.exe | Binary or memory string: Program Manager
Source: AcroRd32.exe | Binary or memory string: Shell_TrayWnd
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\fire and fury.pdf'
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Process created: C:\Users\user\Desktop\fero.exe 'C:\Users\user\Desktop\fero.exe'
Source: C:\Users\user\Desktop\fero.exe | Process created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01392035 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01391EA3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0139A2D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01392327 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\fero.exe | Memory allocated: page read and write and page guard
Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_desktop_081ed9a3f3f73382.cdf-ms
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_local_temp_c71c0f136cf24ef2.cdf-ms
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\program_files_adobe_reader_11.0_reader_1cc3b67bab52e14c.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\fero.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01391EA3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_013991B4 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0139D230 GetProcessHeap
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0138ECFC SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,SetDlgItemTextW,FindClose,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,SetDlgItemTextW,SetDlgItemTextW
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0139C562 FindFirstFileExA
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01382816 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Contains functionality to query system information
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01390F5F VirtualQuery,GetSystemInfo
Program exit points
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | API call chain: ExitProcess graph end node graph_1-20380
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Window / User API: threadDelayed 10081
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 3944 | Thread sleep count: 10081 > 30
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 2456 | Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4004 | Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4064 | Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4080 | Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4076 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2116 | Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 2408 | Thread sleep time: -922337203685477s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 2156 | Thread sleep time: -922337203685477s >= -60000s
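
The sleep entries above are the report's evidence for timeout evasion: a 10081-iteration sleep loop, 120 s relative delays, and two threads parked on the most negative timeout value. What follows is an added triage example written for this page, not code from the Joe Sandbox report or from the sample; it parses those lines and turns them into a per-process verdict. It assumes, because the report does not say so, that the printed numbers are the relative NtDelayExecution timeouts expressed in milliseconds (negative = relative to now) and that -922337203685477, which equals -(2**63 // 10000), is how an infinite wait is rendered; the 60 s and 30-iteration thresholds are the ones the report itself prints, and the 600 s analysis budget is an arbitrary default.

```python
import re
from dataclasses import dataclass, field

# Sleep lines copied from the sandbox report above, embedded here as the
# example's constructed input (raw form, before any " | " separator was added).
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 3944Thread sleep count: 10081 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 2456Thread sleep time: -120000s >= -60000s",
    r"Source: C:\Windows\explorer.exe TID: 4004Thread sleep time: -120000s >= -60000s",
    r"Source: C:\Windows\explorer.exe TID: 4076Thread sleep time: -60000s >= -60000s",
    r"Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 2408Thread sleep time: -922337203685477s >= -60000s",
]

# Assumption (not stated on the page): the value is the relative LARGE_INTEGER
# handed to NtDelayExecution, printed in milliseconds. -922337203685477 is
# -(2**63 // 10_000), the most negative 100 ns timeout, i.e. an infinite wait.
INFINITE_SENTINEL = -(2**63 // 10_000)

# Thresholds the report itself prints next to each line (">= -60000s", "> 30").
LONG_SLEEP_MS = 60_000
LOOP_THRESHOLD = 30

# "[\s|]*" tolerates both the raw layout and a " | "-separated one.
SLEEP_TIME_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+)[\s|]*Thread sleep time: (?P<ms>-?\d+)s")
SLEEP_COUNT_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+)[\s|]*Thread sleep count: (?P<n>\d+)")


@dataclass
class SleepProfile:
    total_ms: int = 0          # sum of the finite relative delays
    infinite_waits: int = 0    # threads parked forever
    loop_iterations: int = 0   # short-sleep loop iterations reported by the sandbox
    tids: set = field(default_factory=set)


def parse_sleeps(lines):
    """Aggregate per-thread sleep evidence into one SleepProfile per process image."""
    profiles = {}
    for line in lines:
        m = SLEEP_TIME_RE.match(line)
        if m:
            p = profiles.setdefault(m["proc"], SleepProfile())
            p.tids.add(int(m["tid"]))
            ms = int(m["ms"])
            if ms == INFINITE_SENTINEL:
                p.infinite_waits += 1
            else:
                p.total_ms += abs(ms)
            continue
        m = SLEEP_COUNT_RE.match(line)
        if m:
            p = profiles.setdefault(m["proc"], SleepProfile())
            p.tids.add(int(m["tid"]))
            p.loop_iterations += int(m["n"])
    return profiles


def evasion_reasons(profile, analysis_budget_s):
    """Explain why a profile looks like timeout evasion; an empty list means no finding."""
    reasons = []
    if profile.total_ms >= LONG_SLEEP_MS:
        reasons.append(f"sleeps {profile.total_ms // 1000}s in total")
    if profile.total_ms >= analysis_budget_s * 1000:
        reasons.append("sleeps longer than the whole analysis window")
    if profile.infinite_waits:
        reasons.append(f"{profile.infinite_waits} thread(s) wait forever")
    if profile.loop_iterations > LOOP_THRESHOLD:
        reasons.append(f"{profile.loop_iterations} short sleeps in a loop")
    return reasons


def triage(lines, analysis_budget_s=600):
    """Map each process basename to its evasion reasons; clean processes are omitted."""
    findings = {}
    for proc, prof in parse_sleeps(lines).items():
        reasons = evasion_reasons(prof, analysis_budget_s)
        if reasons:
            findings[proc.rsplit("\\", 1)[-1]] = reasons
    return findings


if __name__ == "__main__":
    for proc, reasons in triage(REPORT_LINES).items():
        print(proc, "->", "; ".join(reasons))
```

Note that explorer.exe shows up with its own long sleeps; on its own that only says a thread in Explorer waited, so the verdict is best read together with the injection-related entries elsewhere in the report rather than as an independent finding.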

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Process information set: NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX (88 occurrences)
Source: C:\Users\user\Desktop\fero.exe | Process information set: NOOPENFILEERRORBOX (30 occurrences)
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Process information set: NOOPENFILEERRORBOX (37 occurrences)
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Process information set: NOOPENFILEERRORBOX (40 occurrences)

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the internet feature controls of the internet explorer
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe  Registry value created: HKEY_USERS\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Disables zone checking for all users
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe  Registry value created: HKEY_USERS\Environment SEE_MASK_NOZONECHECKS
Modifies the windows firewall
Source: unknown  Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE
Uses netsh to modify the Windows network and firewall settings
Source: unknown  Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe  Code function: 1_2_0139085C OleInitialize,GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,LoadBitmapW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,CoUninitialize,1_2_0139085C
Contains functionality to query windows version
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe  Code function: 1_2_0138299B GetVersionExW,1_2_0138299B
Queries the cryptographic machine GUID
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe  Code function: GetLocaleInfoW,GetNumberFormatW,1_2_0138DB87
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe  Code function: 1_2_01385C5C cpuid 1_2_01385C5C
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\fero.exe  Queries volume information: C:\Users\user\Desktop\fero.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\chrome64x.exe VolumeInformation (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe  Queries volume information: C:\ VolumeInformation (14 identical entries)

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 485992; Sample: Xtaqxu6frQ; Startdate: 22/01/2018; Architecture: WINDOWS; Score: 84

Signatures attached to the sample node: .NET source code contains potential unpacker; May infect USB drives; Detected TCP or UDP traffic on non-standard ports; 5 other signatures

Process and file relationships recovered from the graph:
  • Xtaqxu6frQ.exe (started from the sample)
    • dropped C:\Users\user\Desktop\fero.exe, PE32
    • fero.exe (started)
      • dropped C:\Users\user\AppData\Local\...\chrome64x.exe, PE32
      • chrome64x.exe (started)
        • contacts fero2003.ddns.net (91.109.180.3, ports 1177, 49194, 49196; IELOIELOMainNetworkFR, France); signature on this connection: Detected TCP or UDP traffic on non-standard ports
        • dropped C:\...\f39b6b3505175465947b62295a9a0ae2.exe, PE32
        • signatures: Disables zone checking for all users; Creates autostart registry keys with suspicious names; Drops PE files to the startup folder
        • netsh.exe (started)
    • AcroRd32.exe (started)
      • AcroRd32.exe (started)
  • AcroRd32.exe (started from the sample)
    • AcroRd32.exe (started)
  • explorer.exe (started from the sample)
    • chrome64x.exe (started)
  • 5 other processes (started from the sample)
    • chrome64x.exe (started)

Simulations

Behavior and APIs

Time      Type             Description
16:19:25  API Interceptor  912x Sleep call for process: AcroRd32.exe modified from: 60000ms to: 5000ms
16:19:41  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2 "C:\Users\user\AppData\Local\Temp\chrome64x.exe" ..
16:19:42  API Interceptor  1x Sleep call for process: netsh.exe modified from: 60000ms to: 5000ms
16:19:42  API Interceptor  14x Sleep call for process: explorer.exe modified from: 60000ms to: 5000ms
16:19:42  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2 "C:\Users\user\AppData\Local\Temp\chrome64x.exe" ..
16:19:42  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
16:19:46  API Interceptor  8x Sleep call for process: chrome64x.exe modified from: 60000ms to: 5000ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot

Startup

  • System is w7_1
  • Xtaqxu6frQ.exe (PID: 3364 cmdline: 'C:\Users\user\Desktop\Xtaqxu6frQ.exe' MD5: 8667949F8FD4CE4DA0424AF4208104E3)
    • AcroRd32.exe (PID: 3384 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\fire and fury.pdf' MD5: 513659580A49DF6A85CDFD869895924A)
      • AcroRd32.exe (PID: 3492 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3384.0.766126944 --type=renderer 'C:\Users\user\Desktop\fire and fury.pdf' MD5: 513659580A49DF6A85CDFD869895924A)
    • fero.exe (PID: 3444 cmdline: 'C:\Users\user\Desktop\fero.exe' MD5: 7B21E7A626736B1BE83D83C89354CD9F)
      • chrome64x.exe (PID: 3880 cmdline: 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' MD5: 7B21E7A626736B1BE83D83C89354CD9F)
        • netsh.exe (PID: 3924 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE MD5: 784A50A6A09C25F011C3143DDD68E729)
  • AcroRd32.exe (PID: 3400 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87 --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f MD5: 513659580A49DF6A85CDFD869895924A)
    • AcroRd32.exe (PID: 3452 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3400.0.2047977454 --type=renderer --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87 MD5: 513659580A49DF6A85CDFD869895924A)
  • explorer.exe (PID: 3960 cmdline: explorer.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' .. MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • explorer.exe (PID: 3976 cmdline: explorer.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' .. MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • explorer.exe (PID: 3996 cmdline: explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • explorer.exe (PID: 4008 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
    • chrome64x.exe (PID: 2100 cmdline: 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' MD5: 7B21E7A626736B1BE83D83C89354CD9F)
  • explorer.exe (PID: 4084 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
    • chrome64x.exe (PID: 2204 cmdline: 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' MD5: 7B21E7A626736B1BE83D83C89354CD9F)
  • explorer.exe (PID: 2108 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages
File Type:SQLite 3.x database
Size (bytes):275456
Entropy (8bit):5.51396000707157
Encrypted:false
MD5:9A1719B8B9124D1FB88F18919CFE24D0
SHA1:B451E22D81FDAA01E0E5A7D9A7C22D5191B48866
SHA-256:5633CA8040D4B2FE5FFA6253A550E109E8D03409B980F34FCAFCBB9522ACF98A
SHA-512:73DEBFC9496F82AA8044CAE4EB86B8D08A3842EA5787395D08EF4F61B10E2C92A4293C7E7EB73FAD0DD63CB4A19FC97017DE9731C211E5EFB2E71AF29017C7F9
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages-journal
File Type:data
Size (bytes):299604
Entropy (8bit):4.925368924476077
Encrypted:false
MD5:3920A1F3127066E9383B63E8D2456A19
SHA1:A334B68EEF4C72C5C44CCE3EA57D1F65DFB11923
SHA-256:3BF591C09A6B75EBA902F2110A1973082FBB8A98997065E3315E741547FBFAAD
SHA-512:D05EC9DCFFFB3FDADBB3971062AA6056FECCE4E41C1FAC439AA62306FC774294024C89B8D77D85C0C6DF1427FDD33E89A77C04148686636EE5A8773608A46EF4
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\assets\assets-180122151957Z-7622
File Type:PNG image, 48 x 48, 8-bit/color RGB, non-interlaced
Size (bytes):19621
Entropy (8bit):3.4270619140689025
Encrypted:false
MD5:05B8C220CF8E3A0E3134C7BB3B046E68
SHA1:193DC539A3129685AB6F6D2453DB5C190A20121D
SHA-256:7C6470568673A4720B73ECB8F583818E1C8ECFBD8A67D047AF4A7D195F7BCEA8
SHA-512:3B5CF094F3D4226A5B8828E89FE87B6079E150BC956F8364218552FEC94126F8B9949D1DAF99EF4B7CBAC5717E9C150F72C6C74403EBCDBF4D111DF61D7CB8A0
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\assets\assets-180122152000Z-7721
File Type:PNG image, 48 x 48, 8-bit/color RGBA, non-interlaced
Size (bytes):1746
Entropy (8bit):7.827504944554236
Encrypted:false
MD5:E661E41C437F9ED6EFFFDF594F7C2F55
SHA1:985955D27FEEDFEC099B636EF6CDFEA06EE16C4F
SHA-256:D1EFE9940F6AA0DDCE0FB19E0CE1B2662E67CACE8F73E6EA7EB44986DC3885B5
SHA-512:B33AADFF6BEC2D89C02C51245CFCE80CE735DE55029D512A62FDCF3735E4626DE9AB3FA5CDFEEBBAF312ED576ECC6FFEC4943A223196321EABDBD12C892657DB
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\assets\assets-180122152004Z-7846
File Type:PNG image, 48 x 48, 8-bit/color RGBA, non-interlaced
Size (bytes):63139
Entropy (8bit):7.123438940701136
Encrypted:false
MD5:2937C71754BDDE5B1A374A8D14C675D6
SHA1:C5C12C5D0C70D13C8113FC084C3F8CBAE47ED0C5
SHA-256:5AE4A147BF8D36FC0C8FC945616475810F1B87E5B8C101D6761A5FE54608F270
SHA-512:C976D5CBEFEDF7953C2E61717ECC0204A6DEFE8F0C9A2011FDC34FB0497EF055891EFDCDF7FF1418668B614C3FB07EBECC950F60BCD6F56BB640B7B6F39F7AE4
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\assets\assets-180122152007Z-7917
File Type:PNG image, 46 x 46, 8-bit/color RGB, non-interlaced
Size (bytes):1908
Entropy (8bit):7.872987835511097
Encrypted:false
MD5:38092712C28F7DF91EC87995CDC50BE5
SHA1:CB295D6B2A79320009C9CAE5C2DA5D67336133E6
SHA-256:7478D978724C4725E17239DA8D19B083C27BF19F544665E89A06CE712EA83E27
SHA-512:2D5C14631C533EA6ABA8AD5FCC934911C9AD6D68B3847585F357D08DDAB89C0B5F120D04B8850FCEF186DEEEFD0F4B3A1123F0B3432385B2F3C1EDD495BE3496
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\assets\assets-180122152010Z-8019
File Type:PNG image, 46 x 46, 8-bit/color RGBA, non-interlaced
Size (bytes):2641
Entropy (8bit):7.64181179619636
Encrypted:false
MD5:16313DAF29CD9D2BE2D74D91E727FB8D
SHA1:3BB694D55613D50D18F9BB2B051FB902B094EC0F
SHA-256:8F00732937D6847368EAE869A8FCD09CAC584EA2D09EFEE4A0754C9F3D773658
SHA-512:627D9A0383C467129A4E09F24F2645C0457C66AC39E66624BF46B886879D8525F241D37786DD7A991F8F229FAFFAAE49504C7C4701C2E0CF286138DFEF2DD694
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E11E75149C17A93653DA7DC0B8CF53F_7AF31CAFD5EA10EF3F1F95E6796CFF64
File Type:data
Size (bytes):471
Entropy (8bit):7.104017636678511
Encrypted:false
MD5:F32F2F56CD1D98BC5327F7FEEAF86DCF
SHA1:5E0BB93E96A7E8D7648FB2B497172D6E7DA53DA6
SHA-256:14FAF58DD15BE2665242281A4966A3A43BE68550995A29F077EAC87FB3C82BA9
SHA-512:74A2C4FFB196A174AEB8C50D381DF78B9453C1975947DB59A2A9C531856404B1DF29FFC7FE8E9F31AD931078116A256DA5DA46D321CBA8CB55DC558955601127
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
File Type:data
Size (bytes):471
Entropy (8bit):7.086398505769453
Encrypted:false
MD5:D7151D85397707C55D75FC6F33F717BD
SHA1:2D464513A675AC0D665B97C5690AD624251C8E77
SHA-256:80A03EEF07ED123E13AD122F52A78EF08E3DCFF7E8568250AEF6F1FE0C98881E
SHA-512:A5F4E7751E901A838CB938AF08F7DBFFF81A0B3A1314D7A3C328FB3C661673F7041003F3C108E7248EEE8913336E713B722A214C77361E6A142E42A37CD78143
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E11E75149C17A93653DA7DC0B8CF53F_7AF31CAFD5EA10EF3F1F95E6796CFF64
File Type:data
Size (bytes):852
Entropy (8bit):3.843441068600754
Encrypted:false
MD5:0AEA02490DE61E9D56098252FB5D6306
SHA1:E139B0C4674BAF7B81F8F53EEC10D7E55478C90B
SHA-256:384871FDEAF723F01291F53C200CBEE9F6B553CC91466F87B178788CF1297A66
SHA-512:0411668309B1BE701393FD6A46D4207512EED4DAB75033C66ACAA9A609F126AA7102B538CFE8230DA8222499CDE79DCEB22B8D70D9B95ABBB2758191E66A127B
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
File Type:data
Size (bytes):340
Entropy (8bit):3.427831827909229
Encrypted:false
MD5:F0CDC54A25866636FA11E1BDD9F698BE
SHA1:A512F6FBFFA83D7F9A093B82C354002A4BD41C28
SHA-256:57695B5F1AF0CCF2C3C700AF92E51B09B610D62EAE71877DFFF1D4E8F2C6B24E
SHA-512:401D7116185F532ED02498A93AC7E41C1DE103A0A485B0B988FA3B526DD86DDE1F0594F235CF7AAF9894387AF11D83599CB8CEF694A94A7D6FB83AF0D87D7517
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
File Type:data
Size (bytes):868
Entropy (8bit):3.8622861135762507
Encrypted:false
MD5:B17359B832DA2CF564CFB0BC82E43D5B
SHA1:E7085032624682EB62F4812CA338A54F2CDEEFF3
SHA-256:E8C6DB5E63F05C6F3C097250C948217D559C33A6FD36343A42AF2080BA30FC5F
SHA-512:EE81B6CAAA475CBB1B3F2BC99FC232E9191C3E9D134BBDE9F371FD00BD3E10BDFC0F4A8F783F7E5A840AE49C86D70E83190DFDC7B053FB9AEDE187FC39278ECA
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Adobe\Acrobat\11.0\UserCache.bin
File Type:data
Size (bytes):224772
Entropy (8bit):6.203353481462018
Encrypted:false
MD5:69617B0F2A64AEC605E9B1BEF6594884
SHA1:5370B9C22FC5CACF2991DD2E7643A806FB269AF3
SHA-256:91D95710DE5E1E7C8F805874334E914D89303924ACC719605236B7FD1539BDE4
SHA-512:EC3628777E72DD5AF84F033BFD0F6D5933682AC7C3A27EE9C69F5EBC30F5E8E37877DD3B9F92B3BE9C0316A9AE16484412D6C9FFF7C7012F9DD296DF05E5129A
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R12d2rj9_1kqau0o_2p0.tmp
File Type:data
Size (bytes):81944
Entropy (8bit):7.9942387161812425
Encrypted:true
MD5:39C9B484F43D03A05D306BC7BCC16654
SHA1:1CB992EAFF6228116E55B858F2ED825B09F2F50B
SHA-256:FA5FDEBE80EC0CE7DC40738B4FD46A9E9B36ECA6A810C523EE6EF3FD40B4179E
SHA-512:9E8F391A40F0A426EA4C60FB1959C83A4ED6E4218034FD4EFCC25D6D27FB8EE33C733BF87FDD7917CC10294E0D2A189B4A3D81F9B49E4C460DAFE294CABE4608
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R15r2iuy_1kqau0e_2p0.tmp
File Type:empty
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
MD5:D41D8CD98F00B204E9800998ECF8427E
SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R17az5fa_1kqau0l_2p0.tmp
File Type:data
Size (bytes):47361
Entropy (8bit):7.987537477130805
Encrypted:false
MD5:F7DE830CD7B8A9F944B5760216FD3C25
SHA1:1B2B250A7DBBB740DB6B84E287ED2B9B97C465A9
SHA-256:312E19D22980B5F62BD814B2381D9E5D41905A49417937E3BB0D9B2D96A8DCC9
SHA-512:A5CE8AED5922005CE3E85CCC2C606730AB05ED059ED66C38F6D5A9617A139F735E9FE9D2ACF4161CB4622F6809D349365F54902559E2EC6717AE70D40F1EEC20
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1i3ad42_1kqau0p_2p0.tmp
File Type:data
Size (bytes):35731
Entropy (8bit):7.987485835859107
Encrypted:false
MD5:60FB8491AA4B141264152614C765D450
SHA1:C33105A5D6BDA4F09BFCD774ADE9A62E77E131EE
SHA-256:3184CA2A7EF723D242309F3770E6F60AC57E436EE3EB2B434112D0DF848E5C60
SHA-512:91C763EB5A58BB3874F007561577DE952DCE918C90828DA7CD8347782B33888E7AA42A3E68E2ED990B9F052A6D6C40C2F525DAA85EDA5E3935D8479445776D76
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1krh4b0_1kqau0q_2p0.tmp
File Type:data
Size (bytes):36990
Entropy (8bit):7.990124535027691
Encrypted:true
MD5:1F4E9AF6A1DE0EA9BC44D58008F192C1
SHA1:5F5BE604C785F3B46EFCDAE8DD923AED8F793BBB
SHA-256:0E07CC568C6A9039584D1F267D6A2EB4CCE1C83E27B79B588BD6406E6EB4772B
SHA-512:C8712F9658A1FEFB3AFD536D9B05BD5FE67B795064A28C97D14C17B27280D4E9CA2F1301B7E2A96DBB914F2F19D3B3642AEA994A07AC0BBB22CE3BF05BAB7B4C
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1t5v5s1_1kqau0i_2p0.tmp
File Type:empty
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
MD5:D41D8CD98F00B204E9800998ECF8427E
SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1uprptu_1kqau0f_2p0.tmp
File Type:empty
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
MD5:D41D8CD98F00B204E9800998ECF8427E
SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R6carik_1kqau0n_2p0.tmp
File Type:data
Size (bytes):38445
Entropy (8bit):7.987468362752603
Encrypted:false
MD5:C2BE4C74C4D98EAC6140ACB383F77D0B
SHA1:A54E90B58DD2463D913142D4D7EC1D038F249C55
SHA-256:D1E10EBE9F745F12C7B29F0A7CA27C576C0BA1E37FDCC19563E822C6692A1D68
SHA-512:A0C3279557019D5F204EA2B77913BB6C2B57ABF667BEEEB9C4F1F42C146653B695BD61699E7B03B2084FE990181C982B6B090ADF37CCBA11218D016F8EB799CA
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rb3lljn_1kqau0j_2p0.tmp
File Type:empty
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
MD5:D41D8CD98F00B204E9800998ECF8427E
SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rj4rpsm_1kqau0m_2p0.tmp
File Type:data
Size (bytes):41629
Entropy (8bit):7.990480697592721
Encrypted:true
MD5:2270AA3192DA68562FDB1E4C468B13DF
SHA1:0EFDAAE1163AF1AC0C61C6E5F92714CDBB03E41A
SHA-256:5C74FEC27DEC1D0FE65987B22D85BA7953E118B34ED48AD59A8000E4D3D4F975
SHA-512:4A9B0559901AB7362B7780542CDAAD4063432D6B598243C40BF6574076B7AA41C8F4B014CC852FEE16EC443FA86493F1844F8D8CBA7F6B9410870824BDF21C85
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Ruhyq59_1kqau0g_2p0.tmp
File Type:empty
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
MD5:D41D8CD98F00B204E9800998ECF8427E
SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rx3vdlk_1kqau0d_2p0.tmp
File Type:empty
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
MD5:D41D8CD98F00B204E9800998ECF8427E
SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rx8kfwv_1kqau0h_2p0.tmp
File Type:empty
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
MD5:D41D8CD98F00B204E9800998ECF8427E
SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP3C6E.tmp
File Type:ASCII text, with no line terminators
Size (bytes):4
Entropy (8bit):1.5
Encrypted:false
MD5:098F6BCD4621D373CADE4E832627B4F6
SHA1:A94A8FE5CCB19BA61C4C0873D391E987982FBBD3
SHA-256:9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
SHA-512:EE26B0DD4AF7E749AA1A8EE3C10AE9923F618980772E473F8819A5D4940E0DB27AC185F8A0E1D5F84F88BC887FD67B143732C304CC5FA9AD8E6F57F50028A8FF
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\chrome64x.exe
File Type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Size (bytes):41984
Entropy (8bit):7.677570317945835
Encrypted:false
MD5:7B21E7A626736B1BE83D83C89354CD9F
SHA1:69037A6B6C23C74E20CAAF50DC4E5987156D1619
SHA-256:4E7C4DFFC84629519C0EF3435BF7698321F1AA5FF594E0D1DA54BC82A5FBB998
SHA-512:D3087ED5255664961F5A7E3556785929563A33960AD926527C47D0DCC08A5C29E51483AFE530C2DA4E414527CFE3259EE329798F569AA7850082F6F2EBF5D785
Malicious:true
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\Annss.dat
File Type:data
Size (bytes):225
Entropy (8bit):6.800773762476679
Encrypted:false
MD5:C50204EA0A9AE54DC1572E64B64D49AE
SHA1:01E7C4A7B0ACFEC15F74614439B5B239567554C1
SHA-256:71843425B15C332547C3FF043C24306CBCFF5685A3791E5E87C1045EB588E2C3
SHA-512:859A49415C6F78250524FB3B6AF29B23FA8CE381FFC1813EC009A2CC8B63209F4EBC4B635508C24A4CBF26B4C7DC3145253611485E3D06F661A2158A4A5055F7
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\Annssi.dat
File Type:data
Size (bytes):777
Entropy (8bit):7.7028827755503375
Encrypted:false
MD5:F350609DFCCAF2EF2F627BB45838E863
SHA1:F27E0F51C8FCCA661311842E038C66604F08D2EC
SHA-256:4489E4FF131E274C6A66E914367F9901EB3AC5C2D90003854271C81E41BFDC24
SHA-512:E1B05C8B4241D94FB19B893F1FF5B28DC5D177D9FFEA2E7A28985EC6AFADDAAAD21C466A03BA3E6F2C12F12E9458459130B24C6A998B63B207838580441016C7
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\Annssk.dat
File Type:data
Size (bytes):264
Entropy (8bit):6.516581040114005
Encrypted:false
MD5:C87A81662485180B2EC0E6CF84A4FF66
SHA1:86CD8581906348BFD3AA94015CB74F1C55699473
SHA-256:737E75BE02753C1EEB6DDC149B6EB695436312241B45192C19F0DE310A12A780
SHA-512:9F7A8FA86429AF1DD9B2206460BE15B8B6B91261D99A62B088D9E087AA8EA0F87A0EE412CE5CBBBD78159BEDB6BA068EE43F7C66EAD7CEF92E619E18C719A55A
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl
File Type:data
Size (bytes):5773
Entropy (8bit):6.775809869730049
Encrypted:false
MD5:77D6FC57F2159C52F41DBC91C235867F
SHA1:6D6570D8E2EF8545C887EC7572F0B94D4E06F11B
SHA-256:92FBC1F3C1E15428BBEB6ADA8F07C7B2F44E0F7C3FBD03E25099B096432D3604
SHA-512:97EA6C6ADCEA97AAAEE67CBAD1BFCB023609704716458974F1CB2126D8E67D50CAA5ADD2E7D406E04F3B4BA6C03213BF94A150AA528E2F53702F4139C2452329
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl
File Type:data
Size (bytes):221704
Entropy (8bit):6.503235457578163
Encrypted:false
MD5:A48B0BFB6EEA74F88AE46BF4325EFFFD
SHA1:955775D63CFC6EADECF91740BFCFF28D5A6DB7DB
SHA-256:C10CEE53C64B91E98D94C2BD1B05EDC939D8C4703193469595A0355B41435720
SHA-512:FC26A032F75A6EBD674DEF30F729BF84DC308C33634F7A3553406F173C124195F0BF5E5FEB668FA240FE37998547BC8FAB8684B0D8273AEDF750A1E1A4136A89
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdr.dat
File Type:data
Size (bytes):1561
Entropy (8bit):7.812599844558225
Encrypted:false
MD5:CDF9B35164100642C42E5E7C5751F6DA
SHA1:657E8316B880356CE1DF8BEBB8637F5F079651A3
SHA-256:BD7F80CB74353F1737B21487DAA34E856470D93D2446BB1A12B62A1961996E4A
SHA-512:47B6965B102C058403D6D2658821372646678125831BA343BEBBC10A396E13781C85F99375CFF802F337BF7212AD12B41F872C37F5E5EB56017E916FCC3F2215
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdri.dat
File Type:data
Size (bytes):4761
Entropy (8bit):7.9614786207275685
Encrypted:false
MD5:19BD6F4C058C115C386C7EDC9C54D9A9
SHA1:74324F2412EC759FB6ABED04E4DFB67B64583C52
SHA-256:67F86658E5DB276E246DD73BD707AD0C8A4277185D7143853680803B5F6D4412
SHA-512:B02FE4D887288AA71149495B0F17A49F5EFD2856A2D8CE6B5B291029DA6338077FD3AFB0B0FA19236818608657779A9769C3A68EDBD232CCCDA2476F29606E0F
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdrk.dat
File Type:data
Size (bytes):264
Entropy (8bit):6.50504550391091
Encrypted:false
MD5:27B6556F8F35CB5C913CE76A734BAE4A
SHA1:E1426024F649D6407A0A8F33B2D1628E374438E2
SHA-256:35894F4FED8FC47803B3075F9211D62A4B324BE34C21BFD26C0DD3CAC057766A
SHA-512:402C6812889E53285026BC238ACDBA29A6520CCFC957B5DE5799B5E6D18001F260AE80F1D3D85B9A149180EC47C23CA28A60DB6502A9536379CD8A220D69B5FC
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
File Type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Size (bytes):41984
Entropy (8bit):7.677570317945835
Encrypted:false
MD5:7B21E7A626736B1BE83D83C89354CD9F
SHA1:69037A6B6C23C74E20CAAF50DC4E5987156D1619
SHA-256:4E7C4DFFC84629519C0EF3435BF7698321F1AA5FF594E0D1DA54BC82A5FBB998
SHA-512:D3087ED5255664961F5A7E3556785929563A33960AD926527C47D0DCC08A5C29E51483AFE530C2DA4E414527CFE3259EE329798F569AA7850082F6F2EBF5D785
Malicious:true
Reputation:low
C:\Users\user\Desktop\fero.exe
File Type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Size (bytes):41984
Entropy (8bit):7.677570317945835
Encrypted:false
MD5:7B21E7A626736B1BE83D83C89354CD9F
SHA1:69037A6B6C23C74E20CAAF50DC4E5987156D1619
SHA-256:4E7C4DFFC84629519C0EF3435BF7698321F1AA5FF594E0D1DA54BC82A5FBB998
SHA-512:D3087ED5255664961F5A7E3556785929563A33960AD926527C47D0DCC08A5C29E51483AFE530C2DA4E414527CFE3259EE329798F569AA7850082F6F2EBF5D785
Malicious:true
Reputation:low
C:\Users\user\Desktop\fire and fury.pdf
File Type:PDF document, version 1.4
Size (bytes):1749248
Entropy (8bit):7.669446704421918
Encrypted:false
MD5:2DAA2388D09025790CCAFBF44A3DB342
SHA1:BB51B60859DEFA152895FFF4AFAA8D7D3848C904
SHA-256:056B387D0CDBF26563CCBD1A3D93E9E159CBE5C31D4836E0A2C869D6B135F48B
SHA-512:B8A1F1A5AA5DCBC80ACBD9EFC8601042DE12CC84D68498117A2685E1F1F1D0F611AB47732394A3B6B1B5604538CDCCBBC79F8C63C47B4C02E589AFA391117AF5
Malicious:false
Reputation:low
\AIPC_SRV\broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f
File Type:data
Size (bytes):1036
Entropy (8bit):0.0
Encrypted:false
MD5:227FD460860A3AD1FD2B245793C07F95
SHA1:71D8DA21D4BB33F4CC32B70B174815E40EDA657E
SHA-256:693195CF289838146418E1BD05FD1A482C36FF75A77874609D615247285D5B99
SHA-512:CE035DBE02B8E15091F7FEE997A823DC4A0EF12C14E4F7D8441B9D3D9878BD17036DB61E24D4E67DB2A6E1F8B50168F6F03311B19713C688691CE4298B1DEB2C
Malicious:false
Reputation:low
\AIPC_SRV\pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87
File Type:DBase 3 index file
Size (bytes):5180
Entropy (8bit):0.028344400812028762
Encrypted:false
MD5:92A7382B3E374CB648E385728F621C1C
SHA1:C7F57101AC231C5C150A05A384D22527E72BEF58
SHA-256:0655C270A76DB40F9232C210CE4BFDFB9A4E15F77170020C0DAA3E27D53EFB03
SHA-512:F7BF1C57059F08D4A409EA14007CF0C754448566FC272292659E28B84A5E28055122B95BCD70873C449DAF16EB6FE2151DE4B8EDEF08B73BD3DE38439A2B3ED8
Malicious:false
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

Name               IP            Active  Malicious  Antivirus Detection
fero2003.ddns.net  91.109.180.3  true    true

Contacted IPs

IP            Country  ASN    ASN Name               Malicious
91.109.180.3  France   29075  IELOIELOMainNetworkFR  true

Static File Info

General

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):7.930055152676681
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Java Script embedded in Visual Basic Script (1500/0) 0.01%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Xtaqxu6frQ.exe
File size:1571773
MD5:8667949f8fd4ce4da0424af4208104e3
SHA1:13da85ad0e6aa4ba9b484d0daf743996e60d73e5
SHA256:2063aead8dce54294989992a9c0d1a88e22f0ef9aa06886e5f8e9eda2e0db94c
SHA512:008c2a54c776296b04f781f577752376e1484ae98facdd5a50adba7ff02517d5185574b950eb871f579785ca41736eca4722fa7189dfbdfcdd8bcb0292d30330
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........[e..[e..[e....+.Ve....)..e....(.Ce..`;..Le..`;..He..`;..re..R.Y.Qe..R.I.Xe..[e...e...;..~e...;..Ze...;%.Ze...;..Ze..Rich[e.

File Icon

Static PE Info

General

Entrypoint:0x411cd9
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x598DB703 [Fri Aug 11 13:54:11 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:49091c5c46d1ed156931ed11f43d3afa

Entrypoint Preview

Instruction
call 0F0979ABh
jmp 0F097353h
cmp ecx, dword ptr [0042D0A8h]
jne 0F0974C5h
ret
jmp 0F097B21h
jmp 0F09BEACh
push ebp
mov ebp, esp
and dword ptr [0045CE88h], 00000000h
sub esp, 28h
push ebx
xor ebx, ebx
inc ebx
or dword ptr [0042D0ACh], ebx
push 0000000Ah
call 0F0A8E10h
test eax, eax
je 0F097633h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
or dword ptr [0042D0ACh], 02h
xor ecx, ecx
push esi
push edi
mov dword ptr [0045CE88h], ebx
lea edi, dword ptr [ebp-28h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-28h]
mov ecx, dword ptr [ebp-1Ch]
mov dword ptr [ebp-08h], eax
xor ecx, 49656E69h
mov eax, dword ptr [ebp-20h]
xor eax, 6C65746Eh
or ecx, eax
mov eax, dword ptr [ebp-24h]
push 00000001h
xor eax, 756E6547h
or ecx, eax
pop eax
push 00000000h
pop ecx
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
mov dword ptr [edi+0Ch], edx
jne 0F097505h
mov eax, dword ptr [ebp-28h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 0F0974E5h
cmp eax, 00020660h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2c370 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c3a4 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5f000 | 0x5928 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x65000 | 0x2478 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2abc0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x255e8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x24000 | 0x1d8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2ba4c | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x22cf7 | 0x22e00 | False | 0.585909498208 | data | 6.67042517033 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x24000 | 0x8e34 | 0x9000 | False | 0.456488715278 | data | 5.09483813096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2d000 | 0x30898 | 0xc00 | False | 0.223307291667 | DOS executable (device driver) | 2.68733859147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids | 0x5e000 | 0xf4 | 0x200 | False | 0.345703125 | data | 2.13092623588 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x5f000 | 0x5928 | 0x5a00 | False | 0.264453125 | data | 4.86163071041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x65000 | 0x2478 | 0x2600 | False | 0.771689967105 | data | 6.63273168643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x5f4ec | 0xbb6 | data | English | United States
RT_ICON | 0x600a4 | 0x25a8 | data | |
RT_DIALOG | 0x6264c | 0x286 | data | English | United States
RT_DIALOG | 0x628d4 | 0x13a | data | English | United States
RT_DIALOG | 0x62a10 | 0xec | data | English | United States
RT_DIALOG | 0x62afc | 0x12e | data | English | United States
RT_DIALOG | 0x62c2c | 0x338 | data | English | United States
RT_DIALOG | 0x62f64 | 0x252 | data | English | United States
RT_STRING | 0x631b8 | 0x1e2 | data | English | United States
RT_STRING | 0x6339c | 0x1cc | data | English | United States
RT_STRING | 0x63568 | 0x1ee | data | English | United States
RT_STRING | 0x63758 | 0x146 | Hitachi SH big-endian COFF object, not stripped | English | United States
RT_STRING | 0x638a0 | 0x446 | data | English | United States
RT_STRING | 0x63ce8 | 0x166 | data | English | United States
RT_STRING | 0x63e50 | 0x120 | data | English | United States
RT_STRING | 0x63f70 | 0xba | data | English | United States
RT_STRING | 0x6402c | 0xbc | data | English | United States
RT_STRING | 0x640e8 | 0xd6 | data | English | United States
RT_GROUP_ICON | 0x641c0 | 0x14 | MS Windows icon resource - 1 icon | |
RT_MANIFEST | 0x641d4 | 0x753 | XML document text | English | United States

Imports

DLL | Import
KERNEL32.dll | GetLastError, SetLastError, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, SetCurrentDirectoryW, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwind, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize, GetConsoleCP, GetConsoleMode, SetFilePointerEx, DecodePointer

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 22, 2018 16:21:13.164092064 MEZ53644058.8.8.8192.168.1.16
Jan 22, 2018 16:21:16.574419975 MEZ5221653192.168.1.168.8.8.8
Jan 22, 2018 16:21:17.082206011 MEZ53522168.8.8.8192.168.1.16
Jan 22, 2018 16:21:20.380563021 MEZ5062153192.168.1.168.8.8.8
Jan 22, 2018 16:21:20.835339069 MEZ53506218.8.8.8192.168.1.16
Jan 22, 2018 16:21:24.195108891 MEZ5463953192.168.1.168.8.8.8
Jan 22, 2018 16:21:24.875320911 MEZ53546398.8.8.8192.168.1.16
Jan 22, 2018 16:21:28.206088066 MEZ6054353192.168.1.168.8.8.8
Jan 22, 2018 16:21:28.757571936 MEZ53605438.8.8.8192.168.1.16
Jan 22, 2018 16:21:32.490860939 MEZ6325053192.168.1.168.8.8.8
Jan 22, 2018 16:21:33.150305033 MEZ53632508.8.8.8192.168.1.16
Jan 22, 2018 16:21:36.542354107 MEZ5194553192.168.1.168.8.8.8
Jan 22, 2018 16:21:37.529562950 MEZ5194553192.168.1.168.8.8.8
Jan 22, 2018 16:21:37.770493984 MEZ53519458.8.8.8192.168.1.16
Jan 22, 2018 16:21:38.257061958 MEZ53519458.8.8.8192.168.1.16

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 22, 2018 16:19:53.508177996 MEZ | 192.168.1.16 | 8.8.8.8 | 0x3b85 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:19:54.935075045 MEZ | 192.168.1.16 | 8.8.8.8 | 0x3b85 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:00.068747044 MEZ | 192.168.1.16 | 8.8.8.8 | 0xc700 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:05.116087914 MEZ | 192.168.1.16 | 8.8.8.8 | 0xaeb7 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:15.522732019 MEZ | 192.168.1.16 | 8.8.8.8 | 0xac17 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:16.524866104 MEZ | 192.168.1.16 | 8.8.8.8 | 0xac17 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:20.947556973 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe31f | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:21.935591936 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe31f | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:27.626931906 MEZ | 192.168.1.16 | 8.8.8.8 | 0x667c | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:28.623389006 MEZ | 192.168.1.16 | 8.8.8.8 | 0x667c | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:32.969949961 MEZ | 192.168.1.16 | 8.8.8.8 | 0xfff4 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:33.968871117 MEZ | 192.168.1.16 | 8.8.8.8 | 0xfff4 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:37.809236050 MEZ | 192.168.1.16 | 8.8.8.8 | 0x4c47 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:41.757275105 MEZ | 192.168.1.16 | 8.8.8.8 | 0xa1b6 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:45.888643980 MEZ | 192.168.1.16 | 8.8.8.8 | 0x464d | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:50.183756113 MEZ | 192.168.1.16 | 8.8.8.8 | 0x610 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:51.178338051 MEZ | 192.168.1.16 | 8.8.8.8 | 0x610 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:55.482316971 MEZ | 192.168.1.16 | 8.8.8.8 | 0x93a4 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:59.389902115 MEZ | 192.168.1.16 | 8.8.8.8 | 0x72ce | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:03.837326050 MEZ | 192.168.1.16 | 8.8.8.8 | 0xa3fc | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:08.137975931 MEZ | 192.168.1.16 | 8.8.8.8 | 0xf823 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:12.549381971 MEZ | 192.168.1.16 | 8.8.8.8 | 0x97a3 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:16.574419975 MEZ | 192.168.1.16 | 8.8.8.8 | 0x309f | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:20.380563021 MEZ | 192.168.1.16 | 8.8.8.8 | 0x2b9c | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:24.195108891 MEZ | 192.168.1.16 | 8.8.8.8 | 0xb2cb | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:28.206088066 MEZ | 192.168.1.16 | 8.8.8.8 | 0x5117 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:32.490860939 MEZ | 192.168.1.16 | 8.8.8.8 | 0xc38 | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:36.542354107 MEZ | 192.168.1.16 | 8.8.8.8 | 0xeb3e | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:37.529562950 MEZ | 192.168.1.16 | 8.8.8.8 | 0xeb3e | Standard query (0) | fero2003.ddns.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 22, 2018 16:19:55.101059914 MEZ | 8.8.8.8 | 192.168.1.16 | 0x3b85 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:19:57.044390917 MEZ | 8.8.8.8 | 192.168.1.16 | 0x3b85 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:01.009901047 MEZ | 8.8.8.8 | 192.168.1.16 | 0xc700 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:05.766006947 MEZ | 8.8.8.8 | 192.168.1.16 | 0xaeb7 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:16.865808964 MEZ | 8.8.8.8 | 192.168.1.16 | 0xac17 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:17.130065918 MEZ | 8.8.8.8 | 192.168.1.16 | 0xac17 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:22.061058044 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe31f | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:23.805666924 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe31f | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:29.026304960 MEZ | 8.8.8.8 | 192.168.1.16 | 0x667c | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:29.339533091 MEZ | 8.8.8.8 | 192.168.1.16 | 0x667c | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:34.091754913 MEZ | 8.8.8.8 | 192.168.1.16 | 0xfff4 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:34.426896095 MEZ | 8.8.8.8 | 192.168.1.16 | 0xfff4 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:38.533780098 MEZ | 8.8.8.8 | 192.168.1.16 | 0x4c47 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:42.528963089 MEZ | 8.8.8.8 | 192.168.1.16 | 0xa1b6 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:46.596225023 MEZ | 8.8.8.8 | 192.168.1.16 | 0x464d | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:51.345077038 MEZ | 8.8.8.8 | 192.168.1.16 | 0x610 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:51.862507105 MEZ | 8.8.8.8 | 192.168.1.16 | 0x610 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:20:56.415262938 MEZ | 8.8.8.8 | 192.168.1.16 | 0x93a4 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:00.151971102 MEZ | 8.8.8.8 | 192.168.1.16 | 0x72ce | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:04.635679960 MEZ | 8.8.8.8 | 192.168.1.16 | 0xa3fc | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:08.547743082 MEZ | 8.8.8.8 | 192.168.1.16 | 0xf823 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:13.164092064 MEZ | 8.8.8.8 | 192.168.1.16 | 0x97a3 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:17.082206011 MEZ | 8.8.8.8 | 192.168.1.16 | 0x309f | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:20.835339069 MEZ | 8.8.8.8 | 192.168.1.16 | 0x2b9c | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:24.875320911 MEZ | 8.8.8.8 | 192.168.1.16 | 0xb2cb | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:28.757571936 MEZ | 8.8.8.8 | 192.168.1.16 | 0x5117 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:33.150305033 MEZ | 8.8.8.8 | 192.168.1.16 | 0xc38 | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:37.770493984 MEZ | 8.8.8.8 | 192.168.1.16 | 0xeb3e | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)
Jan 22, 2018 16:21:38.257061958 MEZ | 8.8.8.8 | 192.168.1.16 | 0xeb3e | No error (0) | fero2003.ddns.net | | 91.109.180.3 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior are per-process charts in the interactive report and are not reproduced in this text version.

System Behavior

General

Start time:16:19:20
Start date:22/01/2018
Path:C:\Users\user\Desktop\Xtaqxu6frQ.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\Xtaqxu6frQ.exe'
Imagebase:0x77390000
File size:1571773 bytes
MD5 hash:8667949F8FD4CE4DA0424AF4208104E3
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:21
Start date:22/01/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\fire and fury.pdf'
Imagebase:0x752f0000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:21
Start date:22/01/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87 --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f
Imagebase:0x77390000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:21
Start date:22/01/2018
Path:C:\Users\user\Desktop\fero.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\fero.exe'
Imagebase:0x77390000
File size:41984 bytes
MD5 hash:7B21E7A626736B1BE83D83C89354CD9F
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:16:19:21
Start date:22/01/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3400.0.2047977454 --type=renderer --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87
Imagebase:0x77390000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:21
Start date:22/01/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3384.0.766126944 --type=renderer 'C:\Users\user\Desktop\fire and fury.pdf'
Imagebase:0x6a320000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:33
Start date:22/01/2018
Path:C:\Users\user\AppData\Local\Temp\chrome64x.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Imagebase:0x77390000
File size:41984 bytes
MD5 hash:7B21E7A626736B1BE83D83C89354CD9F
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:16:19:40
Start date:22/01/2018
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE
Imagebase:0x77390000
File size:96256 bytes
MD5 hash:784A50A6A09C25F011C3143DDD68E729
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:41
Start date:22/01/2018
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:explorer.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' ..
Imagebase:0x77390000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:41
Start date:22/01/2018
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:explorer.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' ..
Imagebase:0x77390000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:42
Start date:22/01/2018
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
Imagebase:0x75440000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:42
Start date:22/01/2018
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:0x77390000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:42
Start date:22/01/2018
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:0x74220000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:43
Start date:22/01/2018
Path:C:\Users\user\AppData\Local\Temp\chrome64x.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Imagebase:0x76fc0000
File size:41984 bytes
MD5 hash:7B21E7A626736B1BE83D83C89354CD9F
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:16:19:43
Start date:22/01/2018
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:0x77390000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:19:43
Start date:22/01/2018
Path:C:\Users\user\AppData\Local\Temp\chrome64x.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Imagebase:0x77390000
File size:41984 bytes
MD5 hash:7B21E7A626736B1BE83D83C89354CD9F
Programmed in:.Net C# or VB.NET
Reputation:low
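Read together, the process records above carry the whole infection chain in plain text: the sample runs from the Desktop, a 41984-byte .NET binary fero.exe appears beside it, the same MD5 (7B21E7A626736B1BE83D83C89354CD9F) reappears as chrome64x.exe in %TEMP%, netsh.exe whitelists that copy in the Windows Firewall, and explorer.exe launches a file from the user's Startup folder. The script below is an added example, not part of the Joe Sandbox report: it parses six of those records, trimmed to the four fields it reads, and raises the findings an analyst would otherwise pull out by hand. The directory list, the netsh pattern and the finding names are assumptions of this example.

```python
"""Triage of Joe Sandbox 'General' process records (added example, not from the report)."""
import re
from collections import defaultdict

# Six of the process records above, trimmed to the four fields this script reads
# (one key:value per line, blank line between records; raw string keeps the backslashes).
PROCESS_RECORDS = r"""
Start time:16:19:20
Path:C:\Users\user\Desktop\Xtaqxu6frQ.exe
Commandline:'C:\Users\user\Desktop\Xtaqxu6frQ.exe'
MD5 hash:8667949F8FD4CE4DA0424AF4208104E3

Start time:16:19:21
Path:C:\Users\user\Desktop\fero.exe
Commandline:'C:\Users\user\Desktop\fero.exe'
MD5 hash:7B21E7A626736B1BE83D83C89354CD9F

Start time:16:19:33
Path:C:\Users\user\AppData\Local\Temp\chrome64x.exe
Commandline:'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
MD5 hash:7B21E7A626736B1BE83D83C89354CD9F

Start time:16:19:40
Path:C:\Windows\System32\netsh.exe
Commandline:netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE
MD5 hash:784A50A6A09C25F011C3143DDD68E729

Start time:16:19:42
Path:C:\Windows\explorer.exe
Commandline:explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935

Start time:16:19:43
Path:C:\Users\user\AppData\Local\Temp\chrome64x.exe
Commandline:'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
MD5 hash:7B21E7A626736B1BE83D83C89354CD9F
"""

# Assumed rules. The Desktop is left out on purpose: the sandbox places the sample there.
USER_WRITABLE_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata")
STARTUP_FOLDER = r"\start menu\programs\startup"
NETSH_FIREWALL_RE = re.compile(
    r"\bnetsh\b.*\bfirewall\b.*\badd\b.*\b(allowedprogram|rule)\b", re.IGNORECASE)


def parse_records(text):
    """Split the key:value blocks into dicts. Only the first ':' separates key
    from value, so the drive letter in 'C:\\...' stays inside the value."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def triage(records):
    """Return a sorted, de-duplicated list of (finding, detail) tuples."""
    findings = set()
    paths_by_md5 = defaultdict(set)
    for r in records:
        paths_by_md5[r["MD5 hash"]].add(r["Path"])
        path, cmd = r["Path"], r["Commandline"]
        if NETSH_FIREWALL_RE.search(cmd):
            findings.add(("firewall_exception", cmd))
        if STARTUP_FOLDER in cmd.lower():
            findings.add(("startup_folder_launch", cmd))
        if any(d in path.lower() for d in USER_WRITABLE_DIRS):
            findings.add(("exec_from_user_writable_dir", path))
    # the same binary under two names (fero.exe copied to %TEMP% as chrome64x.exe)
    for md5, paths in paths_by_md5.items():
        if len(paths) > 1:
            findings.add(("same_hash_under_different_names", md5 + ": " + ", ".join(sorted(paths))))
    return sorted(findings)


def triage_report(text=PROCESS_RECORDS):
    return triage(parse_records(text))


if __name__ == "__main__":
    for kind, detail in triage_report():
        print(f"[{kind}] {detail}")
```

The hash-based check is the one worth keeping in mind: the report lists fero.exe and chrome64x.exe as separate processes, and only the shared MD5 ties the Desktop drop to the %TEMP% copy that the firewall exception and the Startup entry then protect. The records carry no parent process, so the chain is inferred from timing and content, not from a process tree.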

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:7.9%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:3.2%
    Total number of Nodes:2000
    Total number of Limit Nodes:29

    Graph

    Execution graph edge list (node addresses in the 0x138xxxx to 0x13axxxx range, with API-call counts per edge) not reproduced in this text version. Win32 APIs reached in the graph: GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, GetStringTypeW, LCMapStringW, LCMapStringEx, EnterCriticalSection, LeaveCriticalSection, GetLastError, SetLastError, IsProcessorFeaturePresent, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary, LoadStringW, SetDlgItemTextW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW. The remaining named nodes (__freea, __Stoull, ___std_exception_copy, __CreateFrameInfo, _GetRangeOfTrysToCheck, FindHandler, __startOneArgErrorHandling, ___scrt_get_show_window_mode, _strlen, _wcschr, _wcsrchr) are MSVC C runtime and exception-handling helpers rather than sample-specific logic.
18486 139b553 18483->18486 18487 139a49f ___std_exception_copy 26 API calls 18484->18487 18485->18482 18489 139b564 18485->18489 18488 139a49f ___std_exception_copy 26 API calls 18486->18488 18503 13974cd 18487->18503 18488->18503 18490 139b5c0 18489->18490 18492 139b59e 18489->18492 18491 139b5de 18490->18491 18493 139b5e3 18490->18493 18495 139b63d 18491->18495 18496 139b607 18491->18496 18521 139b3e8 18492->18521 18531 139acd3 18493->18531 18559 139afd6 18495->18559 18497 139b60c 18496->18497 18498 139b625 18496->18498 18542 139b320 18497->18542 18552 139b1bc 18498->18552 18503->18446 18504 1396cac 18503->18504 18643 1398004 18504->18643 18506 1396cd2 18508 1398004 47 API calls 18506->18508 18509 1396cbe 18509->18506 18647 139a51a 18509->18647 18512 139a225 18511->18512 18515 139a1f5 __CreateFrameInfo 18511->18515 18513 139a5c0 __freea 20 API calls 18512->18513 18516 13968d4 18513->18516 18514 139a210 RtlAllocateHeap 18514->18515 18514->18516 18515->18512 18515->18514 18517 1399d57 __CreateFrameInfo 7 API calls 18515->18517 18516->18478 18518 1396bfd 18516->18518 18517->18515 18519 139a1ad __freea 20 API calls 18518->18519 18520 1396c0c 18519->18520 18520->18478 18522 139b40e 18521->18522 18523 139b423 18521->18523 18524 1391ce3 __startOneArgErrorHandling 5 API calls 18522->18524 18566 139a153 18523->18566 18525 139b41f 18524->18525 18525->18503 18528 139b4d3 18529 139a4af ___std_exception_copy 11 API calls 18528->18529 18532 139ace7 18531->18532 18533 1396b60 __Stoull 38 API calls 18532->18533 18534 139acf9 18533->18534 18535 139ad01 18534->18535 18536 139ad15 18534->18536 18537 139a5c0 __freea 20 API calls 18535->18537 18539 139afd6 40 API calls 18536->18539 18541 139ad10 _strrchr __alldvrm ___scrt_get_show_window_mode 18536->18541 18538 139ad06 18537->18538 18539->18541 18541->18503 18575 139eaee 18542->18575 18553 139eaee 28 API calls 18552->18553 18554 139b1e9 18553->18554 18555 139e54b 26 API calls 18554->18555 18556 139b221 18555->18556 18560 139eaee 28 
API calls 18559->18560 18561 139affe 18560->18561 18562 139e54b 26 API calls 18561->18562 18563 139b043 18562->18563 18564 139b04a 18563->18564 18565 139b071 38 API calls 18563->18565 18564->18503 18565->18564 18567 139a160 18566->18567 18568 139a16e 18566->18568 18567->18568 18573 139a185 18567->18573 18569 139a5c0 __freea 20 API calls 18568->18569 18570 139a176 18569->18570 18571 139a49f ___std_exception_copy 26 API calls 18570->18571 18572 139a180 18571->18572 18572->18522 18572->18528 18573->18572 18574 139a5c0 __freea 20 API calls 18573->18574 18574->18570 18576 139eb23 18575->18576 18580 139eb5f 18576->18580 18585 139ebb2 18576->18585 18577 139a153 ___std_exception_copy 26 API calls 18580->18577 18587 13a0ad0 22 API calls 18585->18587 18644 1398012 18643->18644 18645 139801c 18643->18645 18652 1397fd0 18644->18652 18645->18509 18648 139a528 18647->18648 18649 139a536 18647->18649 18649->18509 18653 1397def 47 API calls 18652->18653 18654 1397fe5 18653->18654 18654->18645 18660 13868fc 18663 139069d 18660->18663 18668 138577a 18663->18668 18665 13906b4 SendDlgItemMessageW 18666 138e1b3 4 API calls 18665->18666 18667 138691c 18666->18667 18669 1385788 18668->18669 18669->18665 18875 138e35c 18876 138e366 __EH_prolog 18875->18876 19031 1381170 18876->19031 18879 138ea1c 18881 138ea34 SendMessageW 18879->18881 18882 138ea42 18879->18882 18880 138e3a8 18883 138e41e 18880->18883 18884 138e3b5 18880->18884 18941 138e394 18880->18941 18881->18882 18885 138ea4b SendDlgItemMessageW 18882->18885 18886 138ea5c 18882->18886 18887 138e4b0 GetDlgItemTextW 18883->18887 18888 138e42b 18883->18888 18891 138e3ba 18884->18891 18898 138e3f1 18884->18898 18885->18886 19106 1390075 18886->19106 18893 138e4e7 18887->18893 18887->18898 18890 1383f1e 55 API calls 18888->18890 18895 138e44d SetDlgItemTextW 18890->18895 18896 1383f1e 55 API calls 18891->18896 18891->18941 18894 138e4ff GetDlgItem 18893->18894 19029 138e4f0 18893->19029 18900 138e539 SetFocus 18894->18900 18901 138e513 
SendMessageW SendMessageW 18894->18901 18908 138e45b 18895->18908 18902 138e3d4 18896->18902 18899 138e412 EndDialog 18898->18899 18898->18941 18899->18941 18906 138e549 18900->18906 18918 138e555 18900->18918 18901->18900 19153 13810b0 SHGetMalloc 18902->19153 18903 138ea94 GetDlgItem 18904 138eaad 18903->18904 18905 138eab3 SetWindowTextW 18903->18905 18904->18905 19125 138d917 GetClassNameW 18905->19125 18910 1383f1e 55 API calls 18906->18910 18909 138e468 GetMessageW 18908->18909 18923 138e48e TranslateMessage DispatchMessageW 18908->18923 18908->18941 18909->18908 18909->18941 18935 138e553 18910->18935 18913 138e9bc 18915 1383f1e 55 API calls 18913->18915 18919 138e9cc SetDlgItemTextW 18915->18919 18916 138e3df SetDlgItemTextW 18916->18941 18924 1383f1e 55 API calls 18918->18924 18922 138e9e0 18919->18922 18926 1383f1e 55 API calls 18922->18926 18923->18908 18927 138e587 18924->18927 18925 138f208 91 API calls 18928 138eaf4 18925->18928 18931 138ea09 18926->18931 18933 138364a 52 API calls 18927->18933 18932 138eb24 18928->18932 18934 1383f1e 55 API calls 18928->18934 18930 138e5aa 19049 1382265 18930->19049 18936 1383f1e 55 API calls 18931->18936 18938 138f208 91 API calls 18932->18938 18986 138ebc5 18932->18986 18933->18935 18940 138eb07 SetDlgItemTextW 18934->18940 19041 138fed1 GetDlgItem 18935->19041 18936->18941 18937 138ec6f 18946 138ec81 18937->18946 18947 138ec78 EnableWindow 18937->18947 18945 138eb3f 18938->18945 18942 1383f1e 55 API calls 18940->18942 18949 138eb1b SetDlgItemTextW 18942->18949 18943 138e5e6 19055 138d972 SetCurrentDirectoryW 18943->19055 18944 138e5df GetLastError 18944->18943 18948 138eb76 18945->18948 18954 138eb51 18945->18954 18950 138ec9e 18946->18950 19173 138112d GetDlgItem EnableWindow 18946->19173 18947->18946 18953 138ebb8 18948->18953 18970 138eb96 DialogBoxParamW 18948->18970 18949->18932 18952 138ecc5 18950->18952 18963 138ecbd SendMessageW 18950->18963 18952->18941 18964 1383f1e 55 API calls 18952->18964 18958 
138f208 91 API calls 18953->18958 19162 138d0d1 ShowWindow 18954->19162 18955 138e5fc 18959 138e60f 18955->18959 18960 138e605 GetLastError 18955->18960 18957 138ec94 19174 138112d GetDlgItem EnableWindow 18957->19174 18958->18986 18969 138e69a 18959->18969 18971 138e627 GetTickCount 18959->18971 19007 138e68a 18959->19007 18960->18959 18963->18952 18966 138ecde SetDlgItemTextW 18964->18966 18965 138ec4d 18972 138d0d1 6 API calls 18965->18972 18966->18941 18967 138eb6a 18967->18948 18968 138e8bf 19071 138114b GetDlgItem ShowWindow 18968->19071 18974 138e6b2 GetModuleFileNameW 18969->18974 18975 138e85a 18969->18975 18970->18898 18970->18953 18976 138364a 52 API calls 18971->18976 18978 138ec6c 18972->18978 18973 1383f1e 55 API calls 18973->18986 19155 1384b74 18974->19155 18975->18898 18982 1383f1e 55 API calls 18975->18982 18988 138e644 18976->18988 18978->18937 18979 138e8cf 19072 138114b GetDlgItem ShowWindow 18979->19072 18987 138e86e 18982->18987 18984 138364a 52 API calls 18990 138e705 CreateFileMappingW 18984->18990 18985 138e8d9 18989 1383f1e 55 API calls 18985->18989 18986->18937 18986->18965 18986->18973 18991 138364a 52 API calls 18987->18991 19056 1381af5 18988->19056 18993 138e8e3 SetDlgItemTextW 18989->18993 18995 138e763 GetCommandLineW 18990->18995 19021 138e7c9 18990->19021 19001 138e88c 18991->19001 19073 138114b GetDlgItem ShowWindow 18993->19073 18994 138e66a 18998 138e671 GetLastError 18994->18998 19004 138e678 18994->19004 18999 138e774 18995->18999 18997 138e7d4 ShellExecuteExW 19005 138e7f1 18997->19005 18998->19004 19159 138e079 SHGetMalloc 18999->19159 19000 138e8f7 SetDlgItemTextW GetDlgItem 19009 138e910 GetWindowLongW SetWindowLongW 19000->19009 19010 138e928 19000->19010 19006 1383f1e 55 API calls 19001->19006 19064 1381a04 19004->19064 19024 138e820 Sleep 19005->19024 19025 138e834 19005->19025 19006->18898 19007->18968 19007->18969 19009->19010 19074 138f208 19010->19074 19011 138e079 SHGetMalloc 19014 138e79c 19011->19014 19015 
138e079 SHGetMalloc 19014->19015 19017 138e7a8 MapViewOfFile 19015->19017 19016 138f208 91 API calls 19018 138e944 19016->19018 19017->19021 19098 139040d 19018->19098 19019 138e84a UnmapViewOfFile CloseHandle 19019->18975 19021->18997 19024->19005 19024->19025 19025->18975 19025->19019 19029->18898 19029->18913 19032 13811d2 19031->19032 19034 1381179 19031->19034 19193 1383c8c 19032->19193 19035 13811df 19034->19035 19175 1383cb3 19034->19175 19035->18879 19035->18880 19035->18941 19038 13811ae GetDlgItem 19038->19035 19039 13811be 19038->19039 19039->19035 19040 13811c4 SetWindowTextW 19039->19040 19040->19035 19042 138ff2d SendMessageW SendMessageW 19041->19042 19045 138fefd 19041->19045 19043 138ff84 SendMessageW SendMessageW SendMessageW 19042->19043 19044 138ff65 19042->19044 19047 138ffaf SendMessageW 19043->19047 19048 138ffce SendMessageW 19043->19048 19044->19043 19046 138ff08 ShowWindow SendMessageW SendMessageW 19045->19046 19046->19042 19047->19048 19048->18930 19053 138226f 19049->19053 19050 1382300 19051 1382329 19050->19051 19199 138242c 19050->19199 19051->18943 19051->18944 19053->19050 19053->19051 19054 138242c 9 API calls 19053->19054 19054->19053 19055->18955 19057 1381aff 19056->19057 19058 1381b69 CreateFileW 19057->19058 19059 1381b5d 19057->19059 19058->19059 19060 1383201 2 API calls 19059->19060 19061 1381bbb 19059->19061 19062 1381ba2 19060->19062 19061->18994 19062->19061 19063 1381ba6 CreateFileW 19062->19063 19063->19061 19065 1381a28 19064->19065 19070 1381a39 19064->19070 19066 1381a3b 19065->19066 19067 1381a34 19065->19067 19065->19070 19260 1381aa7 19066->19260 19253 1381bee 19067->19253 19070->19007 19071->18979 19072->18985 19073->19000 19075 138f212 __EH_prolog 19074->19075 19081 138e936 19075->19081 19335 138df81 19075->19335 19078 138df81 ExpandEnvironmentStringsW 19089 138f249 _wcslen _wcsrchr 19078->19089 19079 138f549 SetWindowTextW 19079->19089 19081->19016 19084 138f33a SetFileAttributesW 19085 138f32d _wcslen 
___scrt_get_show_window_mode 19084->19085 19087 138f3f5 GetFileAttributesW 19084->19087 19085->19084 19085->19087 19085->19089 19091 138274f 7 API calls 19085->19091 19092 138f70e GetDlgItem SetWindowTextW SendMessageW 19085->19092 19093 138364a 52 API calls 19085->19093 19095 138f750 SendMessageW 19085->19095 19345 138311e 19085->19345 19087->19085 19090 138f403 DeleteFileW 19087->19090 19089->19078 19089->19079 19089->19081 19089->19085 19339 1386c21 CompareStringW 19089->19339 19340 138d5d8 GetCurrentDirectoryW 19089->19340 19341 138274f 19089->19341 19350 13826d8 19089->19350 19353 138e0d9 19089->19353 19090->19085 19091->19085 19092->19085 19094 138f438 GetFileAttributesW 19093->19094 19094->19085 19096 138f449 MoveFileW 19094->19096 19095->19089 19096->19085 19097 138f461 MoveFileExW 19096->19097 19097->19085 19099 1390417 __EH_prolog 19098->19099 19370 1385b71 19099->19370 19107 1390082 19106->19107 19958 138d533 19107->19958 19110 139008f GetWindow 19111 138ea62 GetDlgItem SendMessageW 19110->19111 19114 13900ab 19110->19114 19124 138d5d8 GetCurrentDirectoryW 19111->19124 19112 13900b8 GetClassNameW 19963 1386c21 CompareStringW 19112->19963 19114->19111 19114->19112 19115 13900e0 GetWindowLongW 19114->19115 19116 1390149 GetWindow 19114->19116 19115->19116 19117 13900f0 SendMessageW 19115->19117 19116->19111 19116->19114 19117->19116 19118 1390106 19117->19118 19964 138d595 19118->19964 19968 138d552 19118->19968 19972 138d642 19118->19972 19123 1390142 DeleteObject 19123->19116 19124->18903 19126 138d938 19125->19126 19127 138d95d 19125->19127 19984 1386c21 CompareStringW 19126->19984 19129 138d962 SHAutoComplete 19127->19129 19130 138d96b 19127->19130 19129->19130 19133 138dcdd 19130->19133 19131 138d94b 19131->19127 19132 138d94f FindWindowExW 19131->19132 19132->19127 19134 138dce7 __EH_prolog 19133->19134 19985 1381d27 19134->19985 19136 1381a04 74 API calls 19138 138de1b 19136->19138 19137 138dd11 ___std_exception_copy 19139 138de0e 19137->19139 19140 
138dd31 19137->19140 19138->18925 19138->18928 19139->19136 19994 1381f9c 19140->19994 19145 1381f9c 71 API calls 19146 138dd6c 19145->19146 20007 1381ec9 19146->20007 19149 1381aa7 70 API calls 19150 138dd86 ___std_exception_copy 19149->19150 19151 138ddbb 19150->19151 19152 1386962 MultiByteToWideChar 19150->19152 19151->19139 19152->19151 19154 13810c7 19153->19154 19154->18916 19154->18941 19156 1384b7d 19155->19156 19157 1384b96 19155->19157 20047 1384c2d 19156->20047 19157->18984 19160 138e09b 19159->19160 19160->19011 20071 138ce36 19162->20071 19165 138d123 19166 138d1bd 19165->19166 19167 138d185 19165->19167 19168 138d1c1 ShowWindow 19166->19168 19172 138d1ba 19166->19172 19167->19172 20073 138ceec 19167->20073 19168->19172 19171 138d1a3 ShowWindow SetWindowTextW 19171->19172 19172->18967 19173->18957 19174->18950 19196 138367c 19175->19196 19177 1383cd9 GetWindowRect GetClientRect 19178 1383dce 19177->19178 19184 1383d33 19177->19184 19179 1383e10 GetSystemMetrics GetWindow 19178->19179 19180 1383dd8 GetWindowTextW 19178->19180 19181 1383e30 19179->19181 19182 138370d 53 API calls 19180->19182 19185 138119b 19181->19185 19187 1383e3c GetWindowTextW 19181->19187 19189 1383e82 GetWindowRect 19181->19189 19190 1383ef7 GetWindow 19181->19190 19191 138370d 53 API calls 19181->19191 19186 1383e04 SetWindowTextW 19182->19186 19183 1383d94 GetWindowLongW 19188 1383dbe GetWindowRect 19183->19188 19184->19179 19184->19183 19185->19035 19185->19038 19186->19179 19187->19181 19188->19178 19189->19190 19190->19181 19190->19185 19192 1383e6f SetWindowTextW 19191->19192 19192->19181 19194 1383c92 GetWindowLongW SetWindowLongW 19193->19194 19195 1383cb0 19193->19195 19194->19195 19195->19035 19197 138370d 53 API calls 19196->19197 19198 13836a4 _wcschr 19197->19198 19198->19177 19200 1382439 19199->19200 19201 138245d 19200->19201 19203 1382450 CreateDirectoryW 19200->19203 19220 1382396 19201->19220 19203->19201 19205 1382490 19203->19205 19208 138249f 19205->19208 
19212 1382669 19205->19212 19206 13824a3 GetLastError 19206->19208 19208->19051 19210 1382479 19210->19206 19211 138247d CreateDirectoryW 19210->19211 19211->19205 19211->19206 19233 1391430 19212->19233 19215 13826b9 19215->19208 19216 138268c 19217 1383201 2 API calls 19216->19217 19218 13826a0 19217->19218 19218->19215 19219 13826a4 SetFileAttributesW 19218->19219 19219->19215 19235 13823aa 19220->19235 19223 1383201 19224 138320e 19223->19224 19232 1383218 _wcslen 19224->19232 19243 13833a8 19224->19243 19226 1383226 _wcslen 19246 13833d4 19226->19246 19228 1383235 19229 138323d 19228->19229 19230 13832bf GetCurrentDirectoryW 19228->19230 19231 13833a8 CharUpperW 19229->19231 19230->19232 19231->19232 19232->19210 19234 1382676 SetFileAttributesW 19233->19234 19234->19215 19234->19216 19236 1391430 19235->19236 19237 13823b7 GetFileAttributesW 19236->19237 19238 138239f 19237->19238 19239 13823c8 19237->19239 19238->19206 19238->19223 19240 1383201 2 API calls 19239->19240 19241 13823dc 19240->19241 19241->19238 19242 13823e0 GetFileAttributesW 19241->19242 19242->19238 19250 1385966 19243->19250 19247 13833e1 19246->19247 19248 13833a8 CharUpperW 19247->19248 19249 13833ed 19247->19249 19248->19249 19249->19228 19251 1385976 CharUpperW 19250->19251 19252 13833b6 19250->19252 19251->19252 19252->19226 19254 1381bf7 19253->19254 19255 1381bfb 19253->19255 19254->19070 19256 1381c06 19255->19256 19257 1381aa7 70 API calls 19255->19257 19256->19254 19266 1382343 19256->19266 19257->19256 19261 1381ab3 19260->19261 19262 1381ad1 19260->19262 19261->19262 19264 1381abf CloseHandle 19261->19264 19263 1381af0 19262->19263 19274 1381769 19262->19274 19263->19070 19264->19262 19267 1391430 19266->19267 19268 1382350 DeleteFileW 19267->19268 19269 1382363 19268->19269 19270 1381c15 19268->19270 19271 1383201 2 API calls 19269->19271 19270->19070 19272 1382377 19271->19272 19272->19270 19273 138237b DeleteFileW 19272->19273 19273->19270 19275 1381772 19274->19275 19276 
138177d 19274->19276 19280 13816b0 19275->19280 19283 13818ed 19276->19283 19288 13864c4 19280->19288 19282 13816d5 19282->19276 19285 13818fc 19283->19285 19284 1381786 19284->19263 19285->19284 19332 1392980 19285->19332 19287 138191e 19289 13864d3 19288->19289 19314 138665a 19288->19314 19292 13865d8 19289->19292 19294 13864e2 19289->19294 19289->19314 19290 13866d2 19290->19282 19291 1383f1e 55 API calls 19293 13866c7 19291->19293 19296 13865e3 19292->19296 19292->19314 19297 1383f1e 55 API calls 19293->19297 19294->19290 19295 138656f 19294->19295 19298 1386555 19294->19298 19299 138659b 19294->19299 19300 1386519 19294->19300 19301 1386540 19294->19301 19302 1386523 19294->19302 19304 13864f8 19294->19304 19303 1383f1e 55 API calls 19295->19303 19296->19290 19296->19298 19296->19301 19296->19302 19297->19290 19310 1383f1e 55 API calls 19298->19310 19306 1383f1e 55 API calls 19299->19306 19328 138db43 19300->19328 19311 1383f1e 55 API calls 19301->19311 19309 1383f1e 55 API calls 19302->19309 19303->19304 19319 138e308 19304->19319 19307 13865ab 19306->19307 19309->19304 19312 138654a 19310->19312 19311->19312 19314->19290 19314->19291 19320 138e311 19319->19320 19321 1386506 19319->19321 19320->19321 19321->19282 19329 138db50 19328->19329 19334 13929a0 19332->19334 19333 13929d2 RaiseException 19333->19287 19334->19333 19336 138df8b 19335->19336 19337 138e03e ExpandEnvironmentStringsW 19336->19337 19338 138e061 19336->19338 19337->19338 19338->19089 19339->19089 19340->19089 19343 138275d 19341->19343 19342 1382816 7 API calls 19342->19343 19343->19342 19344 13827f0 19343->19344 19344->19089 19346 13833a8 CharUpperW 19345->19346 19347 1383133 19346->19347 19348 138364a 52 API calls 19347->19348 19349 138314a _wcschr _wcslen 19347->19349 19348->19349 19349->19085 19351 13826ea 19350->19351 19352 13826e3 FindClose 19350->19352 19351->19089 19352->19351 19354 138e0e3 ___std_exception_copy 19353->19354 19358 138e102 _wcslen 19354->19358 19359 13817e6 
19354->19359 19356 138df81 ExpandEnvironmentStringsW 19356->19358 19357 138e1a4 19357->19089 19358->19356 19358->19357 19364 13817f9 19359->19364 19367 1381979 19364->19367 19368 13864c4 68 API calls 19367->19368 19371 1385b7e _wcslen 19370->19371 19382 1385ab1 19371->19382 19373 1385b96 19384 1385ac7 19382->19384 19392 1385b22 19382->19392 19383 1385af0 19384->19383 19393 13817ae 19384->19393 19392->19373 19959 138d552 3 API calls 19958->19959 19960 138d53a 19959->19960 19961 138d595 3 API calls 19960->19961 19962 138d546 19960->19962 19961->19962 19962->19110 19962->19111 19963->19114 19965 138d59e GetDC 19964->19965 19966 138d5c4 19964->19966 19965->19966 19967 138d5ad GetDeviceCaps ReleaseDC 19965->19967 19966->19118 19967->19966 19969 138d55b GetDC 19968->19969 19970 138d581 19968->19970 19969->19970 19971 138d56a GetDeviceCaps ReleaseDC 19969->19971 19970->19118 19971->19970 19980 138d5ef GetDC GetDeviceCaps ReleaseDC 19972->19980 19974 138d64a 19975 138d64e 19974->19975 19977 138d664 ___scrt_get_show_window_mode 19974->19977 19981 138d839 GetDC 19975->19981 19978 138d7f8 DeleteObject 19977->19978 19979 138d65f SendMessageW 19977->19979 19978->19979 19979->19116 19979->19123 19980->19974 19982 138d857 ReleaseDC 19981->19982 19982->19979 19984->19131 19986 1381d31 19985->19986 19987 1381d87 CreateFileW 19986->19987 19988 1381db4 GetLastError 19987->19988 19990 1381e05 19987->19990 19989 1383201 2 API calls 19988->19989 19991 1381dd4 19989->19991 19990->19137 19991->19990 19992 1381dd8 CreateFileW GetLastError 19991->19992 19993 1381dfc 19992->19993 19993->19990 20015 1381e53 19994->20015 19996 1381fc7 19999 13820a7 19996->19999 20000 13820cb SetFilePointer 19999->20000 20001 13820ba 19999->20001 20002 1382104 20000->20002 20003 13820e9 GetLastError 20000->20003 20001->20002 20004 1381883 69 API calls 20001->20004 20002->19145 20003->20002 20005 13820f3 20003->20005 20004->20000 20005->20002 20006 1381883 69 API calls 20005->20006 20006->20002 20010 1381ee0 
20007->20010 20009 1381f41 20009->19149 20010->20009 20011 1381f33 20010->20011 20013 1381f43 20010->20013 20026 1381c17 20010->20026 20038 138183b 20011->20038 20013->20009 20014 1381c17 5 API calls 20013->20014 20014->20013 20018 1381ebe 20015->20018 20019 1381e5f 20015->20019 20016 1381e96 SetFilePointer 20017 1381eb4 GetLastError 20016->20017 20016->20018 20017->20018 20018->19996 20020 1381883 20018->20020 20019->20016 20021 1381897 20020->20021 20022 138188c 20020->20022 20024 13818ed RaiseException 20021->20024 20023 13816b0 68 API calls 20022->20023 20023->20021 20025 13818a0 20024->20025 20025->19996 20027 1381c25 GetStdHandle 20026->20027 20028 1381c30 ReadFile 20026->20028 20027->20028 20029 1381c49 20028->20029 20030 1381c69 20028->20030 20043 1381d04 20029->20043 20030->20010 20032 1381c50 20033 1381c71 GetLastError 20032->20033 20034 1381c80 20032->20034 20037 1381c5e 20032->20037 20033->20030 20033->20034 20034->20030 20035 1381c90 GetLastError 20034->20035 20035->20030 20035->20037 20036 1381c17 GetFileType 20036->20030 20037->20036 20039 1381856 68 API calls 20038->20039 20040 1381849 20039->20040 20041 13818ed RaiseException 20040->20041 20042 1381852 20041->20042 20042->20009 20044 1381d0d GetFileType 20043->20044 20045 1381d0a 20043->20045 20046 1381d1b 20044->20046 20045->20032 20046->20032 20048 1384c3e 20047->20048 20051 1384c6e 20048->20051 20050 1384c68 20050->19157 20052 1384c7a 20051->20052 20055 1384c84 20051->20055 20059 1384bef 20052->20059 20054 1384cee GetCurrentProcessId 20057 1384cbf ___InternalCxxFrameHandler 20054->20057 20055->20054 20056 1384ca4 20055->20056 20056->20057 20058 13817ae 68 API calls 20056->20058 20057->20050 20058->20057 20060 1384c27 20059->20060 20061 1384bf8 20059->20061 20060->20055 20065 1385ccd 20061->20065 20064 1384c08 GetProcAddress GetProcAddress 20064->20060 20066 1391430 20065->20066 20067 1385cda GetSystemDirectoryW 20066->20067 20068 1384c02 20067->20068 20069 1385cf2 20067->20069 20068->20060 
20068->20064 20070 1385d03 LoadLibraryW 20069->20070 20070->20068 20072 138ce73 GetWindowRect 20071->20072 20072->19165 20075 138cefe _wcslen ___std_exception_copy 20073->20075 20074 138d0a8 20074->19171 20074->19172 20075->20074 20076 1386c43 CompareStringW 20075->20076 20076->20075 21470 1381092 21475 13811e5 21470->21475 21472 1381097 21479 13916e1 21472->21479 21476 13811ef __EH_prolog 21475->21476 21482 1382d26 21476->21482 21478 13811fb 21478->21472 21488 13916a6 21479->21488 21485 1384b28 21482->21485 21484 1382d39 21484->21478 21486 1384d18 73 API calls 21485->21486 21487 1384b3c 21486->21487 21487->21484 21489 13916ca 21488->21489 21490 13916c3 21488->21490 21497 1399c07 21489->21497 21494 1399b97 21490->21494 21493 13810a1 21495 1399c07 29 API calls 21494->21495 21496 1399ba9 21495->21496 21496->21493 21500 13998ef 21497->21500 21503 1399825 21500->21503 21502 1399913 21502->21493 21504 1399831 FindHandler 21503->21504 21511 139bec0 EnterCriticalSection 21504->21511 21506 139983f 21512 1399a56 21506->21512 21508 139984c 21522 139986a 21508->21522 21510 139985d FindHandler 21510->21502 21511->21506 21513 1399a6c __CreateFrameInfo 21512->21513 21514 1399a74 21512->21514 21513->21508 21514->21513 21516 139d1b8 29 API calls 21514->21516 21521 1399acd 21514->21521 21515 139d1b8 29 API calls 21517 1399ae3 21515->21517 21518 1399ac3 21516->21518 21519 139a1ad __freea 20 API calls 21517->21519 21520 139a1ad __freea 20 API calls 21518->21520 21519->21513 21520->21521 21521->21513 21521->21515 21525 139bf08 LeaveCriticalSection 21522->21525 21524 1399874 21524->21510 21525->21524 17644 1391b5f 17649 1392035 SetUnhandledExceptionFilter 17644->17649 17646 1391b64 17650 139a083 17646->17650 17648 1391b6f 17649->17646 17651 139a0a9 17650->17651 17652 139a08f 17650->17652 17651->17648 17652->17651 17657 139a5c0 17652->17657 17663 139ab24 GetLastError 17657->17663 17660 139a49f 17898 139a424 17660->17898 17662 139a0a4 17662->17648 17664 139ab3d 17663->17664 17668 139ab43 
17663->17668 17682 139c0e2 17664->17682 17669 139ab9a SetLastError 17668->17669 17689 139a278 17668->17689 17671 139a099 17669->17671 17671->17660 17674 139ab5d 17698 139a1ad 17674->17698 17675 139ab79 17711 139a912 17675->17711 17676 139ab63 17678 139ab91 SetLastError 17676->17678 17678->17671 17680 139a1ad __freea 17 API calls 17681 139ab8a 17680->17681 17681->17669 17681->17678 17716 139bf1f 17682->17716 17685 139c121 TlsGetValue 17686 139c115 17685->17686 17723 1391ce3 17686->17723 17688 139c132 17688->17668 17690 139a285 17689->17690 17691 139a2c5 17690->17691 17692 139a2b0 HeapAlloc 17690->17692 17696 139a299 __CreateFrameInfo 17690->17696 17694 139a5c0 __freea 19 API calls 17691->17694 17693 139a2c3 17692->17693 17692->17696 17695 139a2ca 17693->17695 17694->17695 17695->17674 17704 139c138 17695->17704 17696->17691 17696->17692 17738 1399d57 17696->17738 17699 139a1b8 HeapFree 17698->17699 17703 139a1e1 __freea 17698->17703 17700 139a1cd 17699->17700 17699->17703 17701 139a5c0 __freea 18 API calls 17700->17701 17702 139a1d3 GetLastError 17701->17702 17702->17703 17703->17676 17705 139bf1f _GetRangeOfTrysToCheck 5 API calls 17704->17705 17706 139c15f 17705->17706 17707 139c17a TlsSetValue 17706->17707 17710 139c16e 17706->17710 17707->17710 17708 1391ce3 __startOneArgErrorHandling 5 API calls 17709 139ab72 17708->17709 17709->17674 17709->17675 17710->17708 17754 139a8ea 17711->17754 17717 139bf4b 17716->17717 17718 139bf4f 17716->17718 17717->17718 17722 139bf6f 17717->17722 17730 139bfbb 17717->17730 17718->17685 17718->17686 17720 139bf7b GetProcAddress 17721 139bf8b __CreateFrameInfo 17720->17721 17721->17718 17722->17718 17722->17720 17724 1391cee IsProcessorFeaturePresent 17723->17724 17725 1391cec 17723->17725 17727 1392363 17724->17727 17725->17688 17737 1392327 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 17727->17737 17729 1392446 17729->17688 17731 139bfd1 17730->17731 17732 139bfdc LoadLibraryExW 
    [Control-flow graph data: node and edge listing emitted by the Joe Sandbox IDA plugin, rendered as a graph image in the original report and not readable as text. Node labels reference code addresses in the 01380000 image and the API names listed under APIs below.]

    Executed Functions

    Control-flow Graph

    APIs
      • Part of subcall function 01385D17: GetModuleHandleW.KERNEL32 ref: 01385D2F
      • Part of subcall function 01385D17: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 01385D47
      • Part of subcall function 01385D17: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 01385D6A
      • Part of subcall function 01385D17: GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01386015
      • Part of subcall function 01385D17: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0138602D
      • Part of subcall function 01385D17: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0138603F
      • Part of subcall function 01385D17: ReadFile.KERNEL32(00000000,?,00007FFE,013A4488,00000000), ref: 0138605E
      • Part of subcall function 01385D17: CloseHandle.KERNEL32(00000000), ref: 013860B6
      • Part of subcall function 01385D17: GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 013860CC
      • Part of subcall function 01385D17: CompareStringW.KERNEL32(00000400,00001001,013A44D4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 01386126
      • Part of subcall function 01385D17: GetFileAttributesW.KERNEL32(?,?,013A44A0,00000800,?,00000000,?,00000800), ref: 0138614F
      • Part of subcall function 01385D17: GetFileAttributesW.KERNEL32(?,?,013A4560,00000800), ref: 01386188
      • Part of subcall function 01385D17: AllocConsole.KERNEL32 ref: 0138624C
      • Part of subcall function 01385D17: GetCurrentProcessId.KERNEL32 ref: 01386256
      • Part of subcall function 01385D17: AttachConsole.KERNEL32(00000000), ref: 0138625D
      • Part of subcall function 01385D17: _wcslen.LIBCMT ref: 01386272
      • Part of subcall function 01385D17: GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 01386283
      • Part of subcall function 01385D17: WriteConsoleW.KERNEL32(00000000), ref: 0138628A
      • Part of subcall function 01385D17: Sleep.KERNEL32(00002710), ref: 01386295
      • Part of subcall function 01385D17: FreeConsole.KERNEL32 ref: 0138629B
      • Part of subcall function 01385D17: ExitProcess.KERNEL32 ref: 013862A3
    • OleInitialize.OLE32(00000000), ref: 0139086F
      • Part of subcall function 0138699B: GetCPInfo.KERNEL32(00000000,?), ref: 013869AC
      • Part of subcall function 0138699B: IsDBCSLeadByte.KERNEL32(00000000), ref: 013869C0
    • GetCommandLineW.KERNEL32 ref: 01390892
    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 013908B9
    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007002), ref: 013908CE
    • UnmapViewOfFile.KERNEL32(00000000), ref: 013908FB
    • CloseHandle.KERNEL32(00000000), ref: 01390902
      • Part of subcall function 0139056D: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 01390583
      • Part of subcall function 0139056D: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 013905BF
    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Xtaqxu6frQ.exe,00000800), ref: 0139091C
    • SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\Desktop\Xtaqxu6frQ.exe), ref: 0139092E
    • GetLocalTime.KERNEL32(?), ref: 01390935
    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 01390986
    • GetModuleHandleW.KERNEL32(00000000), ref: 01390989
    • LoadIconW.USER32(00000000,00000064), ref: 013909A0
    • LoadBitmapW.USER32(00000065), ref: 013909B3
      • Part of subcall function 0138D985: OleInitialize.OLE32(00000000), ref: 0138D99B
      • Part of subcall function 0138D985: SHGetMalloc.SHELL32(013C66C0), ref: 0138D9BE
    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0000E35C,00000000), ref: 01390A03
      • Part of subcall function 0138D9CB: OleUninitialize.OLE32 ref: 0138D9EE
    • Sleep.KERNEL32(00000000), ref: 01390A3A
    • CloseHandle.KERNEL32 ref: 01390AC6
      • Part of subcall function 0138DA96: _wcslen.LIBCMT ref: 0138DAEC
    • DeleteObject.GDI32 ref: 01390A78
    • DeleteObject.GDI32(24050713), ref: 01390A84
    • CoUninitialize.OLE32 ref: 01390ACC
      • Part of subcall function 013905CC: WaitForSingleObject.KERNEL32(?,0000000A), ref: 013905D8
      • Part of subcall function 013905CC: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 013905F1
      • Part of subcall function 013905CC: WaitForSingleObject.KERNEL32(?,0000000A), ref: 013905FC
      • Part of subcall function 0138F099: CharUpperW.USER32(?), ref: 0138F0F1
      • Part of subcall function 0138F099: CharUpperW.USER32(?), ref: 0138F118
      • Part of subcall function 0138F099: CharUpperW.USER32(?), ref: 0138F174
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • __EH_prolog.LIBCMT ref: 01387061
      • Part of subcall function 0138350C: _wcslen.LIBCMT ref: 01383512
      • Part of subcall function 01381482: _wcslen.LIBCMT ref: 013814A6
      • Part of subcall function 01388C20: __EH_prolog.LIBCMT ref: 01388C25
    • __allrem.INT64 ref: 0138766F
    • __allrem.INT64 ref: 013876EB
      • Part of subcall function 01388F90: __allrem.INT64 ref: 01388FB1
      • Part of subcall function 0138844E: _strncpy.LIBCMT ref: 013884D4
      • Part of subcall function 01382F0F: _wcschr.LIBVCRUNTIME ref: 01382FA1
      • Part of subcall function 01382F0F: _wcschr.LIBVCRUNTIME ref: 01382FB1
      • Part of subcall function 0138242C: CreateDirectoryW.KERNELBASE(?,00000000,?), ref: 01382453
      • Part of subcall function 0138242C: CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?), ref: 01382486
      • Part of subcall function 0138242C: GetLastError.KERNEL32(?,?), ref: 013824A3
      • Part of subcall function 01385B71: _wcslen.LIBCMT ref: 01385B87
      • Part of subcall function 0138BA11: _memcmp.LIBVCRUNTIME ref: 0138BB64
      • Part of subcall function 01387EC2: __alldiv.INT64 ref: 01387F51
      • Part of subcall function 01387EC2: _memcmp.LIBVCRUNTIME ref: 0138822C
      • Part of subcall function 013824D0: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 01382576
      • Part of subcall function 013824D0: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 013825BA
      • Part of subcall function 013824D0: SetFileTime.KERNEL32(?,?,?,00000000), ref: 0138263B
      • Part of subcall function 013824D0: CloseHandle.KERNEL32(?), ref: 01382642
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00012041), ref: 0139203A
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    APIs
    • __EH_prolog.LIBCMT ref: 0138E361
      • Part of subcall function 01381170: GetDlgItem.USER32(00000000,00003021), ref: 013811B4
      • Part of subcall function 01381170: SetWindowTextW.USER32(00000000,013A4254), ref: 013811CA
      • Part of subcall function 013810B0: SHGetMalloc.SHELL32(?), ref: 013810BD
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0138E3E9
    • EndDialog.USER32(?,00000001), ref: 0138E413
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0138E453
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0138E471
    • TranslateMessage.USER32(?), ref: 0138E492
    • DispatchMessageW.USER32(?), ref: 0138E49C
    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0138E4C0
    • GetDlgItem.USER32(?,00000068), ref: 0138E502
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0138E523
    • SetFocus.USER32(00000000), ref: 0138E53A
      • Part of subcall function 0138FE50: _wcschr.LIBVCRUNTIME ref: 0138FE59
      • Part of subcall function 0138FE50: _wcslen.LIBCMT ref: 0138FE7A
      • Part of subcall function 0138FED1: GetDlgItem.USER32(00000068,013DAE28), ref: 0138FEE0
      • Part of subcall function 0138FED1: ShowWindow.USER32(00000000,00000005), ref: 0138FF0B
      • Part of subcall function 0138FED1: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0138FF1A
      • Part of subcall function 0138FED1: SendMessageW.USER32(00000000,000000C2,00000000,013A4254), ref: 0138FF24
      • Part of subcall function 0138FED1: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0138FF3A
      • Part of subcall function 0138FED1: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0138FF50
      • Part of subcall function 0138FED1: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0138FF90
      • Part of subcall function 0138FED1: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0138FF9A
      • Part of subcall function 0138FED1: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0138FFA9
      • Part of subcall function 0138FED1: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0138FFCC
      • Part of subcall function 0138FED1: SendMessageW.USER32(00000000,000000C2,00000000,013A5030), ref: 0138FFD7
    • SendMessageW.USER32(00000000,000000C2,00000000,013A4254), ref: 0138E532
      • Part of subcall function 013904DD: _wcslen.LIBCMT ref: 01390539
    • GetLastError.KERNEL32(00000000,?), ref: 0138E5DF
      • Part of subcall function 0138D972: SetCurrentDirectoryW.KERNEL32(?,0138DAE5,013A4270,00000000,?,00000006,?,00000800), ref: 0138D976
    • GetLastError.KERNEL32(?,00000000,?), ref: 0138E605
    • GetTickCount.KERNEL32(?,00000000,?), ref: 0138E627
      • Part of subcall function 01381AF5: CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000), ref: 01381B7D
      • Part of subcall function 01381AF5: CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000), ref: 01381BB2
    • GetLastError.KERNEL32 ref: 0138E671
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,?), ref: 0138E6C0
    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007002,winrarsfxmappingfile.tmp), ref: 0138E754
    • GetCommandLineW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000800), ref: 0138E76A
      • Part of subcall function 0138E079: SHGetMalloc.SHELL32(?), ref: 0138E083
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0138E7B0
    • ShellExecuteExW.SHELL32(0000003C), ref: 0138E7D8
    • Sleep.KERNEL32(00000064), ref: 0138E822
    • UnmapViewOfFile.KERNEL32(?,?,0000230C,?,00000080), ref: 0138E84B
    • CloseHandle.KERNEL32(00000000), ref: 0138E854
      • Part of subcall function 0138114B: GetDlgItem.USER32(?,?), ref: 01381160
      • Part of subcall function 0138114B: ShowWindow.USER32(00000000), ref: 01381167
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0138E8EC
    • SetDlgItemTextW.USER32(?,00000065,013A4254), ref: 0138E8FF
    • GetDlgItem.USER32(?,00000065), ref: 0138E904
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0138E913
    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0138E922
      • Part of subcall function 0139040D: __EH_prolog.LIBCMT ref: 01390412
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0138E9CF
    • SendMessageW.USER32(?,00000080,00000001,00100171), ref: 0138EA3C
    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,24050713), ref: 0138EA56
      • Part of subcall function 01390075: GetWindow.USER32(?,00000005), ref: 01390096
      • Part of subcall function 01390075: GetClassNameW.USER32(00000000,?,00000800), ref: 013900C5
      • Part of subcall function 01390075: GetWindowLongW.USER32(00000000,000000F0), ref: 013900E3
      • Part of subcall function 01390075: SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 013900FA
      • Part of subcall function 01390075: SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 01390134
      • Part of subcall function 01390075: DeleteObject.GDI32(00000000), ref: 01390143
      • Part of subcall function 01390075: GetWindow.USER32(00000000,00000002), ref: 0139014C
    • GetDlgItem.USER32(?,00000068), ref: 0138EA6B
    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0138EA7D
      • Part of subcall function 0138D5D8: GetCurrentDirectoryW.KERNEL32(?,?,0138DAB4,?,00000800), ref: 0138D5E0
    • GetDlgItem.USER32(?,00000066), ref: 0138EA97
    • SetWindowTextW.USER32(00000000,013CD70A), ref: 0138EAB5
      • Part of subcall function 0138D917: GetClassNameW.USER32(?,?,00000050), ref: 0138D92E
      • Part of subcall function 0138D917: FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0138D955
      • Part of subcall function 0138D917: SHAutoComplete.SHLWAPI(?,00000010), ref: 0138D965
      • Part of subcall function 0138DCDD: __EH_prolog.LIBCMT ref: 0138DCE2
    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0138EB0B
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0138EB1E
    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0000E1F4,00000000), ref: 0138EBAA
      • Part of subcall function 0138D0D1: ShowWindow.USER32(?,00000000), ref: 0138D0EA
      • Part of subcall function 0138D0D1: GetWindowRect.USER32(?,?), ref: 0138D10F
      • Part of subcall function 0138D0D1: ShowWindow.USER32(?,00000005), ref: 0138D1A6
      • Part of subcall function 0138D0D1: SetWindowTextW.USER32(?,00000000), ref: 0138D1AE
      • Part of subcall function 0138D0D1: ShowWindow.USER32(00000000,00000005), ref: 0138D1C4
    • EnableWindow.USER32(00000000,00000000), ref: 0138EC7B
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0138ECE1
      • Part of subcall function 0138112D: GetDlgItem.USER32(?,?), ref: 0138113B
      • Part of subcall function 0138112D: EnableWindow.USER32(00000000), ref: 01381142
    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0138ECBD
      • Part of subcall function 01383F1E: LoadStringW.USER32(?,?,00000200,?), ref: 01383F63
      • Part of subcall function 01383F1E: LoadStringW.USER32(?,?,00000200,?), ref: 01383F79
      • Part of subcall function 0138F208: __EH_prolog.LIBCMT ref: 0138F20D
      • Part of subcall function 0138F208: SetFileAttributesW.KERNEL32(-00003C84,00000005,-00007C84,00000800,-0000FC8C,761A5509,?,00000000,0138E2BE,?,00000003), ref: 0138F342
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F37D
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F391
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F3B6
      • Part of subcall function 0138F208: GetFileAttributesW.KERNEL32(-00003C84), ref: 0138F3FC
      • Part of subcall function 0138F208: DeleteFileW.KERNEL32(-00003C84), ref: 0138F40A
      • Part of subcall function 0138F208: GetFileAttributesW.KERNEL32(-0000103C), ref: 0138F442
      • Part of subcall function 0138F208: MoveFileW.KERNEL32(-00003C84,-0000103C), ref: 0138F457
      • Part of subcall function 0138F208: MoveFileExW.KERNEL32(-0000103C,00000005,00000004), ref: 0138F46B
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F4EC
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F4F5
      • Part of subcall function 0138F208: SetWindowTextW.USER32(?,-00005C84), ref: 0138F553
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F595
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F665
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F689
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F697
      • Part of subcall function 0138F208: _wcsrchr.LIBVCRUNTIME ref: 0138F6D3
      • Part of subcall function 0138F208: GetDlgItem.USER32(?,00000066), ref: 0138F713
      • Part of subcall function 0138F208: SetWindowTextW.USER32(00000000,-0000103C), ref: 0138F723
      • Part of subcall function 0138F208: SendMessageW.USER32(00000000,00000143,00000000,013D9E20), ref: 0138F737
      • Part of subcall function 0138F208: SendMessageW.USER32(00000000,00000143,00000000,-0000103C), ref: 0138F760
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    APIs
    • GetDlgItem.USER32(00000068,013DAE28), ref: 0138FEE0
    • ShowWindow.USER32(00000000,00000005), ref: 0138FF0B
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0138FF1A
    • SendMessageW.USER32(00000000,000000C2,00000000,013A4254), ref: 0138FF24
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0138FF3A
    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0138FF50
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0138FF90
    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0138FF9A
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0138FFA9
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0138FFCC
    • SendMessageW.USER32(00000000,000000C2,00000000,013A5030), ref: 0138FFD7
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    APIs
    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 013911D4
    • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 01391260
    • GetLastError.KERNEL32 ref: 0139126C
    • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 013912AC
    • FreeLibrary.KERNEL32(00000000), ref: 013912C6
    • GetProcAddress.KERNEL32(00000000,?), ref: 0139132E
    • GetLastError.KERNEL32 ref: 0139133A
    • RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 0139137A
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,013974EC,013974EC,?,?,?,0139BD80,00000001,00000001,4DE85006), ref: 0139BB89
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0139BD80,00000001,00000001,4DE85006,?,?,?), ref: 0139BC0F
      • Part of subcall function 0139C1F3: LCMapStringEx.KERNELBASE(?,01396CBE,00000010,?,?,013974EC,?,?,00000000,?,?,?,?,?,01397178), ref: 0139C246
      • Part of subcall function 0139C1F3: LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,4DE85006,00000001,?,000000FF), ref: 0139C264
      • Part of subcall function 0139A1E7: RtlAllocateHeap.NTDLL(00000000,?,?,?,013968D4,?,0000015D,?,?,?,?,01397453,000000FF,00000000,?,?), ref: 0139A219
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,4DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0139BD09
    • __freea.LIBCMT ref: 0139BD16
    • __freea.LIBCMT ref: 0139BD1F
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    • __freea.LIBCMT ref: 0139BD44
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    APIs
    • GetClassNameW.USER32(?,?,00000050), ref: 0138D92E
    • SHAutoComplete.SHLWAPI(?,00000010), ref: 0138D965
      • Part of subcall function 01386C21: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,01382CE4,?,?,?,01382C93,?,-00000002,?,00000000,?), ref: 01386C37
    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0138D955
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    APIs
    • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 01390583
    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 013905BF
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    APIs
    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,-00000001,00000000), ref: 01381DA7
    • GetLastError.KERNEL32(?,?,00000000,00000003,-00000001,00000000), ref: 01381DB4
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383227
      • Part of subcall function 01383201: GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,?,?,?,01382377,?,?,00000800,?,?,01381C15,?), ref: 013832CD
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383345
    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000), ref: 01381DE9
    • GetLastError.KERNEL32(?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 01381DF1
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    APIs
    • ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 01381C3F
      • Part of subcall function 01381D04: GetFileType.KERNEL32(000000FF), ref: 01381D10
    • GetLastError.KERNEL32 ref: 01381C90
      • Part of subcall function 01381C17: GetStdHandle.KERNEL32(000000F6), ref: 01381C27
      • Part of subcall function 01381C17: GetLastError.KERNEL32 ref: 01381C71
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,013DD1F0,?,?,01396159,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx), ref: 013961EA
    • GetLastError.KERNEL32(?,?,01396159,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx,013A57D4,InitializeCriticalSectionEx,00000000,?,013960A0), ref: 013961F6
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,01396159,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx,013A57D4,InitializeCriticalSectionEx), ref: 01396204
    • FreeLibrary.KERNEL32(00000000,?,?,01396159,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx,013A57D4,InitializeCriticalSectionEx,00000000), ref: 01396226
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph (rendered graph not reproduced): basic blocks 139bfbb to 139c035, calling LoadLibraryExW, GetLastError, LoadLibraryExW and FreeLibrary
    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0139673D,00000000,00000000,?,0139BF62,0139673D,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue), ref: 0139BFED
    • GetLastError.KERNEL32(?,0139BF62,0139673D,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000,00000364,?,0139AB72), ref: 0139BFF9
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0139BF62,0139673D,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000), ref: 0139C007
    • FreeLibrary.KERNEL32(00000000,?,0139BF62,0139673D,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000,00000364), ref: 0139C029
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    APIs
      • Part of subcall function 0139BF1F: GetProcAddress.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000,00000364,?,0139AB72,00000000), ref: 0139BF7F
    • LCMapStringEx.KERNELBASE(?,01396CBE,00000010,?,?,013974EC,?,?,00000000,?,?,?,?,?,01397178), ref: 0139C246
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,4DE85006,00000001,?,000000FF), ref: 0139C264
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    APIs
      • Part of subcall function 0139BF1F: GetProcAddress.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000,00000364,?,0139AB72,00000000), ref: 0139BF7F
    • InitializeCriticalSectionEx.KERNELBASE ref: 0139C1D2
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0139B81B), ref: 0139C1DC
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    Strings
    • InitializeCriticalSectionEx, xrefs: 0139C1AC
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph (rendered graph not reproduced): basic block 138d985 to 138d9ca, calling function 1385ccd, OleInitialize and SHGetMalloc
    APIs
      • Part of subcall function 01385CCD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01385CE8
      • Part of subcall function 01385CCD: LoadLibraryW.KERNEL32(?), ref: 01385D0A
    • OleInitialize.OLE32(00000000), ref: 0138D99B
    • SHGetMalloc.SHELL32(013C66C0), ref: 0138D9BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 968 138242c-1382449 call 1391430 call 138350c 973 138244b-138244e 968->973 974 138245d-1382465 call 1382396 968->974 973->974 976 1382450-138245b CreateDirectoryW 973->976 981 1382467-138247b call 1383201 974->981 982 13824a3-13824ac GetLastError 974->982 976->974 978 1382490-1382494 976->978 979 138249f-13824a1 978->979 980 1382496-138249a call 1382669 978->980 986 13824bb-13824bf 979->986 980->979 981->982 990 138247d-138248e CreateDirectoryW 981->990 984 13824ae-13824b1 982->984 985 13824b8-13824ba 982->985 984->985 989 13824b3-13824b6 984->989 985->986 989->986 990->978 990->982
    APIs
      • Part of subcall function 0138350C: _wcslen.LIBCMT ref: 01383512
    • CreateDirectoryW.KERNELBASE(?,00000000,?), ref: 01382453
    • GetLastError.KERNEL32(?,?), ref: 013824A3
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383227
      • Part of subcall function 01383201: GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,?,?,?,01382377,?,?,00000800,?,?,01381C15,?), ref: 013832CD
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383345
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?), ref: 01382486
      • Part of subcall function 01382669: SetFileAttributesW.KERNELBASE(?,00000000,?,?,0138249F,?,?), ref: 0138267D
      • Part of subcall function 01382669: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,?,0138249F,?,?), ref: 013826AE
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0139CAD2
      • Part of subcall function 0139DB79: MultiByteToWideChar.KERNEL32(?,00000000,4DE85006,01396CBE,00000000,00000000,013974EC,?,013974EC,?,00000001,01396CBE,4DE85006,00000001,013974EC,013974EC), ref: 0139DBC6
      • Part of subcall function 0139DB79: MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0139DC4F
      • Part of subcall function 0139DB79: GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0139DC61
      • Part of subcall function 0139DB79: __freea.LIBCMT ref: 0139DC6A
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • __EH_prolog.LIBCMT ref: 01390412
      • Part of subcall function 01385B71: _wcslen.LIBCMT ref: 01385B87
      • Part of subcall function 0138C3A1: __EH_prolog.LIBCMT ref: 0138C3A6
    Strings
    • C:\Users\user\Desktop\Xtaqxu6frQ.exe, xrefs: 01390441
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 0139BF1F: GetProcAddress.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000,00000364,?,0139AB72,00000000), ref: 0139BF7F
    • TlsAlloc.KERNEL32 ref: 0139C075
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 01396112: GetProcAddress.KERNEL32(00000000,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx,013A57D4,InitializeCriticalSectionEx,00000000,?,013960A0,013DD1F0,00000FA0), ref: 01396176
    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,?), ref: 0139635B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 0139C9D5: GetOEMCP.KERNEL32(00000000,?,?,0139CC5E,?), ref: 0139CA00
      • Part of subcall function 0139C9D5: GetACP.KERNEL32(00000000,?,?,0139CC5E,?), ref: 0139CA17
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0139CCA3,?,00000000), ref: 0139CE76
    • GetCPInfo.KERNEL32(00000000,0139CCA3,?,?,?,0139CCA3,?,00000000), ref: 0139CE89
      • Part of subcall function 0139CAAD: GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0139CAD2
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 01381CAE: __EH_prolog.LIBCMT ref: 01381CB3
    • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 01381EA7
    • GetLastError.KERNEL32 ref: 01381EB4
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • SetFileAttributesW.KERNELBASE(?,00000000,?,?,0138249F,?,?), ref: 0138267D
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383227
      • Part of subcall function 01383201: GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,?,?,?,01382377,?,?,00000800,?,?,01381C15,?), ref: 013832CD
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383345
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,?,0138249F,?,?), ref: 013826AE
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • DeleteFileW.KERNELBASE(?,?,?,01381C15,?,?,01381A39), ref: 01382354
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383227
      • Part of subcall function 01383201: GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,?,?,?,01382377,?,?,00000800,?,?,01381C15,?), ref: 013832CD
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383345
    • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,01381C15,?,?,01381A39), ref: 01382382
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetFileAttributesW.KERNELBASE(?), ref: 013823BB
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383227
      • Part of subcall function 01383201: GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,?,?,?,01382377,?,?,00000800,?,?,01381C15,?), ref: 013832CD
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383345
    • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 013823E7
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01385CE8
    • LoadLibraryW.KERNEL32(?), ref: 01385D0A
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • __EH_prolog.LIBCMT ref: 0138DCE2
      • Part of subcall function 01381D27: CreateFileW.KERNEL32(?,?,?,00000000,00000003,-00000001,00000000), ref: 01381DA7
      • Part of subcall function 01381D27: GetLastError.KERNEL32(?,?,00000000,00000003,-00000001,00000000), ref: 01381DB4
      • Part of subcall function 01381D27: CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000), ref: 01381DE9
      • Part of subcall function 01381D27: GetLastError.KERNEL32(?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 01381DF1
      • Part of subcall function 013820A7: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 013820DD
      • Part of subcall function 013820A7: GetLastError.KERNEL32 ref: 013820E9
      • Part of subcall function 01381AA7: CloseHandle.KERNEL32(000000FF), ref: 01381AC2
      • Part of subcall function 01386962: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,013831E7,00000000,?,?), ref: 0138697E
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 01391EA3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 01391EB0
      • Part of subcall function 01391EA3: IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 01391F78
      • Part of subcall function 01391EA3: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01391F97
      • Part of subcall function 01391EA3: UnhandledExceptionFilter.KERNEL32(?), ref: 01391FA1
    • ___scrt_get_show_window_mode.LIBCMT ref: 01391C4D
      • Part of subcall function 01391FBE: GetStartupInfoW.KERNEL32(?), ref: 01391FD8
      • Part of subcall function 0139085C: OleInitialize.OLE32(00000000), ref: 0139086F
      • Part of subcall function 0139085C: GetCommandLineW.KERNEL32 ref: 01390892
      • Part of subcall function 0139085C: OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 013908B9
      • Part of subcall function 0139085C: MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007002), ref: 013908CE
      • Part of subcall function 0139085C: UnmapViewOfFile.KERNEL32(00000000), ref: 013908FB
      • Part of subcall function 0139085C: CloseHandle.KERNEL32(00000000), ref: 01390902
      • Part of subcall function 0139085C: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Xtaqxu6frQ.exe,00000800), ref: 0139091C
      • Part of subcall function 0139085C: SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\Desktop\Xtaqxu6frQ.exe), ref: 0139092E
      • Part of subcall function 0139085C: GetLocalTime.KERNEL32(?), ref: 01390935
      • Part of subcall function 0139085C: SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 01390986
      • Part of subcall function 0139085C: GetModuleHandleW.KERNEL32(00000000), ref: 01390989
      • Part of subcall function 0139085C: LoadIconW.USER32(00000000,00000064), ref: 013909A0
      • Part of subcall function 0139085C: LoadBitmapW.USER32(00000065), ref: 013909B3
      • Part of subcall function 0139085C: DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0000E35C,00000000), ref: 01390A03
      • Part of subcall function 0139085C: Sleep.KERNEL32(00000000), ref: 01390A3A
      • Part of subcall function 0139085C: DeleteObject.GDI32 ref: 01390A78
      • Part of subcall function 0139085C: DeleteObject.GDI32(24050713), ref: 01390A84
      • Part of subcall function 0139085C: CloseHandle.KERNEL32 ref: 01390AC6
      • Part of subcall function 0139085C: CoUninitialize.OLE32 ref: 01390ACC
      • Part of subcall function 01391FF1: GetModuleHandleW.KERNEL32(00000000,013990B3,013AB720,0000000C,0139929D,?,00000002,00000000,?,0139A277,00000003,0139AB23), ref: 01391FF3
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetProcAddress.KERNEL32(00000000,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx,013A57D4,InitializeCriticalSectionEx,00000000,?,013960A0,013DD1F0,00000FA0), ref: 01396176
      • Part of subcall function 013961B2: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,013DD1F0,?,?,01396159,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx), ref: 013961EA
      • Part of subcall function 013961B2: GetLastError.KERNEL32(?,?,01396159,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx,013A57D4,InitializeCriticalSectionEx,00000000,?,013960A0), ref: 013961F6
      • Part of subcall function 013961B2: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,01396159,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx,013A57D4,InitializeCriticalSectionEx), ref: 01396204
      • Part of subcall function 013961B2: FreeLibrary.KERNEL32(00000000,?,?,01396159,?,013DD1F0,00000000,?,?,01396338,00000008,InitializeCriticalSectionEx,013A57D4,InitializeCriticalSectionEx,00000000), ref: 01396226
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetProcAddress.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000,00000364,?,0139AB72,00000000), ref: 0139BF7F
      • Part of subcall function 0139BFBB: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0139673D,00000000,00000000,?,0139BF62,0139673D,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue), ref: 0139BFED
      • Part of subcall function 0139BFBB: GetLastError.KERNEL32(?,0139BF62,0139673D,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000,00000364,?,0139AB72), ref: 0139BFF9
      • Part of subcall function 0139BFBB: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0139BF62,0139673D,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000), ref: 0139C007
      • Part of subcall function 0139BFBB: FreeLibrary.KERNEL32(00000000,?,0139BF62,0139673D,00000000,00000000,00000000,?,0139C15F,00000006,FlsSetValue,013A7448,013A7450,00000000,00000364), ref: 0139C029
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,013968D4,?,0000015D,?,?,?,?,01397453,000000FF,00000000,?,?), ref: 0139A219
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 01383F1E: LoadStringW.USER32(?,?,00000200,?), ref: 01383F63
      • Part of subcall function 01383F1E: LoadStringW.USER32(?,?,00000200,?), ref: 01383F79
    • SetDlgItemTextW.USER32(00000065,?), ref: 01390840
      • Part of subcall function 0138E1B3: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0138E1C4
      • Part of subcall function 0138E1B3: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0138E1D5
      • Part of subcall function 0138E1B3: TranslateMessage.USER32(?), ref: 0138E1DF
      • Part of subcall function 0138E1B3: DispatchMessageW.USER32(?), ref: 0138E1E9
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,0138691C), ref: 013906C2
      • Part of subcall function 0138E1B3: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0138E1C4
      • Part of subcall function 0138E1B3: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0138E1D5
      • Part of subcall function 0138E1B3: TranslateMessage.USER32(?), ref: 0138E1DF
      • Part of subcall function 0138E1B3: DispatchMessageW.USER32(?), ref: 0138E1E9
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd

    Non-executed Functions

    APIs
      • Part of subcall function 01381170: GetDlgItem.USER32(00000000,00003021), ref: 013811B4
      • Part of subcall function 01381170: SetWindowTextW.USER32(00000000,013A4254), ref: 013811CA
    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0138ED8D
    • EndDialog.USER32(?,00000006), ref: 0138EDA0
    • GetDlgItem.USER32(?,0000006C), ref: 0138EDBC
    • SetFocus.USER32(00000000), ref: 0138EDC3
    • SetDlgItemTextW.USER32(?,00000065,?), ref: 0138EE03
    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0138EE36
    • FindFirstFileW.KERNEL32(?,?), ref: 0138EE4C
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0138EE6A
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0138EE7A
    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0138EE97
    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0138EEB5
      • Part of subcall function 01383F1E: LoadStringW.USER32(?,?,00000200,?), ref: 01383F63
      • Part of subcall function 01383F1E: LoadStringW.USER32(?,?,00000200,?), ref: 01383F79
    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0138EEF8
    • FindClose.KERNEL32(00000000), ref: 0138EEFB
    • SetDlgItemTextW.USER32(?,00000068,?), ref: 0138EF69
    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0138EF7F
      • Part of subcall function 013862B6: __aulldiv.INT64 ref: 013862BF
    • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0138EF9F
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0138EFAF
    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0138EFC9
    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0138EFE1
    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0138F025
      • Part of subcall function 0138DB87: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0138DBAD
      • Part of subcall function 0138DB87: GetNumberFormatW.KERNEL32(00000400,00000000,?,013AD03C,?,?), ref: 0138DBFC
    • SetDlgItemTextW.USER32(?,00000069,?), ref: 0138F088
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,01382714,000000FF,?,?), ref: 0138284B
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383227
      • Part of subcall function 01383201: GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,?,?,?,01382377,?,?,00000800,?,?,01381C15,?), ref: 013832CD
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383345
    • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,01382714,000000FF,?,?), ref: 01382881
    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,01382714,000000FF,?,?), ref: 01382889
    • FindNextFileW.KERNEL32(?,?,?,?,?,?,01382714,000000FF,?,?), ref: 013828B1
    • GetLastError.KERNEL32(?,?,?,?,01382714,000000FF,?,?), ref: 013828BD
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 01391EB0
    • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 01391F78
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01391F97
    • UnhandledExceptionFilter.KERNEL32(?), ref: 01391FA1
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • VirtualQuery.KERNEL32(80000000,01390E81,0000001C,013910A4,00000000,?,?,?,?,?,?,?,01390E81,00000004,013DCE54,01391160), ref: 01390F70
    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,01390E81,00000004,013DCE54,01391160), ref: 01390F8B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 0139A278: HeapAlloc.KERNEL32(00000008,00000000,00000000,?,0139AACE,00000001,00000364,?,0139673D,00000200,00000000,?), ref: 0139A2B9
      • Part of subcall function 0139A4AF: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139A4B1
      • Part of subcall function 0139A4AF: GetCurrentProcess.KERNEL32(C0000417,013AB8C8,0000002C,0139A245,00000016,0139AB23), ref: 0139A4D3
      • Part of subcall function 0139A4AF: TerminateProcess.KERNEL32(00000000), ref: 0139A4DA
    • FindFirstFileExA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0139C6A7
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0138DBAD
      • Part of subcall function 01385982: __alldvrm.INT64 ref: 013859D1
    • GetNumberFormatW.KERNEL32(00000400,00000000,?,013AD03C,?,?), ref: 0138DBFC
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetVersionExW.KERNEL32(?), ref: 013829C0
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetModuleHandleW.KERNEL32 ref: 01385D2F
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 01385D47
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 01385D6A
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01386015
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0138602D
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0138603F
    • ReadFile.KERNEL32(00000000,?,00007FFE,013A4488,00000000), ref: 0138605E
    • CloseHandle.KERNEL32(00000000), ref: 013860B6
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 013860CC
      • Part of subcall function 01383528: _wcslen.LIBCMT ref: 01383530
      • Part of subcall function 0138299B: GetVersionExW.KERNEL32(?), ref: 013829C0
    • CompareStringW.KERNEL32(00000400,00001001,013A44D4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 01386126
    • GetFileAttributesW.KERNEL32(?,?,013A44A0,00000800,?,00000000,?,00000800), ref: 0138614F
    • GetFileAttributesW.KERNEL32(?,?,013A4560,00000800), ref: 01386188
    • ExitProcess.KERNEL32 ref: 013862A3
      • Part of subcall function 01385CCD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01385CE8
      • Part of subcall function 01385CCD: LoadLibraryW.KERNEL32(?), ref: 01385D0A
      • Part of subcall function 01383F1E: LoadStringW.USER32(?,?,00000200,?), ref: 01383F63
      • Part of subcall function 01383F1E: LoadStringW.USER32(?,?,00000200,?), ref: 01383F79
    • AllocConsole.KERNEL32 ref: 0138624C
    • GetCurrentProcessId.KERNEL32 ref: 01386256
    • AttachConsole.KERNEL32(00000000), ref: 0138625D
    • _wcslen.LIBCMT ref: 01386272
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 01386283
    • WriteConsoleW.KERNEL32(00000000), ref: 0138628A
    • Sleep.KERNEL32(00002710), ref: 01386295
    • FreeConsole.KERNEL32 ref: 0138629B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • __EH_prolog.LIBCMT ref: 0138F20D
      • Part of subcall function 0138DF81: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0138E049
      • Part of subcall function 0138DC12: _wcschr.LIBVCRUNTIME ref: 0138DC76
      • Part of subcall function 01386C21: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,01382CE4,?,?,?,01382C93,?,-00000002,?,00000000,?), ref: 01386C37
      • Part of subcall function 0138D5D8: GetCurrentDirectoryW.KERNEL32(?,?,0138DAB4,?,00000800), ref: 0138D5E0
    • SetFileAttributesW.KERNEL32(-00003C84,00000005,-00007C84,00000800,-0000FC8C,761A5509,?,00000000,0138E2BE,?,00000003), ref: 0138F342
      • Part of subcall function 0138311E: _wcschr.LIBVCRUNTIME ref: 01383163
      • Part of subcall function 0138311E: _wcschr.LIBVCRUNTIME ref: 01383173
      • Part of subcall function 0138311E: _wcslen.LIBCMT ref: 01383186
      • Part of subcall function 01382E13: _wcslen.LIBCMT ref: 01382E19
    • _wcslen.LIBCMT ref: 0138F37D
    • _wcslen.LIBCMT ref: 0138F391
    • _wcslen.LIBCMT ref: 0138F3B6
    • GetFileAttributesW.KERNEL32(-00003C84), ref: 0138F3FC
    • DeleteFileW.KERNEL32(-00003C84), ref: 0138F40A
    • GetFileAttributesW.KERNEL32(-0000103C), ref: 0138F442
    • MoveFileW.KERNEL32(-00003C84,-0000103C), ref: 0138F457
    • MoveFileExW.KERNEL32(-0000103C,00000005,00000004), ref: 0138F46B
      • Part of subcall function 013826D8: FindClose.KERNEL32(?), ref: 013826E4
      • Part of subcall function 0138E0D9: _wcslen.LIBCMT ref: 0138E12E
      • Part of subcall function 0138E0D9: _wcslen.LIBCMT ref: 0138E149
    • _wcslen.LIBCMT ref: 0138F4EC
    • _wcslen.LIBCMT ref: 0138F4F5
    • SetWindowTextW.USER32(?,-00005C84), ref: 0138F553
    • _wcslen.LIBCMT ref: 0138F595
    • _wcslen.LIBCMT ref: 0138F665
    • _wcslen.LIBCMT ref: 0138F689
    • _wcslen.LIBCMT ref: 0138F697
    • _wcsrchr.LIBVCRUNTIME ref: 0138F6D3
    • GetDlgItem.USER32(?,00000066), ref: 0138F713
    • SetWindowTextW.USER32(00000000,-0000103C), ref: 0138F723
    • SendMessageW.USER32(00000000,00000143,00000000,013D9E20), ref: 0138F737
    • SendMessageW.USER32(00000000,00000143,00000000,-0000103C), ref: 0138F760
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 0138367C: _wcschr.LIBVCRUNTIME ref: 013836AB
    • GetWindowRect.USER32(?,?), ref: 01383CEA
    • GetClientRect.USER32(?,?), ref: 01383CF6
    • GetWindowLongW.USER32(?,000000F0), ref: 01383D97
    • GetWindowRect.USER32(?,?), ref: 01383DC4
    • GetWindowTextW.USER32(?,?,00000400), ref: 01383DE3
    • SetWindowTextW.USER32(?,?), ref: 01383E0A
    • GetSystemMetrics.USER32(00000008), ref: 01383E12
    • GetWindow.USER32(?,00000005), ref: 01383E1D
    • GetWindowTextW.USER32(00000000,?,00000400), ref: 01383E48
    • GetWindow.USER32(00000000,00000002), ref: 01383EFA
      • Part of subcall function 0138370D: _strlen.LIBCMT ref: 01383793
      • Part of subcall function 0138370D: _strlen.LIBCMT ref: 013837C3
      • Part of subcall function 0138370D: _wcschr.LIBVCRUNTIME ref: 0138380D
      • Part of subcall function 0138370D: _wcsrchr.LIBVCRUNTIME ref: 01383859
    • SetWindowTextW.USER32(00000000,00000000), ref: 01383E75
    • GetWindowRect.USER32(00000000,?), ref: 01383E88
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • __EH_prolog.LIBCMT ref: 013838BA
    • _wcschr.LIBVCRUNTIME ref: 013838D8
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0138389C,?), ref: 013838F2
    • _wcsrchr.LIBVCRUNTIME ref: 01383900
      • Part of subcall function 01381D27: CreateFileW.KERNEL32(?,?,?,00000000,00000003,-00000001,00000000), ref: 01381DA7
      • Part of subcall function 01381D27: GetLastError.KERNEL32(?,?,00000000,00000003,-00000001,00000000), ref: 01381DB4
      • Part of subcall function 01381D27: CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000), ref: 01381DE9
      • Part of subcall function 01381D27: GetLastError.KERNEL32(?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 01381DF1
      • Part of subcall function 01386962: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,013831E7,00000000,?,?), ref: 0138697E
      • Part of subcall function 013820A7: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 013820DD
      • Part of subcall function 013820A7: GetLastError.KERNEL32 ref: 013820E9
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • _wcslen.LIBCMT ref: 0139018A
      • Part of subcall function 013830BA: _wcsrchr.LIBVCRUNTIME ref: 013830D1
      • Part of subcall function 01382E43: GetFullPathNameW.KERNEL32(?,00000800,?,?), ref: 01382E7A
      • Part of subcall function 01382E43: GetFullPathNameW.KERNEL32(?,00000800,?,?,?,?,00000800), ref: 01382EB0
    • ShellExecuteExW.SHELL32(000001C0), ref: 013902A4
    • ShowWindow.USER32(?,00000000), ref: 013902E9
      • Part of subcall function 013905CC: WaitForSingleObject.KERNEL32(?,0000000A), ref: 013905D8
      • Part of subcall function 013905CC: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 013905F1
      • Part of subcall function 013905CC: WaitForSingleObject.KERNEL32(?,0000000A), ref: 013905FC
    • GetExitCodeProcess.KERNEL32(?,?), ref: 01390317
    • CloseHandle.KERNEL32(?), ref: 0139033B
    • ShowWindow.USER32(?,00000001), ref: 0139039F
      • Part of subcall function 01386C21: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,01382CE4,?,?,?,01382C93,?,-00000002,?,00000000,?), ref: 01386C37
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • _wcslen.LIBCMT ref: 0138CA37
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C4B
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C5C
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C6C
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C7A
      • Part of subcall function 01386C43: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,?,00000000,?,01382B72,__rar_,00000000,00000006,?,?,00000000), ref: 01386C95
    • _wcslen.LIBCMT ref: 0138CAD8
    • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,0138D23A,?), ref: 0138CAE7
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 0138CB08
      • Part of subcall function 0138C8C3: GetTickCount.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 0138C8DC
      • Part of subcall function 0138C8C3: GetTickCount.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 0138C8FA
      • Part of subcall function 0138C8C3: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0138C910
      • Part of subcall function 0138C8C3: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0138C924
      • Part of subcall function 0138C8C3: TranslateMessage.USER32(?), ref: 0138C92F
      • Part of subcall function 0138C8C3: DispatchMessageW.USER32(?), ref: 0138C93A
      • Part of subcall function 0138C8C3: ShowWindow.USER32(?,00000005), ref: 0138C9EA
      • Part of subcall function 0138C8C3: SetWindowTextW.USER32(?,00000000), ref: 0138C9F4
      • Part of subcall function 0138CC1B: _wcslen.LIBCMT ref: 0138CC24
      • Part of subcall function 0138CC1B: _wcslen.LIBCMT ref: 0138CC59
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetWindow.USER32(?,00000005), ref: 01390096
    • GetClassNameW.USER32(00000000,?,00000800), ref: 013900C5
      • Part of subcall function 01386C21: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,01382CE4,?,?,?,01382C93,?,-00000002,?,00000000,?), ref: 01386C37
    • GetWindowLongW.USER32(00000000,000000F0), ref: 013900E3
    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 013900FA
      • Part of subcall function 0138D595: GetDC.USER32(00000000), ref: 0138D5A1
      • Part of subcall function 0138D595: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0138D5B0
      • Part of subcall function 0138D595: ReleaseDC.USER32(00000000,00000000), ref: 0138D5BE
      • Part of subcall function 0138D552: GetDC.USER32(00000000), ref: 0138D55E
      • Part of subcall function 0138D552: GetDeviceCaps.GDI32(00000000,00000058), ref: 0138D56D
      • Part of subcall function 0138D552: ReleaseDC.USER32(00000000,00000000), ref: 0138D57B
      • Part of subcall function 0138D642: DeleteObject.GDI32(00000000), ref: 0138D7F9
    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 01390134
    • DeleteObject.GDI32(00000000), ref: 01390143
    • GetWindow.USER32(00000000,00000002), ref: 0139014C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 01381170: GetDlgItem.USER32(00000000,00003021), ref: 013811B4
      • Part of subcall function 01381170: SetWindowTextW.USER32(00000000,013A4254), ref: 013811CA
    • SendMessageW.USER32(?,00000080,00000001,00100171), ref: 0138E264
    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,24050713), ref: 0138E279
      • Part of subcall function 01390075: GetWindow.USER32(?,00000005), ref: 01390096
      • Part of subcall function 01390075: GetClassNameW.USER32(00000000,?,00000800), ref: 013900C5
      • Part of subcall function 01390075: GetWindowLongW.USER32(00000000,000000F0), ref: 013900E3
      • Part of subcall function 01390075: SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 013900FA
      • Part of subcall function 01390075: SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 01390134
      • Part of subcall function 01390075: DeleteObject.GDI32(00000000), ref: 01390143
      • Part of subcall function 01390075: GetWindow.USER32(00000000,00000002), ref: 0139014C
    • GetDlgItem.USER32(?,00000065), ref: 0138E288
    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0138E29C
    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0138E2AE
      • Part of subcall function 0138F208: __EH_prolog.LIBCMT ref: 0138F20D
      • Part of subcall function 0138F208: SetFileAttributesW.KERNEL32(-00003C84,00000005,-00007C84,00000800,-0000FC8C,761A5509,?,00000000,0138E2BE,?,00000003), ref: 0138F342
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F37D
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F391
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F3B6
      • Part of subcall function 0138F208: GetFileAttributesW.KERNEL32(-00003C84), ref: 0138F3FC
      • Part of subcall function 0138F208: DeleteFileW.KERNEL32(-00003C84), ref: 0138F40A
      • Part of subcall function 0138F208: GetFileAttributesW.KERNEL32(-0000103C), ref: 0138F442
      • Part of subcall function 0138F208: MoveFileW.KERNEL32(-00003C84,-0000103C), ref: 0138F457
      • Part of subcall function 0138F208: MoveFileExW.KERNEL32(-0000103C,00000005,00000004), ref: 0138F46B
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F4EC
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F4F5
      • Part of subcall function 0138F208: SetWindowTextW.USER32(?,-00005C84), ref: 0138F553
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F595
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F665
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F689
      • Part of subcall function 0138F208: _wcslen.LIBCMT ref: 0138F697
      • Part of subcall function 0138F208: _wcsrchr.LIBVCRUNTIME ref: 0138F6D3
      • Part of subcall function 0138F208: GetDlgItem.USER32(?,00000066), ref: 0138F713
      • Part of subcall function 0138F208: SetWindowTextW.USER32(00000000,-0000103C), ref: 0138F723
      • Part of subcall function 0138F208: SendMessageW.USER32(00000000,00000143,00000000,013D9E20), ref: 0138F737
      • Part of subcall function 0138F208: SendMessageW.USER32(00000000,00000143,00000000,-0000103C), ref: 0138F760
    • EndDialog.USER32(?,00000001), ref: 0138E2F8
      • Part of subcall function 0138D0D1: ShowWindow.USER32(?,00000000), ref: 0138D0EA
      • Part of subcall function 0138D0D1: GetWindowRect.USER32(?,?), ref: 0138D10F
      • Part of subcall function 0138D0D1: ShowWindow.USER32(?,00000005), ref: 0138D1A6
      • Part of subcall function 0138D0D1: SetWindowTextW.USER32(?,00000000), ref: 0138D1AE
      • Part of subcall function 0138D0D1: ShowWindow.USER32(00000000,00000005), ref: 0138D1C4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetTickCount.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 0138C8DC
    • GetTickCount.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 0138C8FA
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0138C910
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0138C924
    • TranslateMessage.USER32(?), ref: 0138C92F
    • DispatchMessageW.USER32(?), ref: 0138C93A
      • Part of subcall function 0138CEEC: _wcslen.LIBCMT ref: 0138CEF9
    • ShowWindow.USER32(?,00000005), ref: 0138C9EA
    • SetWindowTextW.USER32(?,00000000), ref: 0138C9F4
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • _wcslen.LIBCMT ref: 0138CEF9
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C4B
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C5C
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C6C
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C7A
      • Part of subcall function 01386C43: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,?,00000000,?,01382B72,__rar_,00000000,00000006,?,?,00000000), ref: 01386C95
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetConsoleCP.KERNEL32 ref: 013A0D3F
    • __Stoull.NTSTC_LIBCMT ref: 013A0DBA
    • __Stoull.NTSTC_LIBCMT ref: 013A0DD5
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 013A0DFB
    • WriteFile.KERNEL32(?,00000000,00000000,013A1472,00000000), ref: 013A0E1A
    • WriteFile.KERNEL32(?,00000000,00000001,013A1472,00000000), ref: 013A0E53
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,013A1472,00000000,00000000,00000000,00000000,00000000,01397178), ref: 013A0E95
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 0138DC12: _wcschr.LIBVCRUNTIME ref: 0138DC76
      • Part of subcall function 01386C21: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,01382CE4,?,?,?,01382C93,?,-00000002,?,00000000,?), ref: 01386C37
      • Part of subcall function 0138D5D8: GetCurrentDirectoryW.KERNEL32(?,?,0138DAB4,?,00000800), ref: 0138D5E0
      • Part of subcall function 0138311E: _wcschr.LIBVCRUNTIME ref: 01383163
      • Part of subcall function 0138311E: _wcschr.LIBVCRUNTIME ref: 01383173
      • Part of subcall function 0138311E: _wcslen.LIBCMT ref: 01383186
      • Part of subcall function 01382E13: _wcslen.LIBCMT ref: 01382E19
      • Part of subcall function 013826D8: FindClose.KERNEL32(?), ref: 013826E4
      • Part of subcall function 0138E0D9: _wcslen.LIBCMT ref: 0138E12E
      • Part of subcall function 0138E0D9: _wcslen.LIBCMT ref: 0138E149
    • SetFileAttributesW.KERNEL32(-00003C84,00000005,-00007C84,00000800,-0000FC8C,761A5509,?,00000000,0138E2BE,?,00000003), ref: 0138F342
    • _wcslen.LIBCMT ref: 0138F37D
    • _wcslen.LIBCMT ref: 0138F391
    • _wcslen.LIBCMT ref: 0138F3B6
    • GetFileAttributesW.KERNEL32(-00003C84), ref: 0138F3FC
    • DeleteFileW.KERNEL32(-00003C84), ref: 0138F40A
    • GetFileAttributesW.KERNEL32(-0000103C), ref: 0138F442
    • MoveFileW.KERNEL32(-00003C84,-0000103C), ref: 0138F457
    • MoveFileExW.KERNEL32(-0000103C,00000005,00000004), ref: 0138F46B
    • _wcslen.LIBCMT ref: 0138F4EC
    • _wcslen.LIBCMT ref: 0138F4F5
    • SetWindowTextW.USER32(?,-00005C84), ref: 0138F553
    • _wcslen.LIBCMT ref: 0138F595
    • _wcslen.LIBCMT ref: 0138F665
    • _wcslen.LIBCMT ref: 0138F689
    • _wcslen.LIBCMT ref: 0138F697
    • _wcsrchr.LIBVCRUNTIME ref: 0138F6D3
    • GetDlgItem.USER32(?,00000066), ref: 0138F713
    • SetWindowTextW.USER32(00000000,-0000103C), ref: 0138F723
    • SendMessageW.USER32(00000000,00000143,00000000,013D9E20), ref: 0138F737
    • SendMessageW.USER32(00000000,00000143,00000000,-0000103C), ref: 0138F760
    • GetTempPathW.KERNEL32(00000800,?), ref: 0138F88F
    • GetFileAttributesW.KERNEL32(?), ref: 0138F8FD
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0138F910
    • _wcschr.LIBVCRUNTIME ref: 0138F943
    • EndDialog.USER32(?,00000001), ref: 0138FA19
      • Part of subcall function 0138DF81: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0138E049
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • ShowWindow.USER32(?,00000000), ref: 0138D0EA
    • GetWindowRect.USER32(?,?), ref: 0138D10F
    • ShowWindow.USER32(00000000,00000005), ref: 0138D1C4
      • Part of subcall function 0138CEEC: _wcslen.LIBCMT ref: 0138CEF9
    • ShowWindow.USER32(?,00000005), ref: 0138D1A6
    • SetWindowTextW.USER32(?,00000000), ref: 0138D1AE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,01390F17,?,?,01390E65,01391160), ref: 01390EA6
    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive,?,?,01390F17,?,?,01390E65,01391160), ref: 01390EBC
    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive,?,?,01390F17,?,?,01390E65,01391160), ref: 01390ED1
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0138638C
      • Part of subcall function 0138299B: GetVersionExW.KERNEL32(?), ref: 013829C0
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 013863AE
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 013863C8
    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 013863D9
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 013863E9
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 013863F5
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • __alldiv.INT64 ref: 01387F51
      • Part of subcall function 01381CAE: __EH_prolog.LIBCMT ref: 01381CB3
    • _memcmp.LIBVCRUNTIME ref: 0138822C
      • Part of subcall function 01382343: DeleteFileW.KERNELBASE(?,?,?,01381C15,?,?,01381A39), ref: 01382354
      • Part of subcall function 01382343: DeleteFileW.KERNEL32(?,?,?,00000800,?,?,01381C15,?,?,01381A39), ref: 01382382
      • Part of subcall function 01382126: SetEndOfFile.KERNEL32(?,013882BA), ref: 01382129
      • Part of subcall function 01388C95: __EH_prolog.LIBCMT ref: 01388C9A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • _wcslen.LIBCMT ref: 01383227
    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,?,?,?,01382377,?,?,00000800,?,?,01381C15,?), ref: 013832CD
      • Part of subcall function 01382E13: _wcslen.LIBCMT ref: 01382E19
    • _wcslen.LIBCMT ref: 01383345
      • Part of subcall function 01385A36: _wcslen.LIBCMT ref: 01385A3C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • _strlen.LIBCMT ref: 01383793
      • Part of subcall function 01386B5B: WideCharToMultiByte.KERNEL32(00000000,00000000,013A4254,000000FF,?,00000001,00000000,00000000,00000000,?,?,013837B6,?,013836A4,00001000), ref: 01386B78
    • _strlen.LIBCMT ref: 013837C3
    • _wcschr.LIBVCRUNTIME ref: 0138380D
    • _wcsrchr.LIBVCRUNTIME ref: 01383859
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 01381170: GetDlgItem.USER32(00000000,00003021), ref: 013811B4
      • Part of subcall function 01381170: SetWindowTextW.USER32(00000000,013A4254), ref: 013811CA
    • EndDialog.USER32(?,00000001), ref: 0139002E
    • GetDlgItemTextW.USER32(?,00000066,00000800), ref: 01390044
    • SetDlgItemTextW.USER32(?,00000065,?), ref: 0139005E
    • SetDlgItemTextW.USER32(?,00000066), ref: 01390069
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,013991EA,?,?,0139918A,?,013AB720,0000000C,0139929D,?,00000002), ref: 01399215
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000002,?,?,?,013991EA,?,?,0139918A,?,013AB720,0000000C,0139929D,?,00000002), ref: 01399228
    • FreeLibrary.KERNEL32(00000000,?,?,?,013991EA,?,?,0139918A,?,013AB720,0000000C,0139929D,?,00000002,00000000), ref: 0139924B
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 01385CCD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01385CE8
      • Part of subcall function 01385CCD: LoadLibraryW.KERNEL32(?), ref: 01385D0A
    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory,Crypt32.dll,?,01384C84,?,01384C68,?,?,?,?,?,00000080), ref: 01384C0E
    • GetProcAddress.KERNEL32(013B4C90,CryptUnprotectMemory,?,01384C84,?,01384C68,?,?,?,?,?,00000080), ref: 01384C1E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • _wcslen.LIBCMT ref: 01386C4B
    • _wcslen.LIBCMT ref: 01386C5C
    • _wcslen.LIBCMT ref: 01386C6C
    • _wcslen.LIBCMT ref: 01386C7A
    • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,?,00000000,?,01382B72,__rar_,00000000,00000006,?,?,00000000), ref: 01386C95
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 013951B0: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139A251
    • EncodePointer.KERNEL32(00000000,00000000,?,?,?,?,?,?,013AB6E4,19930522,00000000,1FFFFFFF), ref: 01395A3B
    • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 01395A97
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • CharUpperW.USER32(?), ref: 0138F0F1
    • CharUpperW.USER32(?), ref: 0138F118
      • Part of subcall function 01384D18: _wcslen.LIBCMT ref: 01384D4E
    • CharUpperW.USER32(?), ref: 0138F174
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 01381170: GetDlgItem.USER32(00000000,00003021), ref: 013811B4
      • Part of subcall function 01381170: SetWindowTextW.USER32(00000000,013A4254), ref: 013811CA
    • EndDialog.USER32(?,00000001), ref: 0138DF29
    • GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 0138DF41
      • Part of subcall function 01384D18: _wcslen.LIBCMT ref: 01384D4E
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0138DF6F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • DialogBoxParamW.USER32(RENAMEDLG,0138FFE3,?), ref: 01390673
    • DialogBoxParamW.USER32(REPLACEFILEDLG,0138ECFC,?,00000800,?), ref: 0139068B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 01383C33
    • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 01383C42
      • Part of subcall function 0138370D: _strlen.LIBCMT ref: 01383793
      • Part of subcall function 0138370D: _strlen.LIBCMT ref: 013837C3
      • Part of subcall function 0138370D: _wcschr.LIBVCRUNTIME ref: 0138380D
      • Part of subcall function 0138370D: _wcsrchr.LIBVCRUNTIME ref: 01383859
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
      • Part of subcall function 013823AA: GetFileAttributesW.KERNELBASE(?), ref: 013823BB
      • Part of subcall function 013823AA: GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 013823E7
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 01382576
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 013825BA
    • SetFileTime.KERNEL32(?,?,?,00000000), ref: 0138263B
    • CloseHandle.KERNEL32(?), ref: 01382642
      • Part of subcall function 01382669: SetFileAttributesW.KERNELBASE(?,00000000,?,?,0138249F,?,?), ref: 0138267D
      • Part of subcall function 01382669: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,?,0138249F,?,?), ref: 013826AE
      • Part of subcall function 013862B6: __aulldiv.INT64 ref: 013862BF
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383227
      • Part of subcall function 01383201: GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,?,?,?,01382377,?,?,00000800,?,?,01381C15,?), ref: 013832CD
      • Part of subcall function 01383201: _wcslen.LIBCMT ref: 01383345
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,4DE85006,01396CBE,00000000,00000000,013974EC,?,013974EC,?,00000001,01396CBE,4DE85006,00000001,013974EC,013974EC), ref: 0139DBC6
      • Part of subcall function 0139A1E7: RtlAllocateHeap.NTDLL(00000000,?,?,?,013968D4,?,0000015D,?,?,?,?,01397453,000000FF,00000000,?,?), ref: 0139A219
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0139DC4F
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0139DC61
    • __freea.LIBCMT ref: 0139DC6A
      • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 0139D13E
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0139D161
      • Part of subcall function 0139A1E7: RtlAllocateHeap.NTDLL(00000000,?,?,?,013968D4,?,0000015D,?,?,?,?,01397453,000000FF,00000000,?,?), ref: 0139A219
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0139D187
      • Part of subcall function 0139A1AD: HeapFree.KERNEL32(00000000,00000000), ref: 0139A1C3
      • Part of subcall function 0139A1AD: GetLastError.KERNEL32(00000000,?,0139DA87,00000000,00000000,00000000,00000000,?,0139DAAE,00000000,00000007,00000000,?,0139DEAB,00000000,00000000), ref: 0139A1D5
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0139D1A9
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 013921F8
    • GetCurrentThreadId.KERNEL32 ref: 01392207
    • GetCurrentProcessId.KERNEL32 ref: 01392210
    • QueryPerformanceCounter.KERNEL32(?), ref: 0139221D
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0138E1C4
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0138E1D5
    • TranslateMessage.USER32(?), ref: 0138E1DF
    • DispatchMessageW.USER32(?), ref: 0138E1E9
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • _wcslen.LIBCMT ref: 01382A49
      • Part of subcall function 01382B98: _wcschr.LIBVCRUNTIME ref: 01382C3D
      • Part of subcall function 01382B98: _wcschr.LIBVCRUNTIME ref: 01382C7A
    • _wcslen.LIBCMT ref: 01382B32
      • Part of subcall function 01383528: _wcslen.LIBCMT ref: 01383530
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C4B
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C5C
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C6C
      • Part of subcall function 01386C43: _wcslen.LIBCMT ref: 01386C7A
      • Part of subcall function 01386C43: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,?,00000000,?,01382B72,__rar_,00000000,00000006,?,?,00000000), ref: 01386C95
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • _wcslen.LIBCMT ref: 0138E12E
    • _wcslen.LIBCMT ref: 0138E149
      • Part of subcall function 0138DF81: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0138E049
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetCurrentProcessId.KERNEL32(?,00000080,?,01384C68), ref: 01384CEF
      • Part of subcall function 01384BEF: GetProcAddress.KERNEL32(00000000,CryptProtectMemory,Crypt32.dll,?,01384C84,?,01384C68,?,?,?,?,?,00000080), ref: 01384C0E
      • Part of subcall function 01384BEF: GetProcAddress.KERNEL32(013B4C90,CryptUnprotectMemory,?,01384C84,?,01384C68,?,?,?,?,?,00000080), ref: 01384C1E
    Strings
    • CryptProtectMemory failed, xrefs: 01384CAF
    • CryptUnprotectMemory failed, xrefs: 01384CE7
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
    APIs
    • GetDlgItem.USER32(00000000,00003021), ref: 013811B4
    • SetWindowTextW.USER32(00000000,013A4254), ref: 013811CA
      • Part of subcall function 01383C8C: GetWindowLongW.USER32(?,000000EC), ref: 01383C98
      • Part of subcall function 01383C8C: SetWindowLongW.USER32(00000030,000000EC,00000000), ref: 01383CAA
      • Part of subcall function 01383CB3: GetWindowRect.USER32(?,?), ref: 01383CEA
      • Part of subcall function 01383CB3: GetClientRect.USER32(?,?), ref: 01383CF6
      • Part of subcall function 01383CB3: GetWindowLongW.USER32(?,000000F0), ref: 01383D97
      • Part of subcall function 01383CB3: GetWindowRect.USER32(?,?), ref: 01383DC4
      • Part of subcall function 01383CB3: GetWindowTextW.USER32(?,?,00000400), ref: 01383DE3
      • Part of subcall function 01383CB3: SetWindowTextW.USER32(?,?), ref: 01383E0A
      • Part of subcall function 01383CB3: GetSystemMetrics.USER32(00000008), ref: 01383E12
      • Part of subcall function 01383CB3: GetWindow.USER32(?,00000005), ref: 01383E1D
      • Part of subcall function 01383CB3: GetWindowTextW.USER32(00000000,?,00000400), ref: 01383E48
      • Part of subcall function 01383CB3: SetWindowTextW.USER32(00000000,00000000), ref: 01383E75
      • Part of subcall function 01383CB3: GetWindowRect.USER32(00000000,?), ref: 01383E88
      • Part of subcall function 01383CB3: GetWindow.USER32(00000000,00000002), ref: 01383EFA
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.488273690.01381000.00000020.sdmp, Offset: 01380000, based on PE: true
    • Associated: 00000001.00000002.488267547.01380000.00000002.sdmp
    • Associated: 00000001.00000002.488282204.013A4000.00000002.sdmp
    • Associated: 00000001.00000002.488289481.013AD000.00000004.sdmp
    • Associated: 00000001.00000002.488298634.013DE000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1380000_Xtaqxu6frQ.jbxd
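The listing above is machine-generated and repeats the same record layout for every function: an `APIs` list (one line per call site, with `Part of subcall function` lines for callees), an optional `Strings` list with `xrefs`, and the memory-dump provenance. What an analyst actually wants from it is a flat view of the interesting calls, in particular which names the sample resolves at runtime through `GetProcAddress` (here `AcquireSRWLockExclusive`, `ReleaseSRWLockExclusive`, `CryptProtectMemory`, `CryptUnprotectMemory`) and which file-system calls fire. The following Python script is an added example, not part of the Joe Sandbox report or of its tooling: it parses lines in exactly the format printed above and triages them. The `SAMPLE` text is copied verbatim from the records above; the `WATCHLIST` and the function names are this example's own choices.

```python
"""Parse Joe Sandbox Hybrid Code Analysis (HCA) API/Strings listings and triage them."""
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the HCA records above (several records merged).
SAMPLE = """\
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,01390F17,?,?,01390E65,01391160), ref: 01390EA6
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive,?,?,01390F17,?,?,01390E65,01391160), ref: 01390EBC
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive,?,?,01390F17,?,?,01390E65,01391160), ref: 01390ED1
• SetFileAttributesW.KERNEL32(-00003C84,00000005,-00007C84,00000800,-0000FC8C,761A5509,?,00000000,0138E2BE,?,00000003), ref: 0138F342
• DeleteFileW.KERNEL32(-00003C84), ref: 0138F40A
• MoveFileExW.KERNEL32(-0000103C,00000005,00000004), ref: 0138F46B
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory,Crypt32.dll,?,01384C84,?,01384C68,?,?,?,?,?,00000080), ref: 01384C0E
• GetProcAddress.KERNEL32(013B4C90,CryptUnprotectMemory,?,01384C84,?,01384C68,?,?,?,?,?,00000080), ref: 01384C1E
• _wcslen.LIBCMT ref: 0138F37D
• GetConsoleCP.KERNEL32 ref: 013A0D3F
  • Part of subcall function 01391CE3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0139235A
• CryptProtectMemory failed, xrefs: 01384CAF
• CryptUnprotectMemory failed, xrefs: 01384CE7
"""

# One API call site: "[Part of subcall function X: ]Api.MODULE[(args)], ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# One Strings entry: "text, xrefs: ADDR"
STR_RE = re.compile(r"^\s*•\s*(?P<text>.+?),\s*xrefs:\s*(?P<ref>[0-9A-F]+)\s*$")

# Example watchlist (this script's own choice, not a Joe Sandbox signature set).
WATCHLIST = {
    "GetProcAddress": "dynamic import resolution",
    "DeleteFileW": "file deletion",
    "MoveFileExW": "file move (flag 0x4 = MOVEFILE_DELAY_UNTIL_REBOOT)",
    "SetFileAttributesW": "file attribute change",
    "CreateFileW": "file open/create",
}
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME", "NTSTC_LIBCMT", "INT64"}


def parse_calls(text):
    """Return one dict per API line; argument values are taken as printed."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        calls.append({"api": m["api"], "module": m["module"], "args": args,
                      "ref": int(m["ref"], 16), "subcall_of": m["caller"]})
    return calls


def parse_strings(text):
    """Return (string, xref address) pairs from Strings entries."""
    return [(m["text"], int(m["ref"], 16))
            for m in (STR_RE.match(l) for l in text.splitlines()) if m]


def resolved_names(calls):
    """Names resolved at runtime: the second GetProcAddress argument (lpProcName)."""
    return [c["args"][1] for c in calls
            if c["api"] == "GetProcAddress" and len(c["args"]) >= 2]


def triage(calls):
    """Map each watchlisted API to the call-site addresses where it appears."""
    hits = defaultdict(list)
    for c in calls:
        if c["api"] in WATCHLIST:
            hits[c["api"]].append(f"{c['ref']:08X}")
    return dict(hits)


def module_profile(calls):
    """Count Win32 calls per module, ignoring CRT helpers such as _wcslen."""
    return Counter(c["module"] for c in calls if c["module"] not in CRT_MODULES)


if __name__ == "__main__":
    calls = parse_calls(SAMPLE)
    print("resolved at runtime:", resolved_names(calls))
    print("strings:", parse_strings(SAMPLE))
    for api, refs in triage(calls).items():
        print(f"{api:20s} {WATCHLIST[api]:45s} at {', '.join(refs)}")
    print("modules:", dict(module_profile(calls)))
```

Two caveats when reading the output. The argument columns are recovered from the stack at the call site, so entries such as `?`, negative offsets like `-00003C84`, or a return address sitting in an argument slot are artefacts of that recovery, not the actual parameter values; only string arguments (the `GetProcAddress` names, `Crypt32.dll`, `__rar_`) and small constants are worth trusting. Also, a record lists the APIs the function references, not the calls that were observed at runtime; cross-check anything interesting against the behavioural (HCA-executed) part of the report before treating it as a finding.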

    Execution Graph

    Execution Coverage:15.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:100%
    Total number of Nodes:11
    Total number of Limit Nodes:0

    Graph

    Callgraph

    Executed Functions

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 579800-57981c NtCreateFile
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    control_flow_graph 10 579e90-579e9c NtMapViewOfSection
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    control_flow_graph 4 5799d0-5799dc NtCreateKey
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    control_flow_graph 2 579890-57989c NtQueryAttributesFile
    APIs
    • NtQueryAttributesFile.NTDLL ref: 0057989A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 9 579b50-579b5c NtOpenSection
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 7 579ad0-579adc NtCreateMutant
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1 579850-57985c NtOpenFile
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 8 579b10-579b1c NtCreateSection
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 5 579a10-579a1c NtOpenKey
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 6 579a50-579a5c NtOpenKeyEx
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 3 579910-57991c NtSetInformationFile
    APIs
    • NtSetInformationFile.NTDLL ref: 0057991A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.498995174.00579000.00000020.sdmp, Offset: 00579000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_579000_AcroRd32.jbxd

    Non-executed Functions

    Execution Graph

    Execution Coverage:16.5%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:100%
    Total number of Nodes:12
    Total number of Limit Nodes:0

    Graph

    Callgraph

    Executed Functions

    Memory Dump Source (shared by all functions below)
    • Source File: 00000006.00000002.790305868.00177000.00000020.sdmp, Offset: 00177000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_177000_AcroRd32.jbxd

    Executed functions (one control-flow graph per function; no strings were listed for any of them)

    CFG   Address range      Function               APIs
    0     177000-17701c      NtCreateFile           -
    6     177250-17725c      NtOpenKeyEx            -
    7     1772d0-1772dc      NtCreateMutant         -
    3     177110-17711c      NtSetInformationFile   NtSetInformationFile.NTDLL ref: 0017711A
    9     177350-17735c      NtOpenSection          -
    11    177690-17769c      NtMapViewOfSection     -
    10    177390-17739c      NtDeleteValueKey       -
    1     177050-17705c      NtOpenFile             -
    8     177310-17731c      NtCreateSection        -
    2     177090-17709c      NtQueryAttributesFile  NtQueryAttributesFile.NTDLL ref: 0017709A
    4     1771d0-1771dc      NtCreateKey            -
    5     177210-17721c      NtOpenKey              -

    Non-executed Functions