Analysis Report

Overview

General Information

Analysis ID:	10158
Start time:	22:51:38
Start date:	22/07/2015
Overall analysis duration:	0h 3m 25s
Report type:	full
Sample file name:	1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe
Cookbook file name:	default.jbs
Analysis system description:	XP SP3 Native, physical Machine for testing VM-aware malware (Office 2003 SP3, Acrobat Reader 9.4.0, Flash 11.2, Internet Explorer 8)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
HCA enabled:	true
HCA success:	true, ratio: 99% Number of executed functions: 169 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .exe
Warnings:	Show All Connection to analysis system has been lost Exclude process from analysis (whitelisted): kmixer.sys Execution Graph export aborted for target 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe, PID 1560 because it has too many nodes Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	64	0 - 100	Report FP / FN

Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_1_00401D10 CancelWaitableTimer,KiUserApcDispatcher,GetKeyboardType,GetNextDlgTabItem,TextOutA,GetNumaAvailableMemoryNode,GetArcDirection,GetProcessHandleCount,GetProcessAffinityMask,VirtualAlloc,GetSystemMetrics,GetUserObjectInformationA,GetNumaNodeProcessorMask,DPtoLP,Polygon,IsZoomed,SetSystemPaletteUse,Escape,SetDeviceGammaRamp,GlobalCompact,EndPage,GetNearestPaletteIndex,ExcludeClipRect,LineTo,GetTextMetricsW,GetSysColor,GdiSetBatchLimit,OpenClipboard,AnyPopup,ConvertThreadToFiber,CreateIconFromResourceEx,

0_1_00401D10

Networking:

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.0.20:1370 -> 194.165.16.15:55667
Source: global traffic	TCP traffic: 192.168.0.20:1371 -> 213.110.134.23:48755

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run shadow
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run shadow
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce shadow
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce shadow
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce shadow
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce shadow

Creates an undocumented autostart registry key

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Key value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Run

Monitors registry run keys for changes

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry key monitored: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry key monitored: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

File created: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_1_00409153 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_1_00409153

Generates new code (likely due to unpacking of malware or shellcode)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code execution: Found new code
Source: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe	Code execution: Found new code

PE file contains an invalid checksum

Show sources

Source: initial sample

Static PE information: real checksum: 0x0 should be: 0x5a690

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_004021F1 GetSystemDirectoryW,lstrcatW,FindFirstFileW,lstrcpyW,GetFileVersionInfoSizeW,lstrcpyW,FindClose,	0_2_004021F1
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_00405D96 FindFirstFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00405D96
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_00406925 memset,FindFirstFileW,Sleep,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00406925
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_0040A044 CoInitialize,FindFirstFileW,FindNextFileW,FindClose,CoUninitialize,	0_2_0040A044
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_01D02EC9 FindFirstFileW,FindNextFileW,FindClose,	0_2_01D02EC9
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_01D0311B FindFirstFileW,FindNextFileW,FindClose,	0_2_01D0311B

System Summary:

Tries to open an application configuration file (.cfg)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

File opened: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\jinstall.cfg

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_1_00405B40 RegisterClassW,SetHandleCount,IsBadReadPtr,TlsAlloc,SetDlgItemTextA,GetDC,WaitForMultipleObjects,GetDlgItem,ClientToScreen,GetCharWidthA,OleGetClipboard,AdjustTokenPrivileges,GetStringTypeA,		0_1_00405B40
Source: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe	Code function: 4_1_00405B40 RegisterClassW,SetHandleCount,IsBadReadPtr,TlsAlloc,SetDlgItemTextA,GetDC,WaitForMultipleObjects,GetDlgItem,ClientToScreen,GetCharWidthA,OleGetClipboard,AdjustTokenPrivileges,GetStringTypeA,		4_1_00405B40

Contains functionality to enum processes or threads

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_00404E98 CreateToolhelp32Snapshot,memset,Process32FirstW,StrStrIW,Process32NextW,

0_2_00404E98

PE file has an executable .text section and no other executable section

Show sources

Source: initial sample

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

File read: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\desktop.ini

Spawns processes

Show sources

Source: unknown	Process created: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe
Source: unknown	Process created: C:\WINDOWS\system32\cmd.exe
Source: unknown	Process created: C:\WINDOWS\system32\cmd.exe
Source: unknown	Process created: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe
Source: unknown	Process created: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process created: C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 >> nul
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process created: C:\WINDOWS\system32\cmd.exe /d /c del C:\1B4268~1.EXE

Uses an in-process (OLE) Automation server

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Contains functionality to call native functions

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_004056E6 SetFileTime,RtlDosPathNameToNtPathName_U,NtDeleteFile,RtlFreeUnicodeString,	0_2_004056E6
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_004061DB GetCurrentProcess,ZwQueryInformationProcess,ZwQueryInformationProcess,ZwQueryInformationProcess,	0_2_004061DB
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_00404F33 VirtualAlloc,VirtualProtect,ZwOpenProcess,VirtualFree,OpenProcess,	0_2_00404F33
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_0040EB29 NtQueryVirtualMemory,	0_2_0040EB29
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_004050D0 ZwQuerySystemInformation,	0_2_004050D0
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_01D045B9 NtQueryVirtualMemory,	0_2_01D045B9

Creates files inside the system directory

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

File created: C:\WINDOWS\system32\WBEM\Logs\wbemprox.log

Creates mutexes

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Mutant created: \BaseNamedObjects\shell.{9ACF3D44-51A9-C55B-FB62-1EE7404E1F9F}
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Mutant created: \BaseNamedObjects\shell.{1328C3B7-1A18-B7BC-4C80-A7E5DA799A13}

Enables driver privileges

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Process token adjusted: Load Driver

Tries to load missing DLLs

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Section loaded: xpsp2res.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_004083CB AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004083CB

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_1_00406B7A SetUnhandledExceptionFilter,	0_1_00406B7A
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_1_00406218 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_1_00406218
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_1_00408A2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_1_00408A2E
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_1_0040B38C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_1_0040B38C
Source: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe	Code function: 4_1_00406B7A SetUnhandledExceptionFilter,	4_1_00406B7A
Source: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe	Code function: 4_1_00406218 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_1_00406218
Source: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe	Code function: 4_1_00408A2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_1_00408A2E
Source: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe	Code function: 4_1_0040B38C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_1_0040B38C

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Memory protected: page read and write and page guard

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_00406791 rdtsc

0_2_00406791

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_1_00406218 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_1_00406218

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_00404F33 VirtualProtect 00000000,00000008,00000104,?

0_2_00404F33

Contains functionality to dynamically determine API calls

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_1_00409153 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_1_00409153

Contains functionality to read the PEB

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_003E0000 mov eax, dword ptr fs:[00000030h]	0_2_003E0000
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_003E0000 mov ecx, dword ptr fs:[00000030h]	0_2_003E0000
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_003E0408 mov eax, dword ptr fs:[00000030h]	0_2_003E0408

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_0040E61F GetProcessHeaps,

0_2_0040E61F

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_1_00401530 SetProcessShutdownParameters,CheckRemoteDebuggerPresent,GetFileType,GlobalUnfix,

0_1_00401530

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_004021F1 GetSystemDirectoryW,lstrcatW,FindFirstFileW,lstrcpyW,GetFileVersionInfoSizeW,lstrcpyW,FindClose,	0_2_004021F1
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_00405D96 FindFirstFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00405D96
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_00406925 memset,FindFirstFileW,Sleep,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00406925
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_0040A044 CoInitialize,FindFirstFileW,FindNextFileW,FindClose,CoUninitialize,	0_2_0040A044
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_01D02EC9 FindFirstFileW,FindNextFileW,FindClose,	0_2_01D02EC9
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: 0_2_01D0311B FindFirstFileW,FindNextFileW,FindClose,	0_2_01D0311B

Contains functionality to query system information

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_00402EF3 GetDateFormatA,GetTimeFormatA,wsprintfA,GetCurrentProcess,GetSystemInfo,GlobalMemoryStatusEx,GetUserNameExA,GetTickCount,GetTickCount,GetLastInputInfo,GetTickCount,

0_2_00402EF3

May tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: vmhgfs.sys
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: vmmouse.sys
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: VBoxMouse.sys

Queries a list of all running processes

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Process information queried: ProcessInformation

Contains capabilities to detect virtual machines

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_00406791 rdtsc

0_2_00406791

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_4-3806

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe TID: 1528	Thread sleep count: 334 > 100
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe TID: 2556	Thread sleep time: -60000ms >= -60000ms

Tries to detect sandboxes and other dynamic analysis tools (process name)

Show sources

Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: WIRESHARK.EXE
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: SNIFF_HIT.EXE
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: SBIEDLL.DLL
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: DIR_WATCH.DLL
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: API_LOG.DLL
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: OLLYDBG.EXE
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: DUMPCAP.EXE
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: SYSANALYZER.EXE

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\cmd.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Registry key monitored for changes: \REGISTRY\USER

Stores large binary data to the registry

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Key value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{86b09800-76a6-ae32-d0af-c33314a5849e} IA2YOebV-y0vfh

Creates files in the recycle bin to hide itself

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

File created: C:\Recycler\S-1-5-21-1417001333-113007714-2147148427-500\$ast-S-1-5-21-1417001333-113007714-2147148427-500

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Show sources

Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: ollydbg.exe
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: wireshark.exe
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: \??\C:\Programme\Avira\Antivirus\avcenter.exe
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: \??\C:\Programme\Avira\Antivirus\avguard.exe
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: \??\C:\Programme\Avira\Antivirus\sched.exe
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: \??\C:\Dokumente und Einstellungen\Administrator\Desktop\procexp.exe
Source: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Binary or memory string: \??\C:\Programme\Avira\Antivirus\avgnt.exe

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_004054E1 GetModuleHandleW,GetProcAddress,GetSystemTimes,Sleep,GetSystemTimes,_allmul,_alldiv,

0_2_004054E1

Contains functionality to query the account / user name

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_00402EF3 GetDateFormatA,GetTimeFormatA,wsprintfA,GetCurrentProcess,GetSystemInfo,GlobalMemoryStatusEx,GetUserNameExA,GetTickCount,GetTickCount,GetLastInputInfo,GetTickCount,

0_2_00402EF3

Contains functionality to query windows version

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_0040547F memset,GetVersionExW,

0_2_0040547F

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Code function: GetLocaleInfoA,		0_1_0040BD88
Source: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe	Code function: GetLocaleInfoA,		4_1_0040BD88

Contains functionality to detect query CPU information (cpuid)

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe

Code function: 0_2_004015AC cpuid

0_2_004015AC

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Qeruies volume information: C:\ VolumeInformation
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Qeruies volume information: C:\ VolumeInformation
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Qeruies volume information: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe VolumeInformation
Source: C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe	Qeruies volume information: C:\Dokumente und Einstellungen\Administrator\Startmen \Programme\Autostart\shadow.lnk VolumeInformation

Yara Overview

No Yara matches

Screenshot

Startup

system is xp6native

1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe (PID: 1560 MD5: 9437EABF2FE5D32101E3FBF9F6027880)

cmd.exe (PID: 2260 cmdline: /c ping 127.0.0.1 >> nul MD5: 9B890F756D087991322464912FE68E75)

shadow.exe (PID: 3976 MD5: B47B4634A0DD6BCCD5309C3679856DA0)

shadow.exe (PID: 2988 MD5: B47B4634A0DD6BCCD5309C3679856DA0)

cmd.exe (PID: 2436 cmdline: /d /c del C:\1B4268~1.EXE MD5: 9B890F756D087991322464912FE68E75)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: D41D8CD98F00B204E9800998ECF8427E SHA: 10BF834EBD30419419FA1A966CF2904522D3BFA2 SHA-256: 36B3B1AAD488A22645A0F8F91AE7A9B9DC257FA3804A4661D69D2A47A45E589B SHA-512: 8E6F057E6B438A7ACDDEF86E70EF3E536A376DD64F576DC9D22865FC72B10D951D2FB6F10E88163E011E698D27A0203C44F13CD861B67E5769F0BFDF0A83E41D
C:\Dokumente und Einstellungen\Administrator\Startmen \Programme\Autostart\shadow.lnk	Type: MS Windows shortcut MD5: D41D8CD98F00B204E9800998ECF8427E SHA: 0278CA4C632420422C8427AAF203308F94BB4B04 SHA-256: A65146407A704147E966D9D6B28DC56D2806020EAB8BD06BD51659C6709F1E51 SHA-512: 4EF519F181E1FF2679094A1B4589710F725343BCE2B355673430B2B625A89598AB4AA848A971D293C54E0C7B9659535C3A1220297B8635B53334D2F623CA4F78
C:\RECYCLER\S-1-5-21-1417001333-113007714-2147148427-500\$ast-S-1-5-21-1417001333-113007714-2147148427-500\-LAYXHQzQlNxxGMa1I_bSU0J.dat	Type: MD5: D41D8CD98F00B204E9800998ECF8427E SHA: 281945A55BF931543A020B517A6BDF7C90474554 SHA-256: C335B96942FD2835B0380FE096F308AB690E146B942BEF97D3F76E12E0E651F4 SHA-512: 71F84D77DAD85EA81BF3C010DD78E8315B219668DC02D4692D6095C37B6EEC566E2EBE058953F2E7FBD83966A0DA823E3604D2E6868B8E4189559FA17768B85A
C:\RECYCLER\S-1-5-21-1417001333-113007714-2147148427-500\$ast-S-1-5-21-1417001333-113007714-2147148427-500\1m6jkOc-NuTHi9bWIpIow9mC.dat	Type: Compiled PSI (v1) data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: D810D30E5586403405DC95032DE294AFEC96A161 SHA-256: 4F03AE08DAF2E1F7402F3944EC969FC7927C4340239E464BAB307BCED3B1162A SHA-512: 9158600293CDB4634563AE683833C1AF0E29DF6CD0992CE8E1EBF075DBF4E8CF4810A04B0D1585FF4BE452DD63F36D68F0E2EFBBCED9FF326F97853907EDBA0E
C:\RECYCLER\S-1-5-21-1417001333-113007714-2147148427-500\$ast-S-1-5-21-1417001333-113007714-2147148427-500\JU4wVfMo_3T2SOC4tHExnA1GzN.dat	Type: Compiled PSI (v1) data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: EF8C3BF4B57D6FF8DDC4B493FA478508531F87CB SHA-256: 9D6E4B836B0AED05084BA4C24E7F62E8F0300A65ECB251C91316C6B4021DEF2D SHA-512: 515387FBFA081BC1546A0B36CB44B0CD16A4F5FB30AEE6DC6C0A29C17E07D2120561CB4018D4A851DC3C273DCF31283A02320EEF7CFCFD50DF29E29A0E40FBAA
C:\RECYCLER\S-1-5-21-1417001333-113007714-2147148427-500\$ast-S-1-5-21-1417001333-113007714-2147148427-500\V8h2-t0BS9QHXBVNd8BCT54z3UEc-.dat	Type: Compiled PSI (v1) data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: A425A6256B041DEAFD164AE5A831D8CFD95A69E6 SHA-256: 713726863A302001AC64846215655A98D1843BA3423D7CCA64CDA8DD04BDC9BE SHA-512: D5367829FEA71F4F55B01FE2ECC9073652D2EC340750CAA55CD7D9C939B45A41CB6D406A5382A613E82F512F409721B7BA06287BE7AB215BC1993129377CC53F
C:\WINDOWS\system32\wbem\Logs\wbemprox.log	Type: ASCII text, with CRLF line terminators MD5: D41D8CD98F00B204E9800998ECF8427E SHA: 2B7E822DDFDF3FA0528E3D69DD6AF671908CA0DA SHA-256: 644FB00EFA9BFE8D0012ACDF7FFED497CCF9FBE23DD4AEA9E8E77B503D5BC20C SHA-512: C1AEC4834008EBF3510E9B442C1B6940906C364602CA9E80FDF2E24FBE83FD90B14D579E51B522475AD3B9BFD2B988C38D1A856C8889835A2161FE8A049FA9EC
\samr	Type: Hitachi SH big-endian COFF object, not stripped MD5: D41D8CD98F00B204E9800998ECF8427E SHA: C7401D2A1C1B858C0D69237590FDB8CED500120D SHA-256: A924E8899A328353355434DB1AED4E5EB89ABFA85B2926165E8349A9FA10E966 SHA-512: F91C52499C4E2A7CF1C5FC175440F7438E339FF0C4E8367D4BE8534885988CFEBC476CAD6EE6FE45332DE891A3051F139E896632E9521D85265B860FED4F27E9
\srvsvc	Type: Hitachi SH big-endian COFF object, not stripped MD5: D41D8CD98F00B204E9800998ECF8427E SHA: 87D5F372BA2319C3F0475EB7D6EABEA3178E7CB2 SHA-256: 6547A2B904DAA11D272A62264A922997366AC2156B29D54B538C81DBC2A5A17D SHA-512: DF1D3889AC3A75BD9499295C951880E6F69F8501D1A981A9F241845BCD5E609F58DC8278F8B4F670E5AC31864956DA528643EF97F8F3320AD3165E0F0EDEA769

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Pingable	Open Ports
213.110.134.23	Ukraine	unknown	unknown
194.165.16.15	Russian Federation	unknown	unknown

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
TrID:	Win32 Executable MS Visual C++ (generic) (31208/45) 78.55% Win32 Executable (generic) (4510/7) 11.35% Generic Win/DOS Executable (2004/3) 5.04% DOS Executable Generic (2002/1) 5.04% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
File name:	1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe
File size:	307712
MD5:	9437eabf2fe5d32101e3fbf9f6027880
SHA1:	1b42683bf2c6c0da6f6abd85720b64b387cbad99
SHA256:	e67aa9da71042fe85d03b7f57c18e611d3d16167ca9f86615088f2fd98b17a99
SHA512:	4b64ae10fd31564c04540885b09019c148a907b73d6edb673383d0713139965d07a0fc4fac2ebf0bf799a205be0e4aafd09993b44f82354bed72f247c60e9652

File Icon

Static PE Info

General
Entrypoint:	0x40641f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui 50
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x55AEABC8 [Tue Jul 21 20:30:00 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0

Entrypoint Preview

Instruction
call 00007F777CBDAF1Dh
jmp 00007F777CBD962Dh
mov edi, edi
push ebp
mov ebp, esp
push esi
push dword ptr [0041E7BCh]
mov esi, dword ptr [0040D0E4h]
call esi
test eax, eax
je 00007F777CBD97D3h
mov eax, dword ptr [0041E7B8h]
cmp eax, FFFFFFFFh
je 00007F777CBD97C9h
push eax
push dword ptr [0041E7BCh]
call esi
call eax
test eax, eax
je 00007F777CBD97BAh
mov eax, dword ptr [eax+000001F8h]
jmp 00007F777CBD97D9h
mov esi, 004190ACh
push esi
call dword ptr [0040D11Ch]
test eax, eax
jne 00007F777CBD97BDh
push esi
call 00007F777CBD9EC5h
pop ecx
test eax, eax
je 00007F777CBD97CAh
push 0041909Ch
push eax
call dword ptr [0040D120h]
test eax, eax
je 00007F777CBD97BAh
push dword ptr [ebp+08h]
call eax
mov dword ptr [ebp+08h], eax
mov eax, dword ptr [ebp+08h]
pop esi
pop ebp
ret
push 00000000h
call 00007F777CBD973Ch
pop ecx
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
push dword ptr [0041E7BCh]
mov esi, dword ptr [0040D0E4h]
call esi
test eax, eax
je 00007F777CBD97D3h
mov eax, dword ptr [0041E7B8h]
cmp eax, FFFFFFFFh
je 00007F777CBD97C9h
push eax
push dword ptr [0041E7BCh]
call esi
call eax
test eax, eax
je 00007F777CBD97BAh
mov eax, dword ptr [eax+000001FCh]
jmp 00007F777CBD97D9h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a4e4	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x41000	0x2e1a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1a1e0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x214	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Xored PE	ZLIB Complexity	File Type	Characteristics
.text	0x1000	0xb4f4	0xb600	6.34633279914	False	0.579992273352	data	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0xe10e	0xe200	1.3561252733	False	0.0758780420354	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c000	0x24fdc	0x3400	4.48242579635	False	0.549278846154	ps database from kernel 8	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x41000	0x2e1a0	0x2e200	7.88320012192	False	0.972163998984	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	Xored PE
MUI	0x41420	0xf8	data	English	United States	False
RT_DIALOG	0x41518	0x100	data	English	United States	False
RT_DIALOG	0x41618	0xf8	data	English	United States	False
RT_DIALOG	0x41710	0x60	data	English	United States	False
RT_DIALOG	0x41770	0x100	data	English	United States	False
RT_DIALOG	0x41870	0xf8	data	English	United States	False
RT_DIALOG	0x41968	0x60	data	English	United States	False
RT_DIALOG	0x419c8	0xf8	data	English	United States	False
RT_DIALOG	0x41ac0	0xf0	data	English	United States	False
RT_DIALOG	0x41bb0	0x58	data	English	United States	False
RT_DIALOG	0x41c08	0xec	data	English	United States	False
RT_DIALOG	0x41cf4	0xe4	data	English	United States	False
RT_DIALOG	0x41dd8	0x4c	data	English	United States	False
RT_DIALOG	0x41e24	0xf0	data	English	United States	False
RT_DIALOG	0x41f14	0xe8	data	English	United States	False
RT_DIALOG	0x41ffc	0x50	data	English	United States	False
RT_VERSION	0x4204c	0x2b0	data			False
RT_MANIFEST	0x422fc	0x15a	ASCII text, with CRLF line terminators			False
None	0x42458	0x2cd48	data			False

Imports

DLL	Import
USER32.dll	AnyPopup, CreateIconFromResourceEx, GetDC, SetFocus, EndDialog, wsprintfW, CreateDialogParamW, GetCursorPos, FindWindowExW, GetAsyncKeyState, RegisterClassW, SetDlgItemTextA, MsgWaitForMultipleObjectsEx, GetDlgItem, ClientToScreen, SendMessageTimeoutW, SendMessageTimeoutA, GetScrollPos, GetSystemMetrics, GetKeyboardType, GetNextDlgTabItem, GetUserObjectInformationA, IsZoomed, GetSysColor, OpenClipboard
SHELL32.dll	ShellExecuteA
ole32.dll	OleGetClipboard, CoGetMalloc
ADVAPI32.dll	AdjustTokenPrivileges
GDI32.dll	GetCharWidthA, RectVisible, TextOutA, GetArcDirection, DPtoLP, Polygon, SetSystemPaletteUse, DeleteDC, SetDeviceGammaRamp, EndPage, GetNearestPaletteIndex, ExcludeClipRect, LineTo, GetTextMetricsW, GdiSetBatchLimit, CloseFigure, Escape, GetCharWidthW
KERNEL32.dll	IsValidCodePage, LoadLibraryA, GetACP, GetCPInfo, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, HeapAlloc, HeapReAlloc, RtlUnwind, GetLocaleInfoA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, HeapSize, GetOEMCP, GetStringTypeA, GlobalUnfix, GetFileType, CheckRemoteDebuggerPresent, SetProcessShutdownParameters, ConvertThreadToFiber, GlobalCompact, GetNumaNodeProcessorMask, VirtualAlloc, GetProcessAffinityMask, GetProcessHandleCount, GetNumaAvailableMemoryNode, CancelWaitableTimer, FileTimeToDosDateTime, GetPrivateProfileStringA, GlobalMemoryStatus, SetLastError, lstrcpynA, GlobalReAlloc, TlsGetValue, GetSystemDirectoryW, VirtualProtect, GetComputerNameA, WaitForMultipleObjects, TlsAlloc, IsBadReadPtr, SetHandleCount, SystemTimeToFileTime, FlushFileBuffers, SetEnvironmentVariableA, GetSystemTimeAsFileTime, GetCommandLineA, GetStartupInfoA, GetModuleHandleW, GetProcAddress, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, GetLastError, InterlockedDecrement, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, DeleteCriticalSection, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId

Version Infos

Description	Data
LegalCopyright	Copyright Alexander Roshal 1993-2011
InternalName	Command line RAR
FileVersion	4.1.0
CompanyName	Alexander Roshal
ProductName	WinRAR
ProductVersion	4.1.0
FileDescription	Command line RAR
Translation	0x0000 0x0000

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2015 22:52:00.389138937 CEST	1370	55667	192.168.0.20	194.165.16.15
Jul 22, 2015 22:52:00.389175892 CEST	55667	1370	194.165.16.15	192.168.0.20
Jul 22, 2015 22:52:00.389214993 CEST	1370	55667	192.168.0.20	194.165.16.15
Jul 22, 2015 22:52:00.389388084 CEST	1370	55667	192.168.0.20	194.165.16.15
Jul 22, 2015 22:52:00.389400005 CEST	55667	1370	194.165.16.15	192.168.0.20
Jul 22, 2015 22:52:00.389429092 CEST	1370	55667	192.168.0.20	194.165.16.15
Jul 22, 2015 22:52:00.389712095 CEST	55667	1370	194.165.16.15	192.168.0.20
Jul 22, 2015 22:52:00.389796972 CEST	1370	55667	192.168.0.20	194.165.16.15
Jul 22, 2015 22:52:01.861674070 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:01.861707926 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:01.861752987 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:01.861969948 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:01.861980915 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:01.862098932 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:01.862107038 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:02.739554882 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:02.791644096 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:02.791718006 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:02.791737080 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:02.840432882 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:02.840449095 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:02.840487003 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:02.840496063 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:03.719592094 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:03.778784990 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:03.778860092 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:03.778877020 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:03.778965950 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:03.820933104 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:03.932977915 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:03.933051109 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:03.933064938 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:03.933162928 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:03.960963011 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:03.960969925 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:03.961092949 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:03.961107969 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.035813093 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.035886049 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.035900116 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.041316032 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.041424036 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.041438103 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.048542976 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.048690081 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.048703909 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.050591946 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.050695896 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.050709963 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.059112072 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.059185028 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.059211969 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.059225082 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.059267998 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.203339100 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.212040901 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.212145090 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.212158918 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.214329958 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.214433908 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.214451075 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.220139980 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.220292091 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.220305920 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.247690916 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.247844934 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.247859001 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.249541998 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.249690056 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.249703884 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.249758959 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.249907970 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.249919891 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.251120090 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.251271963 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.251286983 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.251445055 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.251594067 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.251605034 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.256812096 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.256824017 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.282767057 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.282849073 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.282864094 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.282955885 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.376579046 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.382605076 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.382678986 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.382693052 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.382780075 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.383460045 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.385159016 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.385257959 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.385272026 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.385416031 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.385507107 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.385518074 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.397018909 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.397124052 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.397138119 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.397289991 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.397387028 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.397397995 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.397439003 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.398863077 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.400470972 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.400576115 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.400589943 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.400669098 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.400810003 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.400820017 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.406905890 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.407006979 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.407025099 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.412940025 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.412950993 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.413027048 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.413039923 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.413083076 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.415668011 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.415766954 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.415782928 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.416330099 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.416476011 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.416488886 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.423840046 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.423943996 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.423958063 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.427583933 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.427736044 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.427750111 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.428389072 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.428543091 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.428556919 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.428652048 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.432754040 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.432760954 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.432876110 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.434235096 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.434241056 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.434357882 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.434371948 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.438690901 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.438842058 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.438855886 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.464513063 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.464668989 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.464682102 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.475549936 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.546515942 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.546523094 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.546647072 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.552737951 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.553642035 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.553793907 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.553807974 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.560013056 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.560095072 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.560163021 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.560175896 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.563174963 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.563322067 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.563333988 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.564676046 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.564775944 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.564790010 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.566476107 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.566580057 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.566593885 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.567608118 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.567759991 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.567774057 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.568722963 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.568875074 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.568888903 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.569262981 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.576786995 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.577193022 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.577292919 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.577306986 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.582396984 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.582549095 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.582561970 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.584342003 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.584487915 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.584501028 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.584974051 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.585083008 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.585097075 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.585205078 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.585347891 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.585359097 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.586575985 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.586679935 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.586694002 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.594630003 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.594784021 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.594798088 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.598436117 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.598583937 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.598597050 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.600539923 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.607759953 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.607767105 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.607891083 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.647809029 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.648051977 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.648060083 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.648176908 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:04.716562033 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.716567993 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:04.716694117 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:05.346335888 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:05.346353054 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:05.346390963 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:05.346399069 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:06.261418104 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:06.378915071 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:06.378989935 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:06.379004002 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:06.403608084 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:06.403621912 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:06.403660059 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:06.403667927 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.301654100 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.313159943 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.313237906 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.313254118 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.313345909 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.318103075 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.324654102 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.324728012 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.324742079 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.324837923 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.327821016 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.327827930 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.327946901 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.397300959 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.415874004 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.415982962 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.415997982 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.425275087 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.425430059 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.425443888 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.429063082 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.429167986 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.429182053 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.649939060 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.650037050 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.650048971 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.912985086 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.927439928 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.927450895 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.927495003 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:07.927576065 CEST	48755	1371	213.110.134.23	192.168.0.20
Jul 22, 2015 22:52:07.927613974 CEST	1371	48755	192.168.0.20	213.110.134.23
Jul 22, 2015 22:52:10.242512941 CEST	1372	55667	192.168.0.20	194.165.16.15
Jul 22, 2015 22:52:10.242558002 CEST	55667	1372	194.165.16.15	192.168.0.20
Jul 22, 2015 22:52:10.242599010 CEST	1372	55667	192.168.0.20	194.165.16.15
Jul 22, 2015 22:52:10.242794037 CEST	1372	55667	192.168.0.20	194.165.16.15
Jul 22, 2015 22:52:10.242806911 CEST	55667	1372	194.165.16.15	192.168.0.20
Jul 22, 2015 22:52:10.242826939 CEST	1372	55667	192.168.0.20	194.165.16.15
Jul 22, 2015 22:52:10.242925882 CEST	55667	1372	194.165.16.15	192.168.0.20
Jul 22, 2015 22:52:10.243139029 CEST	1372	55667	192.168.0.20	194.165.16.15

Hooks - Code Manipulation Behavior

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe PID: 1560 Parent PID: 552

General

Start time:	22:51:54
Start date:	22/07/2015
Path:	C:\1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	307712 bytes
MD5 hash:	9437EABF2FE5D32101E3FBF9F6027880

Chronological Activities

Analysis Process: cmd.exe PID: 2260 Parent PID: 1560

General

Start time:	22:52:10
Start date:	22/07/2015
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c ping 127.0.0.1 >> nul
Imagebase:	0x4ad00000
File size:	401920 bytes
MD5 hash:	9B890F756D087991322464912FE68E75

Chronological Activities

Analysis Process: cmd.exe PID: 2436 Parent PID: 1560

General

Start time:	22:52:10
Start date:	22/07/2015
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/d /c del C:\1B4268~1.EXE
Imagebase:	0x7e360000
File size:	401920 bytes
MD5 hash:	9B890F756D087991322464912FE68E75

Chronological Activities

Analysis Process: shadow.exe PID: 3976 Parent PID: 2260

General

Start time:	22:52:10
Start date:	22/07/2015
Path:	C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe
Wow64 process (32bit):	false
Commandline:	C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe
Imagebase:	0x400000
File size:	156672 bytes
MD5 hash:	B47B4634A0DD6BCCD5309C3679856DA0

Chronological Activities

Analysis Process: shadow.exe PID: 2988 Parent PID: 3976

General

Start time:	22:52:11
Start date:	22/07/2015
Path:	C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe
Wow64 process (32bit):
Commandline:	C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate\shadow.exe -watchdog
Imagebase:
File size:	156672 bytes
MD5 hash:	B47B4634A0DD6BCCD5309C3679856DA0

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe PID: 1560 Parent PID: 552

Executed Functions

Function 00401D10, Relevance: 153.5, APIs: 31, Strings: 55, Instructions: 3021

APIs

CancelWaitableTimer.KERNEL32(00000062), ref: 00402452
KiUserApcDispatcher.NTDLL(00000048), ref: 00402556
GetKeyboardType.USER32(0000001A), ref: 00402794
GetNextDlgTabItem.USER32(00000024,0000002E,0000001C), ref: 00402FD1
TextOutA.GDI32(00000045,00000023,0000000D,0000002D,00000049), ref: 0040313D
GetNumaAvailableMemoryNode.KERNEL32(00000041,00000064), ref: 0040321C
GetArcDirection.GDI32(00000047), ref: 004032B8
GetProcessHandleCount.KERNEL32(0000005A,00000046), ref: 00403418
GetProcessAffinityMask.KERNEL32(0000004B,0000002E,00000024), ref: 00403470
VirtualAlloc.KERNEL32(00000000,00002724,00001000,00000040), ref: 004034FD
GetSystemMetrics.USER32(00000000), ref: 00403544
GetUserObjectInformationA.USER32(00000063,00000063,00000068,0000007F,0000002F), ref: 004035AE

Part of subcall function 004013B0: MsgWaitForMultipleObjectsEx.USER32(?,00000013,00000033,0000005E,0000003E), ref: 00401421

GetNumaNodeProcessorMask.KERNEL32(00000023,00000063), ref: 00403675
DPtoLP.GDI32(00000042,0000002D,0000002E), ref: 0040372D
Polygon.GDI32(0000004A,FFFFFFF3,0000003A), ref: 00403964
IsZoomed.USER32(00000023), ref: 00403C14
SetSystemPaletteUse.GDI32(00000037,0000002A), ref: 00403C9F
Escape.GDI32(0000003B,0000001E,FFFFFFEA,00000004,00000041), ref: 00403E89
SetDeviceGammaRamp.GDI32(FFFFFFEA,0000003B), ref: 00403FD8
GlobalCompact.KERNEL32(00000024), ref: 0040402A
EndPage.GDI32(00000004), ref: 0040414A
GetNearestPaletteIndex.GDI32(00000042,0000004E), ref: 00404300
ExcludeClipRect.GDI32(0000002E,00000054,0000001D,0000002A,00000034), ref: 0040470C
LineTo.GDI32(00000067,0000003D,00000067), ref: 00404728
GetTextMetricsW.GDI32(00000031,0000002E), ref: 00404EE1
GetSysColor.USER32(00000054), ref: 004050A0
GdiSetBatchLimit.GDI32(00000019), ref: 004050F1
OpenClipboard.USER32(0000008E), ref: 004051A7
AnyPopup.USER32 ref: 004052F5
ConvertThreadToFiber.KERNEL32(0000003D), ref: 00405317
CreateIconFromResourceEx.USER32(0000003D,00000064,00000052,00000027,0000002F,00000011,0000002F), ref: 0040537A

Part of subcall function 00401530: SetProcessShutdownParameters.KERNEL32(0000001A,00000061), ref: 00401614
Part of subcall function 00401530: CheckRemoteDebuggerPresent.KERNEL32(00000013,00000064), ref: 00401695
Part of subcall function 00401530: GetFileType.KERNEL32(0000001F), ref: 00401710
Part of subcall function 00401530: GlobalUnfix.KERNEL32(0000005B), ref: 004018B1

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(00419104), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Strings

F, xrefs: 00403234
], xrefs: 0040555B
Nhmsfh? czkcbvomyvdu? fgjnkncr?(.), xrefs: 004041A8
;, xrefs: 0040384C
P, xrefs: 00404931
h, xrefs: 00405565
`, xrefs: 00401D93
P, xrefs: 00402DC6
K, xrefs: 00402544
', xrefs: 004052BF
p, xrefs: 004053DA
W, xrefs: 00404AA3
8, xrefs: 0040215C
P, xrefs: 00404B72
Y, xrefs: 004055AD
6, xrefs: 00405509
_, xrefs: 00402019
]r, xrefs: 00403882
Excshtjg! eqfdiwxqei! pbfixnmm!(.), xrefs: 00404B0C
-, xrefs: 00405650
', xrefs: 00402BD8
Rygtmhk nhuonop gtzjzyjqvjm urrvlvxr szrtck mawaxlhyts?(!), xrefs: 00404A72
], xrefs: 004024AB
X, xrefs: 004041F6
L, xrefs: 00405419
Dbncrwiw unhbi rxlzgakc?(!), xrefs: 00401EA9
T, xrefs: 004053C4
$, xrefs: 004032E5
3, xrefs: 004040A6
d, xrefs: 00405420
6, xrefs: 004020DF
<, xrefs: 004051C7
:, xrefs: 00402318
, xrefs: 0040252C
#, xrefs: 0040273D
S, xrefs: 004023AB
T, xrefs: 00405702
=, xrefs: 00402A9E
*, xrefs: 0040458D
Raegcbtv pvecswlhnby ylgsr mutkwl.(!), xrefs: 004033B8
9, xrefs: 00401E93
>, xrefs: 00402460
a, xrefs: 00402F82
Bdwkcdf qvqtcvlqnul wxgmone olivr cdzukqlw!(.), xrefs: 00403997
!, xrefs: 004042CE
0, xrefs: 0040259A
Cthumzqxhxlra ntfelcnhwclf qiscjknu tnsjjxhmvbg,(.), xrefs: 00405139
Brcjzv mrmbmugllhn uaoqizm dwvmqreuh,(c), xrefs: 00402CEA
], xrefs: 00404583
Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.), xrefs: 004053B7
Rnjheeon ohqxrzxy dfhslxydku cbqmelxv,(!), xrefs: 00403891
Bnyhhiovaa alwxaybdf uidfxpy sgcoxv wbnxwuwmpjd.(!), xrefs: 004025C9
Y, xrefs: 00402A37
Bcdxqessgcjhj cdurbdno yvyrtxhx stbfqgmqb!(c), xrefs: 00404B97
, xrefs: 00404A63

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00401530, Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 239

APIs

SetProcessShutdownParameters.KERNEL32(0000001A,00000061), ref: 00401614
CheckRemoteDebuggerPresent.KERNEL32(00000013,00000064), ref: 00401695
GetFileType.KERNEL32(0000001F), ref: 00401710
GlobalUnfix.KERNEL32(0000005B), ref: 004018B1

Strings

Y, xrefs: 00401581
E, xrefs: 00401642
R, xrefs: 00401989
., xrefs: 004016E6
\, xrefs: 004016C0
1, xrefs: 004016FA
Y, xrefs: 00401780
8, xrefs: 004019CC
A, xrefs: 0040167A
,, xrefs: 00401763
J, xrefs: 004015C1

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402EF3, Relevance: 21.6, APIs: 10, Strings: 2, Instructions: 639

APIs

Part of subcall function 00401D91: GetLocalTime.KERNEL32(?), ref: 00401DF2

GetDateFormatA.KERNEL32(00000400,00000001,?,00000000,?,00000014), ref: 00403078
GetTimeFormatA.KERNEL32(00000400,00000008,?,00000000,?,00000014), ref: 0040308C
wsprintfA.USER32(?,%s %s,?,?), ref: 004030A6

Part of subcall function 00402D25: GetFileVersionInfoSizeA.VERSION(?,00000000), ref: 00402D32
Part of subcall function 00402D25: GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000), ref: 00402D52
Part of subcall function 00402D25: VerQueryValueA.VERSION(00000000,00000000,?,?), ref: 00402D7B
Part of subcall function 00402D25: memcpy.NTDLL(?,?,?), ref: 00402D97

GetCurrentProcess.KERNEL32 ref: 0040318A

Part of subcall function 00405166: GetModuleHandleA.KERNEL32(00000000), ref: 0040519C
Part of subcall function 00405166: GetProcAddress.KERNEL32(00000000), ref: 004051A3
Part of subcall function 00405166: IsWow64Process.KERNEL32(00403196,00000000,?,?,00000000,?,?,00403196), ref: 004051B5

Part of subcall function 00402DEC: StrNCatA.SHLWAPI(?,000000FF,00000010), ref: 00402E26
Part of subcall function 00402DEC: StrNCatA.SHLWAPI(?,000000FF,00000010), ref: 00402E4A
Part of subcall function 00402DEC: StrNCatA.SHLWAPI(?,000000FF,00000010), ref: 00402E6C

GetSystemInfo.KERNEL32(?), ref: 0040328F

Part of subcall function 004051ED: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020119,00000000), ref: 0040521A
Part of subcall function 004051ED: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,0000000F,96EBEDC5), ref: 0040524F
Part of subcall function 004051ED: RegCloseKey.ADVAPI32(00000000), ref: 00405258

GlobalMemoryStatusEx.KERNEL32(?), ref: 004032FC
GetUserNameExA.SECUR32(00000002,?,?), ref: 00403353

Part of subcall function 0040547F: memset.NTDLL(?,00000000), ref: 00405498
Part of subcall function 0040547F: GetVersionExW.KERNEL32(?), ref: 004054B1

Part of subcall function 00402E77: RegOpenKeyW.ADVAPI32(80000002,00000000,?), ref: 00402EA0
Part of subcall function 00402E77: RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004), ref: 00402ED5
Part of subcall function 00402E77: RegCloseKey.ADVAPI32(?), ref: 00402EE8

Part of subcall function 00402594: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 004025C7
Part of subcall function 00402594: RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004), ref: 004025FF
Part of subcall function 00402594: RegCloseKey.ADVAPI32(?), ref: 00402612

Part of subcall function 00402DAF: GlobalMemoryStatusEx.KERNEL32(?), ref: 00402DC0

Part of subcall function 004054E1: GetModuleHandleW.KERNEL32(00000000), ref: 00405518
Part of subcall function 004054E1: GetProcAddress.KERNEL32(00000000), ref: 0040551F
Part of subcall function 004054E1: GetSystemTimes.KERNEL32(004121F4,60C31DE3,?,?,?,?,?,?,00000008,00000000,00000000), ref: 0040553B
Part of subcall function 004054E1: Sleep.KERNEL32(000003E8), ref: 00405563
Part of subcall function 004054E1: GetSystemTimes.KERNEL32(004121F4,60C31DE3,?,?,?,?,?,?,00000008,00000000,00000000), ref: 00405575
Part of subcall function 004054E1: _allmul.NTDLL ref: 004055A4
Part of subcall function 004054E1: _alldiv.NTDLL ref: 004055BE

GetTickCount.KERNEL32 ref: 0040355E
GetLastInputInfo.USER32(?), ref: 0040356A
GetTickCount.KERNEL32 ref: 004035BC

Part of subcall function 00402DD5: StrFromTimeIntervalA.SHLWAPI(00000064,00000064,004035C4,0000000A), ref: 00402DE1

Part of subcall function 00402CA4: socket.WSOCK32(00000002,00000001,00000006), ref: 00402CCD
Part of subcall function 00402CA4: htons.WSOCK32(?), ref: 00402CF1
Part of subcall function 00402CA4: connect.WSOCK32(00000000,?,00000010), ref: 00402D02

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Part of subcall function 0040876C: lstrlenW.KERNEL32(00000000), ref: 00408791

Part of subcall function 00401C60: CoInitialize.OLE32(00000000), ref: 00401CD6
Part of subcall function 00401C60: CoCreateGuid.OLE32(?), ref: 00401CE0

Part of subcall function 00403AE8: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00403B03
Part of subcall function 00403AE8: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00403B1C
Part of subcall function 00403AE8: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00403B31
Part of subcall function 00403AE8: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00403B43
Part of subcall function 00403AE8: UnmapViewOfFile.KERNEL32(00000000), ref: 00403B62
Part of subcall function 00403AE8: CloseHandle.KERNEL32(00000000), ref: 00403B69
Part of subcall function 00403AE8: CloseHandle.KERNEL32(00401E64), ref: 00403B72

Part of subcall function 004036C2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004036E9
Part of subcall function 004036C2: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,00000006,00000000), ref: 00403721
Part of subcall function 004036C2: RegCreateKeyW.ADVAPI32(00000006,?,00000000), ref: 00403760
Part of subcall function 004036C2: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00411D40), ref: 00403771
Part of subcall function 004036C2: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 004037AB
Part of subcall function 004036C2: RegCloseKey.ADVAPI32(00000000), ref: 00403845
Part of subcall function 004036C2: RegCloseKey.ADVAPI32(00000006), ref: 0040384E
Part of subcall function 004036C2: ReleaseMutex.KERNEL32 ref: 0040385A

Strings

@, xrefs: 004032F2
%s %s, xrefs: 004030A0

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004021F1, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00402209
lstrcatW.KERNEL32(?,00000000), ref: 00402251
FindFirstFileW.KERNEL32(?,?), ref: 00402281

Part of subcall function 00401EF1: StrStrIW.SHLWAPI(?,00AC1318), ref: 004021D6

lstrcpyW.KERNEL32(?,?), ref: 004022A8
GetFileVersionInfoSizeW.VERSION(?,00000000), ref: 004022BD
lstrcpyW.KERNEL32(:=@,?), ref: 004022D5
FindClose.KERNEL32(?), ref: 004022DE

Strings

:=@, xrefs: 004022D2

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004054E1, Relevance: 10.6, APIs: 7, Instructions: 91

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00405518
GetProcAddress.KERNEL32(00000000), ref: 0040551F
GetSystemTimes.KERNEL32(004121F4,60C31DE3,?,?,?,?,?,?,00000008,00000000,00000000), ref: 0040553B
Sleep.KERNEL32(000003E8), ref: 00405563
GetSystemTimes.KERNEL32(004121F4,60C31DE3,?,?,?,?,?,?,00000008,00000000,00000000), ref: 00405575
_allmul.NTDLL ref: 004055A4
_alldiv.NTDLL ref: 004055BE

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00405D96, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85

APIs

Part of subcall function 0040737C: IsBadStringPtrW.KERNEL32(?,00000104,?,004057D3,?,00401451,?), ref: 00407393

FindFirstFileW.KERNEL32(?,?), ref: 00405DF0

Part of subcall function 00405760: SetFileAttributesW.KERNEL32(?,00000080), ref: 00405784
Part of subcall function 00405760: GetLastError.KERNEL32(?,?,00405E62,?,?,?,?,?,?,6$@,?,?,?,?,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 00405794
Part of subcall function 00405760: Sleep.KERNEL32(0000000A), ref: 004057A6

FindNextFileW.KERNEL32(00000000,?), ref: 00405E6C
FindClose.KERNEL32(00000000), ref: 00405E77
RemoveDirectoryW.KERNEL32(6$@), ref: 00405E82

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 00405DA4
6$@, xrefs: 00405DA0, 00405DA5, 00405DBB, 00405E18, 00405E81

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004056E6, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

SetFileTime.KERNEL32(00000000,?,00000000,00000208,?,00000000), ref: 00405704
RtlDosPathNameToNtPathName_U.NTDLL(?,?,00000000,00000000), ref: 0040571B
NtDeleteFile.NTDLL(?), ref: 00405746
RtlFreeUnicodeString.NTDLL(?), ref: 00405755

Strings

@, xrefs: 00405739
6$@, xrefs: 004056EF

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404E98, Relevance: 7.6, APIs: 5, Instructions: 53

APIs

Part of subcall function 0040737C: IsBadStringPtrW.KERNEL32(?,00000104,?,004057D3,?,00401451,?), ref: 00407393

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00404EBE
memset.NTDLL(?,00000000), ref: 00404ED8
Process32FirstW.KERNEL32(00000000,?), ref: 00404EF2
StrStrIW.SHLWAPI(?,004013DB), ref: 00404F04
Process32NextW.KERNEL32(00000000,0000022C), ref: 00404F16

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003E0000, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 285

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,72D08B8C), ref: 003E018C
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 003E01FD

Part of subcall function 003E05DB: LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,003E0327,2B14D0EE,?), ref: 003E0607

Strings

, xrefs: 003E02D6
a, xrefs: 003E02CB

Memory Dump Source

Source File: 00000000.00000002.58311474329395.003E0000.00000040.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004061DB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31

APIs

GetCurrentProcess.KERNEL32 ref: 004061F5
ZwQueryInformationProcess.NTDLL(00000000), ref: 00406202

Part of subcall function 0040819D: GetCurrentProcessId.KERNEL32 ref: 004081C5
Part of subcall function 0040819D: CreateThread.KERNEL32(00000000,00000000,00407FD2,00000000), ref: 004081E1

Strings

, xrefs: 0040620C

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D0311B, Relevance: 4.6, APIs: 3, Instructions: 66

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01D03160

Part of subcall function 01D02E09: CoCreateInstance.OLE32(01D05470,00000000,00000001,01D05460,?), ref: 01D02E34
Part of subcall function 01D02E09: lstrcmpiW.KERNEL32(01D02FA0,?), ref: 01D02E93

FindNextFileW.KERNEL32(00000000,?), ref: 01D031AF

Part of subcall function 01D01E60: lstrcpyW.KERNEL32(00000004,01D0329B), ref: 01D01E8E
Part of subcall function 01D01E60: lstrcpyW.KERNEL32(0000020C,01D031CD), ref: 01D01E9A

FindClose.KERNEL32(00000000), ref: 01D031D3

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D02EC9, Relevance: 4.6, APIs: 3, Instructions: 59

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01D02F0E

Part of subcall function 01D02E09: CoCreateInstance.OLE32(01D05470,00000000,00000001,01D05460,?), ref: 01D02E34
Part of subcall function 01D02E09: lstrcmpiW.KERNEL32(01D02FA0,?), ref: 01D02E93

FindNextFileW.KERNEL32(00000000,?), ref: 01D02F5D
FindClose.KERNEL32(00000000), ref: 01D02F6C

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040547F, Relevance: 3.0, APIs: 2, Instructions: 31

APIs

memset.NTDLL(?,00000000), ref: 00405498
GetVersionExW.KERNEL32(?), ref: 004054B1

Part of subcall function 004082C8: GetCurrentProcess.KERNEL32 ref: 004082E7
Part of subcall function 004082C8: OpenProcessToken.ADVAPI32(00000000), ref: 004082EE
Part of subcall function 004082C8: memset.NTDLL(?,00000000), ref: 00408313
Part of subcall function 004082C8: GetVersionExW.KERNEL32(00000114), ref: 00408322
Part of subcall function 004082C8: GetTokenInformation.ADVAPI32(?,00000012,?,00000004,?), ref: 0040834E
Part of subcall function 004082C8: GetTokenInformation.ADVAPI32(?,00000013,004054D5,00000004,?), ref: 00408369
Part of subcall function 004082C8: DuplicateToken.ADVAPI32(?,00000001,004054D5), ref: 0040837D
Part of subcall function 004082C8: CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00408399
Part of subcall function 004082C8: CheckTokenMembership.ADVAPI32(004054D5,?,?), ref: 004083AE

Part of subcall function 00408425: memset.NTDLL(?,00000000), ref: 0040843E
Part of subcall function 00408425: GetCurrentProcess.KERNEL32 ref: 0040845F
Part of subcall function 00408425: OpenProcessToken.ADVAPI32(00000000), ref: 00408466
Part of subcall function 00408425: GetTokenInformation.ADVAPI32(004054CE,00000014,?,00000004,?), ref: 0040847F

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406B7A, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006B38), ref: 00406B7F

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404077, Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 279

APIs

Part of subcall function 004013F2: SetErrorMode.KERNEL32(00008000), ref: 00401400
Part of subcall function 004013F2: GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401412
Part of subcall function 004013F2: lstrcatW.KERNEL32(?,00000000), ref: 0040143F

ExitProcess.KERNEL32 ref: 00404091

Part of subcall function 0040849B: GetCurrentProcess.KERNEL32 ref: 004084AC
Part of subcall function 0040849B: OpenProcessToken.ADVAPI32(00000000), ref: 004084B3
Part of subcall function 0040849B: GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,?), ref: 004084D2
Part of subcall function 0040849B: GetLastError.KERNEL32(?,?,?,?,?,0040409C), ref: 004084D8
Part of subcall function 0040849B: LocalAlloc.KERNEL32(00000040,?), ref: 004084E9
Part of subcall function 0040849B: GetTokenInformation.ADVAPI32(?,00000019,00000000,?,?), ref: 00408502
Part of subcall function 0040849B: GetSidSubAuthority.ADVAPI32(00000000,00000000,?,?,?,?,?,?,0040409C), ref: 0040850B
Part of subcall function 0040849B: LocalFree.KERNEL32(00000000), ref: 00408514

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004040B0

Part of subcall function 00403EE5: CoInitializeEx.OLE32(00000000,00000006), ref: 00403EF3
Part of subcall function 00403EE5: GetCurrentProcessId.KERNEL32 ref: 00403F11
Part of subcall function 00403EE5: memset.NTDLL(?,00000000), ref: 00403F30
Part of subcall function 00403EE5: GetForegroundWindow.USER32 ref: 00403F82
Part of subcall function 00403EE5: ShellExecuteExW.SHELL32(0000003C), ref: 00403F8F
Part of subcall function 00403EE5: Sleep.KERNEL32(00000001), ref: 00403FA1
Part of subcall function 00403EE5: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403FAE
Part of subcall function 00403EE5: CoUninitialize.OLE32 ref: 00403FBC

Part of subcall function 0040819D: GetCurrentProcessId.KERNEL32 ref: 004081C5
Part of subcall function 0040819D: CreateThread.KERNEL32(00000000,00000000,00407FD2,00000000), ref: 004081E1

GetCommandLineW.KERNEL32 ref: 004040E5
CommandLineToArgvW.SHELL32(00000000), ref: 004040EC
lstrcmpiW.KERNEL32(?,00412380), ref: 00404103
StrToIntW.SHLWAPI(?), ref: 00404117

Part of subcall function 004050A6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004050AB

Part of subcall function 0040D411: lstrcmpiA.KERNEL32(?,00000000,?,00400000,?,00000000,00404852,00000000,S$W,00000005,4F708F5B,00000000), ref: 0040D453

Part of subcall function 00407BED: inet_addr.WSOCK32(?,00000000,00404900,?,00000000), ref: 00407BF2
Part of subcall function 00407BED: gethostbyname.WSOCK32(?), ref: 00407C03

Part of subcall function 0040D4E9: StrToInt64ExA.SHLWAPI(?,00000000,?), ref: 0040D540

LocalFree.KERNEL32(00000000), ref: 00404125
WSAStartup.WSOCK32(00000202,?), ref: 00404147
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00404152

Part of subcall function 004039BB: CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 004039C0

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 004042C2
lstrcatW.KERNEL32(C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate,00000000), ref: 004042E0

Part of subcall function 00402446: CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040247D
Part of subcall function 00402446: CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040248A
Part of subcall function 00402446: RemoveDirectoryW.KERNEL32(C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 004024D6
Part of subcall function 00402446: SHDeleteKeyW.SHLWAPI(80000001,00000000), ref: 004024FD

Part of subcall function 0040251C: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,004042F0,00000000), ref: 0040254E
Part of subcall function 0040251C: RegSetValueExW.ADVAPI32(004042F0,00000000,00000000,00000004,00000001,00000004), ref: 00402582
Part of subcall function 0040251C: RegCloseKey.ADVAPI32(004042F0), ref: 0040258B

Part of subcall function 00405D1C: PathSkipRootW.SHLWAPI(C$@), ref: 00405D3B
Part of subcall function 00405D1C: GetFileAttributesW.KERNEL32(C$@), ref: 00405D63
Part of subcall function 00405D1C: NlsGetCacheUpdateCount.KERNEL32(C$@,00000000), ref: 00405D71

Part of subcall function 00407EC5: lstrcpynA.KERNEL32(?,00000018,00000032,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate,00000000), ref: 00407F1F

Part of subcall function 00403C6C: PathFindFileNameW.SHLWAPI(?), ref: 00403D5A
Part of subcall function 00403C6C: MessageBoxW.USER32(00000000,fdgdfgdher,00000000,00000003), ref: 00403D7F
Part of subcall function 00403C6C: OutputDebugStringW.KERNEL32(werewrwer), ref: 00403D8F
Part of subcall function 00403C6C: ExitProcess.KERNEL32 ref: 00403D96

GetModuleHandleW.KERNEL32(00000000), ref: 00404382
GetModuleFileNameW.KERNEL32(00000000), ref: 00404389
GetFileAttributesW.KERNEL32(C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 00404390
SetFileAttributesW.KERNEL32(C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate,00000000), ref: 0040439B

Part of subcall function 00406ADB: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,02000000,00000000), ref: 00406B2D
Part of subcall function 00406ADB: GetFileTime.KERNEL32(00000000,?,?,00401EE7), ref: 00406B43
Part of subcall function 00406ADB: CreateFileW.KERNEL32(00401EE7,00000100,00000000,00000000,00000003,02000000,00000000), ref: 00406B5E
Part of subcall function 00406ADB: SetFileTime.KERNEL32(00000000,?,?,00401EE7), ref: 00406B74

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Part of subcall function 00403E4C: MessageBoxW.USER32(00000000,gregergerhr,00000000,00000003), ref: 00403E60
Part of subcall function 00403E4C: OutputDebugStringW.KERNEL32(herhreh), ref: 00403E70
Part of subcall function 00403E4C: ExitProcess.KERNEL32 ref: 00403E78
Part of subcall function 00403E4C: GetEnvironmentVariableW.KERNEL32(00000000), ref: 00403EA1

Part of subcall function 00403FC5: GetFullPathNameW.KERNEL32(00000000,?,00000000,00400000), ref: 00403FF6
Part of subcall function 00403FC5: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040400E
Part of subcall function 00403FC5: GetCurrentProcess.KERNEL32 ref: 00404031
Part of subcall function 00403FC5: GetProcessMemoryInfo.PSAPI(00000000), ref: 00404038
Part of subcall function 00403FC5: WriteFile.KERNEL32(00000000,00000030,00000002,?,00000000), ref: 00404068

Part of subcall function 00403B7F: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 00403B98
Part of subcall function 00403B7F: GetEnvironmentVariableW.KERNEL32(00000000), ref: 00403BBD
Part of subcall function 00403B7F: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00403BD2

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 004042AB, 004042B0, 004042BC, 004042DF, 004042F0, 004042F7, 0040438F, 0040439A, 004043A8, 004043BD

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406839, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 112

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406843
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040686A
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00406877
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00406884
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00406891
TlsAlloc.KERNEL32 ref: 004068E1
TlsSetValue.KERNEL32(00000000), ref: 004068FC

Part of subcall function 00406429: TlsGetValue.KERNEL32(00000000,?,004064A2), ref: 0040643B
Part of subcall function 00406429: TlsGetValue.KERNEL32(FFFFFFFF,?,004064A2), ref: 00406452
Part of subcall function 00406429: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406468
Part of subcall function 00406429: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406483
Part of subcall function 00406429: RtlEncodePointer.NTDLL(00000000,?,004064A2,00000000,00409163,004407B0,00000000,00000314,?,0040702F,004407B0,Microsoft Visual C++ Runtime Library,00012010), ref: 00406490

Part of subcall function 004064A4: TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
Part of subcall function 004064A4: TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
Part of subcall function 004064A4: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
Part of subcall function 004064A4: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE
Part of subcall function 004064A4: RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

Part of subcall function 00408933: Sleep.KERNEL32(00000000), ref: 0040895B

Part of subcall function 00406590: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004065A2
Part of subcall function 00406590: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004065D6
Part of subcall function 00406590: GetProcAddress.KERNEL32(?,DecodePointer), ref: 004065E6
Part of subcall function 00406590: InterlockedIncrement.KERNEL32(55891801,?,004054DD), ref: 00406615

GetCurrentThreadId.KERNEL32 ref: 004069AB

Part of subcall function 00406553: TlsFree.KERNEL32(FFFFFFFF), ref: 0040657E
Part of subcall function 00406553: DeleteCriticalSection.KERNEL32(00000000,00000000,KERNEL32.DLL,?,004069C1), ref: 00407C8A
Part of subcall function 00406553: DeleteCriticalSection.KERNEL32(FFFFFFFF,KERNEL32.DLL,?,004069C1), ref: 00407CB4

Part of subcall function 00406B88: Sleep.KERNEL32(000003E8), ref: 00406B94
Part of subcall function 00406B88: GetModuleHandleW.KERNEL32(004054DD), ref: 00406B9D

Strings

FlsFree, xrefs: 00406886
FlsAlloc, xrefs: 00406864
FlsSetValue, xrefs: 00406879
KERNEL32.DLL, xrefs: 0040683D, 00406842, 0040684D
FlsGetValue, xrefs: 0040686C

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004082C8, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89

APIs

GetCurrentProcess.KERNEL32 ref: 004082E7
OpenProcessToken.ADVAPI32(00000000), ref: 004082EE
memset.NTDLL(?,00000000), ref: 00408313
GetVersionExW.KERNEL32(00000114), ref: 00408322
GetTokenInformation.ADVAPI32(?,00000012,?,00000004,?), ref: 0040834E
GetTokenInformation.ADVAPI32(?,00000013,004054D5,00000004,?), ref: 00408369
DuplicateToken.ADVAPI32(?,00000001,004054D5), ref: 0040837D
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00408399
CheckTokenMembership.ADVAPI32(004054D5,?,?), ref: 004083AE

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Strings

D, xrefs: 00408392

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00401063, Relevance: 16.7, APIs: 11, Instructions: 182

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401091
GetModuleHandleW.KERNEL32(00000000), ref: 004010B1
GetModuleHandleW.KERNEL32(00000000), ref: 004010D1
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004010EB
StrStrIW.SHLWAPI(?,00000000), ref: 00401114
GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401126
GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00401146
GetModuleHandleW.KERNEL32(00000000), ref: 0040119F

Part of subcall function 00401000: OpenMutexW.KERNEL32(00100000,00000000,F1F1C337), ref: 0040100D

Part of subcall function 00401026: CreateFileW.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00401036
Part of subcall function 00401026: GetLastError.KERNEL32 ref: 0040104D

StrStrIW.SHLWAPI(?,00000000), ref: 0040124A
StrStrIW.SHLWAPI(?,00000000), ref: 0040126D
StrStrIW.SHLWAPI(?,00000000), ref: 00401290

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402775, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83

APIs

Part of subcall function 00402763: GetCurrentProcessId.KERNEL32 ref: 00402763

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00402799

Part of subcall function 004078C0: GetVersionExW.KERNEL32(?), ref: 004078F6
Part of subcall function 004078C0: ConvertSidToStringSidW.ADVAPI32(?,004027AA), ref: 00407910
Part of subcall function 004078C0: ConvertSidToStringSidW.ADVAPI32(?,004027AA), ref: 00407949
Part of subcall function 004078C0: LocalFree.KERNEL32(004027AA), ref: 0040797D

Part of subcall function 00407734: GetCurrentProcess.KERNEL32 ref: 0040775E
Part of subcall function 00407734: OpenProcessToken.ADVAPI32(00000000), ref: 00407765
Part of subcall function 00407734: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00407784
Part of subcall function 00407734: GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 004077A3
Part of subcall function 00407734: GetLengthSid.ADVAPI32(00000000), ref: 004077AB

ConvertSidToStringSidW.ADVAPI32(00402508,?), ref: 004027CC
LocalFree.KERNEL32(?), ref: 004027FF

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Part of subcall function 00405C00: lstrlenW.KERNEL32 ref: 00405C31

Part of subcall function 00405D1C: PathSkipRootW.SHLWAPI(C$@), ref: 00405D3B
Part of subcall function 00405D1C: GetFileAttributesW.KERNEL32(C$@), ref: 00405D63
Part of subcall function 00405D1C: NlsGetCacheUpdateCount.KERNEL32(C$@,00000000), ref: 00405D71

StrCpyNW.SHLWAPI(?,00AC2AF0,00AC2AF7), ref: 0040283C
GetFileAttributesW.KERNEL32(?), ref: 0040284F
SetFileAttributesW.KERNEL32(?,00000000), ref: 00402862
GetFileAttributesW.KERNEL32 ref: 0040286A
SetFileAttributesW.KERNEL32(00000000), ref: 00402876

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 0040277F

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004019C2, Relevance: 15.2, APIs: 10, Instructions: 197

APIs

Part of subcall function 004014FE: wsprintfW.USER32 ref: 00401528
Part of subcall function 004014FE: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020119,?), ref: 00401558
Part of subcall function 004014FE: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00401578
Part of subcall function 004014FE: RegEnumKeyW.ADVAPI32(?,00000000,?,00000064), ref: 0040158F
Part of subcall function 004014FE: RegCloseKey.ADVAPI32(?), ref: 0040159E

Part of subcall function 0040147D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0040149A
Part of subcall function 0040147D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014B8
Part of subcall function 0040147D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014DF
Part of subcall function 0040147D: RegCloseKey.ADVAPI32(?), ref: 004014F1

StrStrIW.SHLWAPI(00000000,00000000), ref: 00401A40
StrStrIW.SHLWAPI(?,00000000), ref: 00401AAD
StrStrIW.SHLWAPI(00000000,00000000), ref: 00401B0A

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020119,?), ref: 00401B49
RegCloseKey.ADVAPI32(?), ref: 00401B56
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00401B6A
lstrcatW.KERNEL32(?,00000000), ref: 00401B93
lstrlenW.KERNEL32(?), ref: 00401B9C
lstrcatW.KERNEL32(?,00000000), ref: 00401BC1

Part of subcall function 004057C5: GetFileAttributesW.KERNEL32(?), ref: 004057DF

lstrcatW.KERNEL32(?,00000000), ref: 00401C00

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D01B37, Relevance: 15.2, APIs: 10, Instructions: 175

APIs

RegOpenKeyExW.ADVAPI32(80000003,?,00000000,0002011F,?), ref: 01D01BC9
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 01D01BD8
RegNotifyChangeKeyValue.ADVAPI32(?,00000000,00000005,00000000,00000001), ref: 01D01BF0

Part of subcall function 01D0385F: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 01D03898
Part of subcall function 01D0385F: memcpy.NTDLL(0000000C,?,00000040,?), ref: 01D0392E
Part of subcall function 01D0385F: CreateThread.KERNEL32 ref: 01D0395C
Part of subcall function 01D0385F: WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 01D03994
Part of subcall function 01D0385F: WaitForMultipleObjects.KERNEL32(?,?,00000000,00000001), ref: 01D03A01

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 01D01CA7
RegFlushKey.ADVAPI32(00000000), ref: 01D01CAF
RegNotifyChangeKeyValue.ADVAPI32(00000000,00000000,00000005,?,00000001), ref: 01D01CC2
ResetEvent.KERNEL32(00000000), ref: 01D01CC6
RegNotifyChangeKeyValue.ADVAPI32(00000000,00000000,00000005,?,00000001), ref: 01D01CD6

Part of subcall function 01D02CDF: GetLastError.KERNEL32(01D057F0,0000000C,01D02072,?,00000000,00000000,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02CED
Part of subcall function 01D02CDF: GetCurrentThreadId.KERNEL32 ref: 01D02D13
Part of subcall function 01D02CDF: LeaveCriticalSection.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02D26
Part of subcall function 01D02CDF: SetLastError.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02D3C

WaitForSingleObject.KERNEL32(?,00000000), ref: 01D01CEE
RegCloseKey.ADVAPI32(?), ref: 01D01D14

Part of subcall function 01D01962: GetHandleInformation.KERNEL32(01D01095,00000000), ref: 01D01978
Part of subcall function 01D01962: CloseHandle.KERNEL32(01D01095), ref: 01D01989

Part of subcall function 01D02C71: GetLastError.KERNEL32(01D05810,0000000C,01D01FD8,?,00000000,00000000,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02C7F
Part of subcall function 01D02C71: EnterCriticalSection.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02CB4
Part of subcall function 01D02C71: GetCurrentThreadId.KERNEL32 ref: 01D02CBA
Part of subcall function 01D02C71: SetLastError.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02CD3

Part of subcall function 01D042A0: GetLastError.KERNEL32(77DA7305,00000000,01D03DB1,00000000,?,01D01095,?), ref: 01D042AB
Part of subcall function 01D042A0: HeapFree.KERNEL32(00000000,?,?,01D01095,?), ref: 01D042DC
Part of subcall function 01D042A0: SetLastError.KERNEL32(00000000,?,01D01095,?), ref: 01D042E3

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406503, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 164

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00406539
memcpy.NTDLL(00000000,004149F8,0004022C), ref: 00406557
memcpy.NTDLL(?,?,?), ref: 00406591
IsBadWritePtr.KERNEL32(?,00000004), ref: 00406600
TlsAlloc.KERNEL32 ref: 0040660A
CreateThread.KERNEL32(00000000,00000000,00002000,00000000), ref: 00406690

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Part of subcall function 004061DB: GetCurrentProcess.KERNEL32 ref: 004061F5
Part of subcall function 004061DB: ZwQueryInformationProcess.NTDLL(00000000), ref: 00406202

VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004066B3

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 0040650A

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004036C2, Relevance: 13.7, APIs: 9, Instructions: 152

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004036E9
RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,00000006,00000000), ref: 00403721
RegCreateKeyW.ADVAPI32(00000006,?,00000000), ref: 00403760
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00411D40), ref: 00403771
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 004037AB
RegQueryValueExA.ADVAPI32(00000000,CE56F72D,00000000,00000000,00000000,00000004), ref: 004037DA

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

RegCloseKey.ADVAPI32(00000000), ref: 00403845
RegCloseKey.ADVAPI32(00000006), ref: 0040384E
ReleaseMutex.KERNEL32 ref: 0040385A

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00403868, Relevance: 13.6, APIs: 9, Instructions: 119

APIs

WaitForMultipleObjects.KERNEL32(00000002,00401D31,00000000,000000FF), ref: 00403890
RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 004038C8
RegCreateKeyW.ADVAPI32(?,?,00000006), ref: 00403907
lstrlenA.KERNEL32(00000006,?,?,?,?,?,?,CE56F72D,?,?,00000000,00411D40), ref: 00403918
RegSetValueExA.ADVAPI32(00000006,00411D40,00000000,00000003,00000000,00000014), ref: 00403971
RegFlushKey.ADVAPI32(00000006), ref: 00403988

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

RegCloseKey.ADVAPI32(00000006), ref: 00403998
RegCloseKey.ADVAPI32(?), ref: 004039A1
ReleaseMutex.KERNEL32 ref: 004039AD

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402881, Relevance: 13.6, APIs: 9, Instructions: 96

APIs

Part of subcall function 00402763: GetCurrentProcessId.KERNEL32 ref: 00402763

Part of subcall function 00407734: GetCurrentProcess.KERNEL32 ref: 0040775E
Part of subcall function 00407734: OpenProcessToken.ADVAPI32(00000000), ref: 00407765
Part of subcall function 00407734: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00407784
Part of subcall function 00407734: GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 004077A3
Part of subcall function 00407734: GetLengthSid.ADVAPI32(00000000), ref: 004077AB

ConvertSidToStringSidW.ADVAPI32(00402C96,?), ref: 004028AE
lstrlenW.KERNEL32(?), ref: 004028CE
CharUpperBuffW.USER32(?,00000000), ref: 004028D9
CharLowerBuffW.USER32(?,00000026), ref: 004028E5
RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,000F013F,00000000,00402508,00000000), ref: 00402945
RegCreateKeyW.ADVAPI32(00402508,00000000,?), ref: 0040296D
RegCloseKey.ADVAPI32(?), ref: 00402980
RegCloseKey.ADVAPI32(00402508), ref: 00402985
LocalFree.KERNEL32(?), ref: 0040298A

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00403C6C, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126

APIs

Part of subcall function 00407056: EnterCriticalSection.KERNEL32(00000014,00000000,00000000,?,?,?,00402BBF,00000000,?,?,00000000,?,?,?,00000000,?), ref: 00407075
Part of subcall function 00407056: StrCmpNIA.SHLWAPI(-0000001C,00000000,?), ref: 004070A0
Part of subcall function 00407056: LeaveCriticalSection.KERNEL32(00402BBF,?,?,?,00402BBF,00000000,?,?,00000000,?,?,?,00000000,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 004070D3

PathFindFileNameW.SHLWAPI(?), ref: 00403D5A
MessageBoxW.USER32(00000000,fdgdfgdher,00000000,00000003), ref: 00403D7F
OutputDebugStringW.KERNEL32(werewrwer), ref: 00403D8F
ExitProcess.KERNEL32 ref: 00403D96

Part of subcall function 00401E06: CreateFileW.KERNEL32(00AC6910,40000000,00000000,00000000,00000002,00000001,00000000), ref: 00401E44
Part of subcall function 00401E06: WriteFile.KERNEL32(00403DB3,?,?,?,00000000), ref: 00401E75
Part of subcall function 00401E06: FlushFileBuffers.KERNEL32(00403DB3), ref: 00401E89
Part of subcall function 00401E06: GetModuleHandleW.KERNEL32(00000000), ref: 00401ECB
Part of subcall function 00401E06: GetModuleFileNameW.KERNEL32(00000000), ref: 00401ED2

Part of subcall function 004070DF: EnterCriticalSection.KERNEL32(00000014,00000000,00402BD6,?,?,?,?,?,00000000,?,?,?,00000000,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 004070EF
Part of subcall function 004070DF: FlushFileBuffers.KERNEL32(?), ref: 00407104
Part of subcall function 004070DF: LeaveCriticalSection.KERNEL32(00000014,?,?,?,?,?,00000000,?,?,?,00000000,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 00407144
Part of subcall function 004070DF: DeleteCriticalSection.KERNEL32(00000014,?,?,?,?,?,00000000,?,?,?,00000000,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 0040714B

Part of subcall function 004021F1: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00402209
Part of subcall function 004021F1: lstrcatW.KERNEL32(?,00000000), ref: 00402251
Part of subcall function 004021F1: FindFirstFileW.KERNEL32(?,?), ref: 00402281
Part of subcall function 004021F1: lstrcpyW.KERNEL32(?,?), ref: 004022A8
Part of subcall function 004021F1: GetFileVersionInfoSizeW.VERSION(?,00000000), ref: 004022BD
Part of subcall function 004021F1: lstrcpyW.KERNEL32(:=@,?), ref: 004022D5
Part of subcall function 004021F1: FindClose.KERNEL32(?), ref: 004022DE

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Part of subcall function 004051C1: GetNativeSystemInfo.KERNEL32(00000000), ref: 004051DA

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 00403C76, 00403D61
werewrwer, xrefs: 00403D8A
fdgdfgdher, xrefs: 00403D79

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004077DF, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91

APIs

SetErrorMode.KERNEL32(00000001), ref: 004077F2
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,0000001E), ref: 00407831
StrCmpNIW.SHLWAPI(?,00000000,00000003), ref: 0040785D
StrCmpNIW.SHLWAPI(?,00000000,00000005), ref: 0040787F
StrCmpNIW.SHLWAPI(?,00000000,00000004), ref: 004078A6
SetErrorMode.KERNEL32(004078D4), ref: 004078B6

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 004077ED

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407734, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71

APIs

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

GetCurrentProcess.KERNEL32 ref: 0040775E
OpenProcessToken.ADVAPI32(00000000), ref: 00407765
GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00407784
GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 004077A3
GetLengthSid.ADVAPI32(00000000), ref: 004077AB

Part of subcall function 0040E85E: memcpy.NTDLL(00000000,00000000,004077B9,004128B8,0000000C,004077B9,00000000), ref: 0040E887

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 0040776F
x@, xrefs: 004077D8

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406429, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42

APIs

TlsGetValue.KERNEL32(00000000,?,004064A2), ref: 0040643B
TlsGetValue.KERNEL32(FFFFFFFF,?,004064A2), ref: 00406452
GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406468
RtlEncodePointer.NTDLL(00000000,?,004064A2,00000000,00409163,004407B0,00000000,00000314,?,0040702F,004407B0,Microsoft Visual C++ Runtime Library,00012010), ref: 00406490

Part of subcall function 00406B88: Sleep.KERNEL32(000003E8), ref: 00406B94
Part of subcall function 00406B88: GetModuleHandleW.KERNEL32(004054DD), ref: 00406B9D

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406483

Strings

EncodePointer, xrefs: 0040647D
KERNEL32.DLL, xrefs: 00406462, 00406467, 00406472

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004064A4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42

APIs

TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

Part of subcall function 00406B88: Sleep.KERNEL32(000003E8), ref: 00406B94
Part of subcall function 00406B88: GetModuleHandleW.KERNEL32(004054DD), ref: 00406B9D

GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE

Strings

DecodePointer, xrefs: 004064F8
KERNEL32.DLL, xrefs: 004064DD, 004064E2, 004064ED

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004017A3, Relevance: 12.2, APIs: 8, Instructions: 174

APIs

Part of subcall function 004014FE: wsprintfW.USER32 ref: 00401528
Part of subcall function 004014FE: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020119,?), ref: 00401558
Part of subcall function 004014FE: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00401578
Part of subcall function 004014FE: RegEnumKeyW.ADVAPI32(?,00000000,?,00000064), ref: 0040158F
Part of subcall function 004014FE: RegCloseKey.ADVAPI32(?), ref: 0040159E

Part of subcall function 0040147D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0040149A
Part of subcall function 0040147D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014B8
Part of subcall function 0040147D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014DF
Part of subcall function 0040147D: RegCloseKey.ADVAPI32(?), ref: 004014F1

StrStrIW.SHLWAPI(00000000,00000000), ref: 00401819
StrStrIW.SHLWAPI(00000000,00000000), ref: 0040187C
StrStrIW.SHLWAPI(00000000,00000000), ref: 004018DF

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020119,?), ref: 0040191C
RegCloseKey.ADVAPI32(?), ref: 0040192A
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040193E
lstrcatW.KERNEL32(?,00000000), ref: 00401965
lstrcatW.KERNEL32(?,00000000), ref: 00401982

Part of subcall function 004057C5: GetFileAttributesW.KERNEL32(?), ref: 004057DF

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040849B, Relevance: 12.1, APIs: 8, Instructions: 60

APIs

GetCurrentProcess.KERNEL32 ref: 004084AC
OpenProcessToken.ADVAPI32(00000000), ref: 004084B3
GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,?), ref: 004084D2
GetLastError.KERNEL32(?,?,?,?,?,0040409C), ref: 004084D8
LocalAlloc.KERNEL32(00000040,?), ref: 004084E9
GetTokenInformation.ADVAPI32(?,00000019,00000000,?,?), ref: 00408502
GetSidSubAuthority.ADVAPI32(00000000,00000000,?,?,?,?,?,?,0040409C), ref: 0040850B
LocalFree.KERNEL32(00000000), ref: 00408514

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040E304, Relevance: 11.5, APIs: 9, Instructions: 243

APIs

memset.NTDLL(00000002,00000009), ref: 0040E36C
memset.NTDLL(00000001,00000009), ref: 0040E533

Part of subcall function 0040DFB4: StrChrA.SHLWAPI(00000000), ref: 0040E01A

lstrlenA.KERNEL32(00000000), ref: 0040E421
lstrlenA.KERNEL32(?), ref: 0040E429
memset.NTDLL(00000002,00000009), ref: 0040E4B1
lstrcpyA.KERNEL32(00000001,?,?,?,00000000,00AB3E78,00000000), ref: 0040E4C4
lstrlenA.KERNEL32(?,?,?,00000000,00AB3E78,00000000), ref: 0040E4D1
lstrcpyA.KERNEL32(00000002,?,?,?,00000000,00AB3E78,00000000), ref: 0040E4E6
lstrlenA.KERNEL32(?,?,?,00000000,00AB3E78,00000000), ref: 0040E4EE

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040AE6F, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 235

APIs

VirtualProtect.KERNEL32(00000000,0000001E,00000040,?), ref: 0040AE9C
memset.NTDLL(?,00000000), ref: 0040AECF
memcpy.NTDLL(?,?,00000006), ref: 0040B0AB
memcpy.NTDLL(0040814A,?,?), ref: 0040B0D7

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Strings

%, xrefs: 0040B00D
6>@, xrefs: 0040AE6F

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D019EC, Relevance: 10.6, APIs: 7, Instructions: 109

APIs

FindFirstChangeNotificationW.KERNEL32(?,00000000,00000019), ref: 01D01A4C
WaitForSingleObject.KERNEL32(?,00000000), ref: 01D01A71

Part of subcall function 01D02C71: GetLastError.KERNEL32(01D05810,0000000C,01D01FD8,?,00000000,00000000,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02C7F
Part of subcall function 01D02C71: EnterCriticalSection.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02CB4
Part of subcall function 01D02C71: GetCurrentThreadId.KERNEL32 ref: 01D02CBA
Part of subcall function 01D02C71: SetLastError.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02CD3

FindNextChangeNotification.KERNEL32(00000000), ref: 01D01ADD
ResetEvent.KERNEL32(00000000), ref: 01D01AE1
FindNextChangeNotification.KERNEL32(00000000), ref: 01D01AE9

Part of subcall function 01D02CDF: GetLastError.KERNEL32(01D057F0,0000000C,01D02072,?,00000000,00000000,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02CED
Part of subcall function 01D02CDF: GetCurrentThreadId.KERNEL32 ref: 01D02D13
Part of subcall function 01D02CDF: LeaveCriticalSection.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02D26
Part of subcall function 01D02CDF: SetLastError.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02D3C

Part of subcall function 01D02F7A: CoInitialize.OLE32(00000000), ref: 01D02F91
Part of subcall function 01D02F7A: CoCreateInstance.OLE32(01D05470,00000000,00000001,01D05460,01D01F59), ref: 01D02FC1
Part of subcall function 01D02F7A: memset.NTDLL(?,00000000), ref: 01D02FE5
Part of subcall function 01D02F7A: PathFindFileNameW.SHLWAPI ref: 01D02FEE
Part of subcall function 01D02F7A: memcpy.NTDLL(?,?,00000000), ref: 01D02FFF
Part of subcall function 01D02F7A: CoUninitialize.OLE32 ref: 01D030D4

WaitForSingleObject.KERNEL32(?,00000000), ref: 01D01AFE
FindCloseChangeNotification.KERNEL32(00000000), ref: 01D01B1B

Part of subcall function 01D042A0: GetLastError.KERNEL32(77DA7305,00000000,01D03DB1,00000000,?,01D01095,?), ref: 01D042AB
Part of subcall function 01D042A0: HeapFree.KERNEL32(00000000,?,?,01D01095,?), ref: 01D042DC
Part of subcall function 01D042A0: SetLastError.KERNEL32(00000000,?,01D01095,?), ref: 01D042E3

Part of subcall function 01D0385F: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 01D03898
Part of subcall function 01D0385F: memcpy.NTDLL(0000000C,?,00000040,?), ref: 01D0392E
Part of subcall function 01D0385F: CreateThread.KERNEL32 ref: 01D0395C
Part of subcall function 01D0385F: WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 01D03994
Part of subcall function 01D0385F: WaitForMultipleObjects.KERNEL32(?,?,00000000,00000001), ref: 01D03A01

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D03A11, Relevance: 10.6, APIs: 7, Instructions: 86

APIs

Part of subcall function 01D02A38: IsBadWritePtr.KERNEL32(00000004,00000004), ref: 01D02A4F

Part of subcall function 01D02A11: IsBadReadPtr.KERNEL32(?,?), ref: 01D02A28

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 01D03A4B
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,00000000), ref: 01D03A93
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000208), ref: 01D03AC9
PathUnquoteSpacesW.SHLWAPI(?), ref: 01D03ADA
ExpandEnvironmentStringsW.KERNEL32(?,00000208,00000104), ref: 01D03AEF
RegCloseKey.ADVAPI32(00000000), ref: 01D03B03
LocalFree.KERNEL32(?), ref: 01D03B0C

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402446, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 76

APIs

CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040247D
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040248A

Part of subcall function 004057C5: GetFileAttributesW.KERNEL32(?), ref: 004057DF

RemoveDirectoryW.KERNEL32(C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 004024D6

Part of subcall function 0040240F: GetTempPathW.KERNEL32(00000104,?), ref: 00402424

SHDeleteKeyW.SHLWAPI(80000001,00000000), ref: 004024FD

Part of subcall function 00402C78: SHDeleteKeyW.SHLWAPI(80000001,00000000), ref: 00402C9C

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Part of subcall function 00406925: memset.NTDLL(?,00000000), ref: 004069A5
Part of subcall function 00406925: FindFirstFileW.KERNEL32(?,?), ref: 004069C5
Part of subcall function 00406925: PathMatchSpecW.SHLWAPI(?,00000005), ref: 00406A22
Part of subcall function 00406925: Sleep.KERNEL32(00000000), ref: 00406A54
Part of subcall function 00406925: Sleep.KERNEL32(00000000), ref: 00406A88
Part of subcall function 00406925: FindNextFileW.KERNEL32(00000001,?), ref: 00406AB6
Part of subcall function 00406925: FindClose.KERNEL32(00000001), ref: 00406AD0

Strings

B@, xrefs: 0040250F
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 00402450, 0040248C, 00402491, 0040249F, 004024CC, 004024D5

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00403AE8, Relevance: 10.6, APIs: 7, Instructions: 61

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00403B03
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00403B1C
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00403B31
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00403B43
UnmapViewOfFile.KERNEL32(00000000), ref: 00403B62
CloseHandle.KERNEL32(00000000), ref: 00403B69
CloseHandle.KERNEL32(00401E64), ref: 00403B72

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00403E4C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 37

APIs

MessageBoxW.USER32(00000000,gregergerhr,00000000,00000003), ref: 00403E60
OutputDebugStringW.KERNEL32(herhreh), ref: 00403E70
ExitProcess.KERNEL32 ref: 00403E78
GetEnvironmentVariableW.KERNEL32(00000000), ref: 00403EA1

Part of subcall function 004053D1: memset.NTDLL(?,00000000), ref: 00405422
Part of subcall function 004053D1: CreateProcessW.KERNEL32(?,00403C11,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040545B

Strings

gregergerhr, xrefs: 00403E59
herhreh, xrefs: 00403E6B

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D02F7A, Relevance: 9.1, APIs: 6, Instructions: 121

APIs

CoInitialize.OLE32(00000000), ref: 01D02F91

Part of subcall function 01D02EC9: FindFirstFileW.KERNEL32(?,?), ref: 01D02F0E
Part of subcall function 01D02EC9: FindNextFileW.KERNEL32(00000000,?), ref: 01D02F5D
Part of subcall function 01D02EC9: FindClose.KERNEL32(00000000), ref: 01D02F6C

CoCreateInstance.OLE32(01D05470,00000000,00000001,01D05460,01D01F59), ref: 01D02FC1
memset.NTDLL(?,00000000), ref: 01D02FE5
PathFindFileNameW.SHLWAPI ref: 01D02FEE
memcpy.NTDLL(?,?,00000000), ref: 01D02FFF

Part of subcall function 01D02079: PathFindFileNameW.SHLWAPI(?), ref: 01D02096
Part of subcall function 01D02079: lstrlenW.KERNEL32(00000000), ref: 01D0209F
Part of subcall function 01D02079: memcpy.NTDLL(?,00000000,?,?,?,?,?,?,00000000), ref: 01D020CC

Part of subcall function 01D04003: PathSkipRootW.SHLWAPI(?), ref: 01D04022
Part of subcall function 01D04003: GetFileAttributesW.KERNEL32(?), ref: 01D0404A
Part of subcall function 01D04003: CreateDirectoryW.KERNEL32(?,00000000), ref: 01D04058

Part of subcall function 01D020DE: _chkstk.NTDLL(?,01D0306C,?,00000006,?,?,?,?,?,?,?,?,?), ref: 01D020E6
Part of subcall function 01D020DE: GetFileVersionInfoSizeW.VERSION(00000006,?,?,00000000,?,01D0306C,?,00000006), ref: 01D020F6
Part of subcall function 01D020DE: GetFileVersionInfoW.VERSION(00000006,00000000,00000000,00000000,?,?,00000000,?,01D0306C,?,00000006), ref: 01D0211E
Part of subcall function 01D020DE: VerQueryValueW.VERSION(00000000,00000000,?,00000006,?,?,?,?,?,?,?,?,?), ref: 01D0214E

Part of subcall function 01D042A0: GetLastError.KERNEL32(77DA7305,00000000,01D03DB1,00000000,?,01D01095,?), ref: 01D042AB
Part of subcall function 01D042A0: HeapFree.KERNEL32(00000000,?,?,01D01095,?), ref: 01D042DC
Part of subcall function 01D042A0: SetLastError.KERNEL32(00000000,?,01D01095,?), ref: 01D042E3

CoUninitialize.OLE32 ref: 01D030D4

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D03328, Relevance: 9.1, APIs: 6, Instructions: 88

APIs

RegOpenKeyExW.ADVAPI32(80000003,?,00000000,00020119,?), ref: 01D03349
lstrcpyW.KERNEL32(00000000,?), ref: 01D03380
RegEnumValueW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 01D033B4

Part of subcall function 01D032BF: RegQueryValueExW.ADVAPI32(00000104,01D033CF,00000000,00000000,00000000,?), ref: 01D032DA
Part of subcall function 01D032BF: RegQueryValueExW.ADVAPI32(00000104,01D033CF,00000000,00000000,00000000,?), ref: 01D032FD
Part of subcall function 01D032BF: PathUnquoteSpacesW.SHLWAPI(00000000), ref: 01D03304
Part of subcall function 01D032BF: lstrcmpiW.KERNEL32(00000000,?), ref: 01D0330E

RegEnumValueW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 01D033F5
lstrcpyW.KERNEL32(00000000,?), ref: 01D0340C
RegCloseKey.ADVAPI32(?), ref: 01D0341B

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D01018, Relevance: 9.1, APIs: 6, Instructions: 64

APIs

memset.NTDLL(?,00000000), ref: 01D01032
GetVersionExW.KERNEL32(?), ref: 01D0104B
CreateThread.KERNEL32(00000000,00000000,01D01000,00000000), ref: 01D01081

Part of subcall function 01D01962: GetHandleInformation.KERNEL32(01D01095,00000000), ref: 01D01978
Part of subcall function 01D01962: CloseHandle.KERNEL32(01D01095), ref: 01D01989

SHGetFolderPathW.SHELL32(00000000,00000007,00000000,00000000,?), ref: 01D010A7
SetFileAttributesW.KERNEL32(?,00000006), ref: 01D010B6
SHChangeNotify.SHELL32(00000004,00000005,?,00000000), ref: 01D010C8

Part of subcall function 01D01651: GetCurrentProcess.KERNEL32 ref: 01D01670
Part of subcall function 01D01651: OpenProcessToken.ADVAPI32(00000000), ref: 01D01677
Part of subcall function 01D01651: memset.NTDLL(?,00000000), ref: 01D0169C
Part of subcall function 01D01651: GetVersionExW.KERNEL32(00000114), ref: 01D016AB
Part of subcall function 01D01651: GetTokenInformation.ADVAPI32(?,00000012,?,00000004,?), ref: 01D016D7
Part of subcall function 01D01651: GetTokenInformation.ADVAPI32(?,00000013,01D01062,00000004,?), ref: 01D016F2
Part of subcall function 01D01651: DuplicateToken.ADVAPI32(?,00000001,01D01062), ref: 01D01706
Part of subcall function 01D01651: CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 01D01722
Part of subcall function 01D01651: CheckTokenMembership.ADVAPI32(01D01062,?,?), ref: 01D01737

Part of subcall function 01D017AE: memset.NTDLL(?,00000000), ref: 01D017C7
Part of subcall function 01D017AE: GetCurrentProcess.KERNEL32 ref: 01D017E8
Part of subcall function 01D017AE: OpenProcessToken.ADVAPI32(00000000), ref: 01D017EF
Part of subcall function 01D017AE: GetTokenInformation.ADVAPI32(01D0106B,00000014,?,00000004,?), ref: 01D01808

Part of subcall function 01D01824: lstrlenW.KERNEL32(01D022A2), ref: 01D0183B
Part of subcall function 01D01824: lstrcpynW.KERNEL32(00000000,01D022A2,00000001), ref: 01D0185C

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404C57, Relevance: 9.1, APIs: 6, Instructions: 58

APIs

GetTickCount.KERNEL32 ref: 00404C6C
ioctlsocket.WSOCK32(00000004,4004667F,00000000,00000000,?,00000000,?,?,00404DD3,00000000,?,00000004), ref: 00404C89
#16.WSOCK32(00000004,?,00000000,00000000,?,?,00404DD3,00000000,?,00000004), ref: 00404CAB
GetTickCount.KERNEL32 ref: 00404CBD
Sleep.KERNEL32(00000001), ref: 00404CCC
GetTickCount.KERNEL32 ref: 00404CD2

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00405D1C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55

APIs

Part of subcall function 0040737C: IsBadStringPtrW.KERNEL32(?,00000104,?,004057D3,?,00401451,?), ref: 00407393

PathSkipRootW.SHLWAPI(C$@), ref: 00405D3B
GetFileAttributesW.KERNEL32(C$@), ref: 00405D63
NlsGetCacheUpdateCount.KERNEL32(C$@,00000000), ref: 00405D71

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 00405D37
C$@, xrefs: 00405D1D, 00405D21, 00405D38, 00405D5F, 00405D70

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040B123, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51

APIs

VirtualProtect.KERNEL32(?,00000005,00000040,?), ref: 0040B14C

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

VirtualProtect.KERNEL32(?,00000005,?,?), ref: 0040B179
GetCurrentProcess.KERNEL32 ref: 0040B17F
FlushInstructionCache.KERNEL32 ref: 0040B186

Strings

6>@, xrefs: 0040B123

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D020DE, Relevance: 7.6, APIs: 5, Instructions: 144

APIs

_chkstk.NTDLL(?,01D0306C,?,00000006,?,?,?,?,?,?,?,?,?), ref: 01D020E6
GetFileVersionInfoSizeW.VERSION(00000006,?,?,00000000,?,01D0306C,?,00000006), ref: 01D020F6
GetFileVersionInfoW.VERSION(00000006,00000000,00000000,00000000,?,?,00000000,?,01D0306C,?,00000006), ref: 01D0211E
VerQueryValueW.VERSION(00000000,00000000,?,00000006,?,?,?,?,?,?,?,?,?), ref: 01D0214E
VerQueryValueW.VERSION(00000000,?,?,?), ref: 01D02294

Part of subcall function 01D01824: lstrlenW.KERNEL32(01D022A2), ref: 01D0183B
Part of subcall function 01D01824: lstrcpynW.KERNEL32(00000000,01D022A2,00000001), ref: 01D0185C

Part of subcall function 01D042A0: GetLastError.KERNEL32(77DA7305,00000000,01D03DB1,00000000,?,01D01095,?), ref: 01D042AB
Part of subcall function 01D042A0: HeapFree.KERNEL32(00000000,?,?,01D01095,?), ref: 01D042DC
Part of subcall function 01D042A0: SetLastError.KERNEL32(00000000,?,01D01095,?), ref: 01D042E3

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00401E06, Relevance: 7.6, APIs: 5, Instructions: 84

APIs

CreateFileW.KERNEL32(00AC6910,40000000,00000000,00000000,00000002,00000001,00000000), ref: 00401E44
WriteFile.KERNEL32(00403DB3,?,?,?,00000000), ref: 00401E75
FlushFileBuffers.KERNEL32(00403DB3), ref: 00401E89

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Part of subcall function 00405760: SetFileAttributesW.KERNEL32(?,00000080), ref: 00405784
Part of subcall function 00405760: GetLastError.KERNEL32(?,?,00405E62,?,?,?,?,?,?,6$@,?,?,?,?,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 00405794
Part of subcall function 00405760: Sleep.KERNEL32(0000000A), ref: 004057A6

Part of subcall function 00403AE8: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00403B03
Part of subcall function 00403AE8: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00403B1C
Part of subcall function 00403AE8: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00403B31
Part of subcall function 00403AE8: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00403B43
Part of subcall function 00403AE8: UnmapViewOfFile.KERNEL32(00000000), ref: 00403B62
Part of subcall function 00403AE8: CloseHandle.KERNEL32(00000000), ref: 00403B69
Part of subcall function 00403AE8: CloseHandle.KERNEL32(00401E64), ref: 00403B72

GetModuleHandleW.KERNEL32(00000000), ref: 00401ECB
GetModuleFileNameW.KERNEL32(00000000), ref: 00401ED2

Part of subcall function 00406ADB: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,02000000,00000000), ref: 00406B2D
Part of subcall function 00406ADB: GetFileTime.KERNEL32(00000000,?,?,00401EE7), ref: 00406B43
Part of subcall function 00406ADB: CreateFileW.KERNEL32(00401EE7,00000100,00000000,00000000,00000003,02000000,00000000), ref: 00406B5E
Part of subcall function 00406ADB: SetFileTime.KERNEL32(00000000,?,?,00401EE7), ref: 00406B74

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D03D1B, Relevance: 7.6, APIs: 5, Instructions: 71

APIs

Part of subcall function 01D02A38: IsBadWritePtr.KERNEL32(00000004,00000004), ref: 01D02A4F

GetCurrentProcess.KERNEL32 ref: 01D03D45
OpenProcessToken.ADVAPI32(00000000,?,01D01095), ref: 01D03D4C
GetTokenInformation.ADVAPI32(01D01095,00000001,00000000,00000000,?), ref: 01D03D6B
GetTokenInformation.ADVAPI32(01D01095,00000001,00000000,?,?), ref: 01D03D8A
GetLengthSid.ADVAPI32(00000000,?,01D01095,?), ref: 01D03D92

Part of subcall function 01D042EC: memcpy.NTDLL(00000000,01D01095,?,01D057C0,0000000C,01D03DA0,00000000,00000000,?,01D01095), ref: 01D04315

Part of subcall function 01D042A0: GetLastError.KERNEL32(77DA7305,00000000,01D03DB1,00000000,?,01D01095,?), ref: 01D042AB
Part of subcall function 01D042A0: HeapFree.KERNEL32(00000000,?,?,01D01095,?), ref: 01D042DC
Part of subcall function 01D042A0: SetLastError.KERNEL32(00000000,?,01D01095,?), ref: 01D042E3

Part of subcall function 01D01962: GetHandleInformation.KERNEL32(01D01095,00000000), ref: 01D01978
Part of subcall function 01D01962: CloseHandle.KERNEL32(01D01095), ref: 01D01989

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004014FE, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

wsprintfW.USER32 ref: 00401528
RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020119,?), ref: 00401558
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00401578
RegEnumKeyW.ADVAPI32(?,00000000,?,00000064), ref: 0040158F
RegCloseKey.ADVAPI32(?), ref: 0040159E

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D03C05, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

Part of subcall function 01D02A38: IsBadWritePtr.KERNEL32(00000004,00000004), ref: 01D02A4F

SHGetFolderPathW.SHELL32(00000000,00000028,000000FF,00000001,?), ref: 01D03C39
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 01D03C4D
lstrlenW.KERNEL32(?), ref: 01D03C5A
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 01D03C71
lstrcpyW.KERNEL32(?,?), ref: 01D03C86

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040251C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,004042F0,00000000), ref: 0040254E
RegSetValueExW.ADVAPI32(004042F0,00000000,00000000,00000004,00000001,00000004), ref: 00402582
RegCloseKey.ADVAPI32(004042F0), ref: 0040258B

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 00402521

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D034F5, Relevance: 6.1, APIs: 4, Instructions: 108

APIs

Part of subcall function 01D02079: PathFindFileNameW.SHLWAPI(?), ref: 01D02096
Part of subcall function 01D02079: lstrlenW.KERNEL32(00000000), ref: 01D0209F
Part of subcall function 01D02079: memcpy.NTDLL(?,00000000,?,?,?,?,?,?,00000000), ref: 01D020CC

Part of subcall function 01D03328: RegOpenKeyExW.ADVAPI32(80000003,?,00000000,00020119,?), ref: 01D03349
Part of subcall function 01D03328: lstrcpyW.KERNEL32(00000000,?), ref: 01D03380
Part of subcall function 01D03328: RegEnumValueW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 01D033B4
Part of subcall function 01D03328: RegEnumValueW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 01D033F5
Part of subcall function 01D03328: lstrcpyW.KERNEL32(00000000,?), ref: 01D0340C
Part of subcall function 01D03328: RegCloseKey.ADVAPI32(?), ref: 01D0341B

RegCreateKeyExW.ADVAPI32(80000003,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 01D035C5
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 01D035E3
RegFlushKey.ADVAPI32(?), ref: 01D035F5
RegCloseKey.ADVAPI32(?), ref: 01D035FF

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004078C0, Relevance: 6.1, APIs: 4, Instructions: 81

APIs

Part of subcall function 004077DF: SetErrorMode.KERNEL32(00000001), ref: 004077F2
Part of subcall function 004077DF: GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,0000001E), ref: 00407831
Part of subcall function 004077DF: StrCmpNIW.SHLWAPI(?,00000000,00000003), ref: 0040785D
Part of subcall function 004077DF: StrCmpNIW.SHLWAPI(?,00000000,00000005), ref: 0040787F
Part of subcall function 004077DF: StrCmpNIW.SHLWAPI(?,00000000,00000004), ref: 004078A6
Part of subcall function 004077DF: SetErrorMode.KERNEL32(004078D4), ref: 004078B6

Part of subcall function 00407734: GetCurrentProcess.KERNEL32 ref: 0040775E
Part of subcall function 00407734: OpenProcessToken.ADVAPI32(00000000), ref: 00407765
Part of subcall function 00407734: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00407784
Part of subcall function 00407734: GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 004077A3
Part of subcall function 00407734: GetLengthSid.ADVAPI32(00000000), ref: 004077AB

GetVersionExW.KERNEL32(?), ref: 004078F6
ConvertSidToStringSidW.ADVAPI32(?,004027AA), ref: 00407910
ConvertSidToStringSidW.ADVAPI32(?,004027AA), ref: 00407949
LocalFree.KERNEL32(004027AA), ref: 0040797D

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406ADB, Relevance: 6.1, APIs: 4, Instructions: 76

APIs

Part of subcall function 0040737C: IsBadStringPtrW.KERNEL32(?,00000104,?,004057D3,?,00401451,?), ref: 00407393

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,02000000,00000000), ref: 00406B2D
GetFileTime.KERNEL32(00000000,?,?,00401EE7), ref: 00406B43

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

CreateFileW.KERNEL32(00401EE7,00000100,00000000,00000000,00000003,02000000,00000000), ref: 00406B5E
SetFileTime.KERNEL32(00000000,?,?,00401EE7), ref: 00406B74

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D03B17, Relevance: 6.1, APIs: 4, Instructions: 75

APIs

NetUserEnum.NETAPI32(00000000,00000000,00000002,00000000,000000FF,01D03C01,?,?), ref: 01D03B44
NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 01D03B74
NetApiBufferFree.NETAPI32(?), ref: 01D03BA7
NetApiBufferFree.NETAPI32(00000000), ref: 01D03BBB

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402D25, Relevance: 6.1, APIs: 4, Instructions: 62

APIs

GetFileVersionInfoSizeA.VERSION(?,00000000), ref: 00402D32
GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000), ref: 00402D52
VerQueryValueA.VERSION(00000000,00000000,?,?), ref: 00402D7B
memcpy.NTDLL(?,?,?), ref: 00402D97

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040147D, Relevance: 6.1, APIs: 4, Instructions: 59

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0040149A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014B8
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014DF

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

RegCloseKey.ADVAPI32(?), ref: 004014F1

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402AD4, Relevance: 6.1, APIs: 4, Instructions: 56

APIs

Part of subcall function 0040732E: IsBadReadPtr.KERNEL32(0000000C,0000000C), ref: 00407345

Part of subcall function 00402881: ConvertSidToStringSidW.ADVAPI32(00402C96,?), ref: 004028AE
Part of subcall function 00402881: lstrlenW.KERNEL32(?), ref: 004028CE
Part of subcall function 00402881: CharUpperBuffW.USER32(?,00000000), ref: 004028D9
Part of subcall function 00402881: CharLowerBuffW.USER32(?,00000026), ref: 004028E5
Part of subcall function 00402881: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,000F013F,00000000,00402508,00000000), ref: 00402945
Part of subcall function 00402881: RegCreateKeyW.ADVAPI32(00402508,00000000,?), ref: 0040296D
Part of subcall function 00402881: RegCloseKey.ADVAPI32(?), ref: 00402980
Part of subcall function 00402881: RegCloseKey.ADVAPI32(00402508), ref: 00402985
Part of subcall function 00402881: LocalFree.KERNEL32(?), ref: 0040298A

RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,00000000,00000000), ref: 00402B0E

Part of subcall function 00402A93: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00402AC7

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,00000000,00000000), ref: 00402B36
RegFlushKey.ADVAPI32(00000000), ref: 00402B47
RegCloseKey.ADVAPI32(00000000), ref: 00402B50

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D032BF, Relevance: 6.1, APIs: 4, Instructions: 51

APIs

RegQueryValueExW.ADVAPI32(00000104,01D033CF,00000000,00000000,00000000,?), ref: 01D032DA
RegQueryValueExW.ADVAPI32(00000104,01D033CF,00000000,00000000,00000000,?), ref: 01D032FD
PathUnquoteSpacesW.SHLWAPI(00000000), ref: 01D03304
lstrcmpiW.KERNEL32(00000000,?), ref: 01D0330E

Part of subcall function 01D042A0: GetLastError.KERNEL32(77DA7305,00000000,01D03DB1,00000000,?,01D01095,?), ref: 01D042AB
Part of subcall function 01D042A0: HeapFree.KERNEL32(00000000,?,?,01D01095,?), ref: 01D042DC
Part of subcall function 01D042A0: SetLastError.KERNEL32(00000000,?,01D01095,?), ref: 01D042E3

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00408B9B, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

GetLastError.KERNEL32(00412908,0000000C,004056DE,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BA9

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

SetLastError.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BF8

Part of subcall function 00408AA8: GetCurrentProcessId.KERNEL32 ref: 00408AA8

GetCurrentThreadId.KERNEL32 ref: 00408BCF
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BE2

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004053D1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75

APIs

Part of subcall function 0040737C: IsBadStringPtrW.KERNEL32(?,00000104,?,004057D3,?,00401451,?), ref: 00407393

memset.NTDLL(?,00000000), ref: 00405422
CreateProcessW.KERNEL32(?,00403C11,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040545B

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Strings

D, xrefs: 0040544D

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040819D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68

APIs

Part of subcall function 00407F93: GetCurrentProcessId.KERNEL32 ref: 00407F93

GetCurrentProcessId.KERNEL32 ref: 004081C5
CreateThread.KERNEL32(00000000,00000000,00407FD2,00000000), ref: 004081E1

Part of subcall function 00408B2D: GetLastError.KERNEL32(00412928,0000000C,00405636,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B3B
Part of subcall function 00408B2D: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B70
Part of subcall function 00408B2D: GetCurrentThreadId.KERNEL32 ref: 00408B76
Part of subcall function 00408B2D: SetLastError.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B8F

Part of subcall function 00407311: IsBadCodePtr.KERNEL32(?), ref: 0040731E

Part of subcall function 00408B9B: GetLastError.KERNEL32(00412908,0000000C,004056DE,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BA9
Part of subcall function 00408B9B: GetCurrentThreadId.KERNEL32 ref: 00408BCF
Part of subcall function 00408B9B: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BE2
Part of subcall function 00408B9B: SetLastError.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BF8

Part of subcall function 0040B198: VirtualProtect.KERNEL32(00000000,0000002E,00000040,?), ref: 0040B224

Part of subcall function 00408ABA: GetLastError.KERNEL32(00412918,00000010,004055EE,?,00405620,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408ACD
Part of subcall function 00408ABA: InitializeCriticalSection.KERNEL32(?), ref: 00408AF6
Part of subcall function 00408ABA: GetCurrentProcessId.KERNEL32 ref: 00408AFC
Part of subcall function 00408ABA: SetLastError.KERNEL32(?,?,00405620,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B1E

Strings

6>@, xrefs: 004081FC, 0040820B

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407C58, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6

APIs

shutdown.WSOCK32(DM@,00000002,00404D44,00000000), ref: 00407C5E
closesocket.WSOCK32(?), ref: 00407C68

Strings

DM@, xrefs: 00407C5A

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040E738, Relevance: 5.1, APIs: 4, Instructions: 60

APIs

GetLastError.KERNEL32(00403BFF,?,00405A48,?,?,00000000,?,00000004,00000004,?,00405B7C,?,?,?,00412988,00000010), ref: 0040E73C

Part of subcall function 0040E5AF: GetCurrentProcessId.KERNEL32 ref: 0040E5AF

HeapAlloc.KERNEL32(00000008,00403C10,00000000,00000000,?,?,00405A48,?,?,00000000,?,00000004,00000004,?,00405B7C,?), ref: 0040E7A7

Part of subcall function 0040E5C1: HeapValidate.KERNEL32(00000000,623637B5,004128A8), ref: 0040E5E4

HeapReAlloc.KERNEL32(00000008,?,00403C10,00000000,00000000,?,?,00405A48,?,?,00000000,?,00000004,00000004,?,00405B7C), ref: 0040E793
SetLastError.KERNEL32(00000000,?,?,00405A48,?,?,00000000,?,00000004,00000004,?,00405B7C,?,?,?,00412988), ref: 0040E7C7

Part of subcall function 0040E668: HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 0040E68B
Part of subcall function 0040E668: HeapSetInformation.KERNEL32(00000000,00000000,00000000,00000004), ref: 0040E6AA
Part of subcall function 0040E668: GetCurrentProcessId.KERNEL32 ref: 0040E6B0

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004029A1, Relevance: 4.6, APIs: 3, Instructions: 97

APIs

Part of subcall function 0040732E: IsBadReadPtr.KERNEL32(0000000C,0000000C), ref: 00407345

Part of subcall function 00402775: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00402799
Part of subcall function 00402775: ConvertSidToStringSidW.ADVAPI32(00402508,?), ref: 004027CC
Part of subcall function 00402775: LocalFree.KERNEL32(?), ref: 004027FF
Part of subcall function 00402775: StrCpyNW.SHLWAPI(?,00AC2AF0,00AC2AF7), ref: 0040283C
Part of subcall function 00402775: GetFileAttributesW.KERNEL32(?), ref: 0040284F
Part of subcall function 00402775: SetFileAttributesW.KERNEL32(?,00000000), ref: 00402862
Part of subcall function 00402775: GetFileAttributesW.KERNEL32 ref: 0040286A
Part of subcall function 00402775: SetFileAttributesW.KERNEL32(00000000), ref: 00402876

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000006,00000000), ref: 00402A2F
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00402A49
FlushFileBuffers.KERNEL32(00000000), ref: 00402A5F

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004015DF, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 89

APIs

Part of subcall function 004014FE: wsprintfW.USER32 ref: 00401528
Part of subcall function 004014FE: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020119,?), ref: 00401558
Part of subcall function 004014FE: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00401578
Part of subcall function 004014FE: RegEnumKeyW.ADVAPI32(?,00000000,?,00000064), ref: 0040158F
Part of subcall function 004014FE: RegCloseKey.ADVAPI32(?), ref: 0040159E

Part of subcall function 0040147D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0040149A
Part of subcall function 0040147D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014B8
Part of subcall function 0040147D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014DF
Part of subcall function 0040147D: RegCloseKey.ADVAPI32(?), ref: 004014F1

StrStrIW.SHLWAPI(00000000,00000000), ref: 0040165A
StrStrIW.SHLWAPI(00000000,00000000), ref: 004016B9

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Strings

t.PJ, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404D78, Relevance: 4.6, APIs: 3, Instructions: 80

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000,00000000), ref: 00404D86

Part of subcall function 00404CEB: socket.WSOCK32(00000002,00000001,00000006,00000000,?), ref: 00404CF9
Part of subcall function 00404CEB: htons.WSOCK32(0000BE73), ref: 00404D1C
Part of subcall function 00404CEB: connect.WSOCK32(00000000,?,00000010), ref: 00404D33

InterlockedIncrement.KERNEL32(?), ref: 00404DA9

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

InterlockedDecrement.KERNEL32(?), ref: 00404E2F

Part of subcall function 00407C58: shutdown.WSOCK32(DM@,00000002,00404D44,00000000), ref: 00407C5E
Part of subcall function 00407C58: closesocket.WSOCK32(?), ref: 00407C68

Part of subcall function 00404C57: GetTickCount.KERNEL32 ref: 00404C6C
Part of subcall function 00404C57: ioctlsocket.WSOCK32(00000004,4004667F,00000000,00000000,?,00000000,?,?,00404DD3,00000000,?,00000004), ref: 00404C89
Part of subcall function 00404C57: #16.WSOCK32(00000004,?,00000000,00000000,?,?,00404DD3,00000000,?,00000004), ref: 00404CAB
Part of subcall function 00404C57: GetTickCount.KERNEL32 ref: 00404CBD
Part of subcall function 00404C57: Sleep.KERNEL32(00000001), ref: 00404CCC
Part of subcall function 00404C57: GetTickCount.KERNEL32 ref: 00404CD2

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004079F1, Relevance: 4.6, APIs: 3, Instructions: 65

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 00407A07
CoCreateInstance.OLE32(00411480,00000000,00004401,004113B0,?), ref: 00407A30
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00407A63

Part of subcall function 004079B8: CoUninitialize.OLE32 ref: 004079E4

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402CA4, Relevance: 4.6, APIs: 3, Instructions: 56

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00402CCD
htons.WSOCK32(?), ref: 00402CF1
connect.WSOCK32(00000000,?,00000010), ref: 00402D02

Part of subcall function 00407C58: shutdown.WSOCK32(DM@,00000002,00404D44,00000000), ref: 00407C5E
Part of subcall function 00407C58: closesocket.WSOCK32(?), ref: 00407C68

Part of subcall function 00407C18: send.WSOCK32(?,?,?,00000000,?,?,00000000,00402D18,00000000), ref: 00407C3B

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D03236, Relevance: 4.6, APIs: 3, Instructions: 52

APIs

CoInitialize.OLE32(00000000), ref: 01D03247
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 01D03283
CoUninitialize.OLE32 ref: 01D032AC

Part of subcall function 01D0311B: FindFirstFileW.KERNEL32(?,?), ref: 01D03160
Part of subcall function 01D0311B: FindNextFileW.KERNEL32(00000000,?), ref: 01D031AF
Part of subcall function 01D0311B: FindClose.KERNEL32(00000000), ref: 01D031D3

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402594, Relevance: 4.6, APIs: 3, Instructions: 51

APIs

RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 004025C7
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004), ref: 004025FF
RegCloseKey.ADVAPI32(?), ref: 00402612

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00403B7F, Relevance: 4.5, APIs: 3, Instructions: 49

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 00403B98
GetEnvironmentVariableW.KERNEL32(00000000), ref: 00403BBD
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00403BD2

Part of subcall function 004053D1: memset.NTDLL(?,00000000), ref: 00405422
Part of subcall function 004053D1: CreateProcessW.KERNEL32(?,00403C11,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040545B

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004013F2, Relevance: 4.5, APIs: 3, Instructions: 48

APIs

SetErrorMode.KERNEL32(00008000), ref: 00401400
GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401412
lstrcatW.KERNEL32(?,00000000), ref: 0040143F

Part of subcall function 004057C5: GetFileAttributesW.KERNEL32(?), ref: 004057DF

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402E77, Relevance: 4.5, APIs: 3, Instructions: 44

APIs

RegOpenKeyW.ADVAPI32(80000002,00000000,?), ref: 00402EA0
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004), ref: 00402ED5
RegCloseKey.ADVAPI32(?), ref: 00402EE8

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00405760, Relevance: 4.5, APIs: 3, Instructions: 43

APIs

Part of subcall function 0040737C: IsBadStringPtrW.KERNEL32(?,00000104,?,004057D3,?,00401451,?), ref: 00407393

GetLastError.KERNEL32(?,?,00405E62,?,?,?,?,?,?,6$@,?,?,?,?,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 00405794
Sleep.KERNEL32(0000000A), ref: 004057A6
SetFileAttributesW.KERNEL32(?,00000080), ref: 00405784

Part of subcall function 004056E6: SetFileTime.KERNEL32(00000000,?,00000000,00000208,?,00000000), ref: 00405704
Part of subcall function 004056E6: RtlDosPathNameToNtPathName_U.NTDLL(?,?,00000000,00000000), ref: 0040571B
Part of subcall function 004056E6: NtDeleteFile.NTDLL(?), ref: 00405746
Part of subcall function 004056E6: RtlFreeUnicodeString.NTDLL(?), ref: 00405755

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404CEB, Relevance: 4.5, APIs: 3, Instructions: 42

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,?), ref: 00404CF9
htons.WSOCK32(0000BE73), ref: 00404D1C
connect.WSOCK32(00000000,?,00000010), ref: 00404D33

Part of subcall function 00407C58: shutdown.WSOCK32(DM@,00000002,00404D44,00000000), ref: 00407C5E
Part of subcall function 00407C58: closesocket.WSOCK32(?), ref: 00407C68

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004051ED, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020119,00000000), ref: 0040521A
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,0000000F,96EBEDC5), ref: 0040524F
RegCloseKey.ADVAPI32(00000000), ref: 00405258

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D0418B, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

GetLastError.KERNEL32(77DA7305,00000000,01D01095,01D041F7,00000008,01D03D7A,?,?,01D01095,?), ref: 01D04190

Part of subcall function 01D0407D: GetCurrentProcessId.KERNEL32 ref: 01D0407D

RtlRemoveVectoredExceptionHandler.NTDLL(?,?,?,01D01095,?), ref: 01D041C0
SetLastError.KERNEL32(00000000,?,01D01095,?), ref: 01D041E0

Part of subcall function 01D04136: HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 01D04159
Part of subcall function 01D04136: HeapSetInformation.KERNEL32(00000000,00000000,01D041A6,00000004), ref: 01D04178
Part of subcall function 01D04136: GetCurrentProcessId.KERNEL32 ref: 01D0417E

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040E6BD, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

GetLastError.KERNEL32(00000000,00AAB910,0000000C,0040E729,00000008,00405656,00000014,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 0040E6C2

Part of subcall function 0040E5AF: GetCurrentProcessId.KERNEL32 ref: 0040E5AF

RtlRemoveVectoredExceptionHandler.NTDLL(00401434,00000007,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 0040E6F2
SetLastError.KERNEL32(00000000,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 0040E712

Part of subcall function 0040E668: HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 0040E68B
Part of subcall function 0040E668: HeapSetInformation.KERNEL32(00000000,00000000,00000000,00000004), ref: 0040E6AA
Part of subcall function 0040E668: GetCurrentProcessId.KERNEL32 ref: 0040E6B0

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00405166, Relevance: 4.5, APIs: 3, Instructions: 34

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0040519C
GetProcAddress.KERNEL32(00000000), ref: 004051A3
IsWow64Process.KERNEL32(00403196,00000000,?,?,00000000,?,?,00403196), ref: 004051B5

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D04136, Relevance: 4.5, APIs: 3, Instructions: 29

APIs

Part of subcall function 01D0407D: GetCurrentProcessId.KERNEL32 ref: 01D0407D

HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 01D04159
HeapSetInformation.KERNEL32(00000000,00000000,01D041A6,00000004), ref: 01D04178
GetCurrentProcessId.KERNEL32 ref: 01D0417E

Part of subcall function 01D040ED: GetProcessHeaps.KERNEL32(000000FF,?,00000000), ref: 01D04105

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040E668, Relevance: 4.5, APIs: 3, Instructions: 29

APIs

Part of subcall function 0040E5AF: GetCurrentProcessId.KERNEL32 ref: 0040E5AF

HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 0040E68B
HeapSetInformation.KERNEL32(00000000,00000000,00000000,00000004), ref: 0040E6AA
GetCurrentProcessId.KERNEL32 ref: 0040E6B0

Part of subcall function 0040E61F: GetProcessHeaps.KERNEL32(000000FF,?,00000000), ref: 0040E637

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004026A3, Relevance: 4.5, APIs: 3, Instructions: 25

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00402508,00000000), ref: 004026B4
SetFileSecurityW.ADVAPI32(?,00000004,00402508), ref: 004026C6
LocalFree.KERNEL32(00402508), ref: 004026D4

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040651F, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 17

APIs

TlsGetValue.KERNEL32(Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.),0040668E), ref: 00406528

Part of subcall function 004064A4: TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
Part of subcall function 004064A4: TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
Part of subcall function 004064A4: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
Part of subcall function 004064A4: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE
Part of subcall function 004064A4: RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

TlsSetValue.KERNEL32(00000000,004054DD), ref: 00406549

Strings

Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.), xrefs: 00406521

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407056, Relevance: 3.8, APIs: 3, Instructions: 58

APIs

EnterCriticalSection.KERNEL32(00000014,00000000,00000000,?,?,?,00402BBF,00000000,?,?,00000000,?,?,?,00000000,?), ref: 00407075

Part of subcall function 004089E0: lstrlenW.KERNEL32(00402BBF), ref: 00408A10

StrCmpNIA.SHLWAPI(-0000001C,00000000,?), ref: 004070A0

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

LeaveCriticalSection.KERNEL32(00402BBF,?,?,?,00402BBF,00000000,?,?,00000000,?,?,?,00000000,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 004070D3

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00405C62, Relevance: 3.8, APIs: 3, Instructions: 46

APIs

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

lstrlenW.KERNEL32(?), ref: 00405C93
lstrlenW.KERNEL32 ref: 00405C99

Part of subcall function 0040E738: GetLastError.KERNEL32(00403BFF,?,00405A48,?,?,00000000,?,00000004,00000004,?,00405B7C,?,?,?,00412988,00000010), ref: 0040E73C
Part of subcall function 0040E738: HeapReAlloc.KERNEL32(00000008,?,00403C10,00000000,00000000,?,?,00405A48,?,?,00000000,?,00000004,00000004,?,00405B7C), ref: 0040E793
Part of subcall function 0040E738: HeapAlloc.KERNEL32(00000008,00403C10,00000000,00000000,?,?,00405A48,?,?,00000000,?,00000004,00000004,?,00405B7C,?), ref: 0040E7A7
Part of subcall function 0040E738: SetLastError.KERNEL32(00000000,?,?,00405A48,?,?,00000000,?,00000004,00000004,?,00405B7C,?,?,?,00412988), ref: 0040E7C7

lstrcpynW.KERNEL32(00000000,?,00000001), ref: 00405CC0

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00405263, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92

APIs

Part of subcall function 004073CF: IsBadStringPtrA.KERNEL32(0000000C,0000000C), ref: 004073E6

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

GetComputerNameA.KERNEL32(?,00000000), ref: 004052A5

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Strings

n#@, xrefs: 00405263

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402A93, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00402AC7

Strings

$+@, xrefs: 00402AA8

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402DAF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 00402DC0

Strings

@, xrefs: 00402DB9

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004062A1, Relevance: 3.1, APIs: 2, Instructions: 100

APIs

GetStartupInfoA.KERNEL32(?), ref: 004062B6

Part of subcall function 0040796E: HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00407983

Part of subcall function 00406839: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406843
Part of subcall function 00406839: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040686A
Part of subcall function 00406839: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00406877
Part of subcall function 00406839: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00406884
Part of subcall function 00406839: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00406891
Part of subcall function 00406839: TlsAlloc.KERNEL32 ref: 004068E1
Part of subcall function 00406839: TlsSetValue.KERNEL32(00000000), ref: 004068FC
Part of subcall function 00406839: GetCurrentThreadId.KERNEL32 ref: 004069AB

Part of subcall function 004076CE: GetStartupInfoA.KERNEL32(?), ref: 004076E3
Part of subcall function 004076CE: GetFileType.KERNEL32(00000040), ref: 0040780D
Part of subcall function 004076CE: GetStdHandle.KERNEL32(-000000F6), ref: 00407897
Part of subcall function 004076CE: GetFileType.KERNEL32(00000000), ref: 004078A9
Part of subcall function 004076CE: SetHandleCount.KERNEL32 ref: 00407901

GetCommandLineA.KERNEL32 ref: 0040634B

Part of subcall function 00407597: GetEnvironmentStringsW.KERNEL32 ref: 004075B5
Part of subcall function 00407597: GetLastError.KERNEL32 ref: 004075C9
Part of subcall function 00407597: GetEnvironmentStringsW.KERNEL32 ref: 004075F0
Part of subcall function 00407597: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0040762A
Part of subcall function 00407597: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040764D
Part of subcall function 00407597: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00407663
Part of subcall function 00407597: GetEnvironmentStrings.KERNEL32 ref: 00407676
Part of subcall function 00407597: FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004076A8
Part of subcall function 00407597: FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004076C1

Part of subcall function 004074DC: GetModuleFileNameA.KERNEL32(00000000,00440AC8,00000104), ref: 00407508

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00401C60, Relevance: 3.1, APIs: 2, Instructions: 98

APIs

Part of subcall function 004036C2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004036E9
Part of subcall function 004036C2: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,00000006,00000000), ref: 00403721
Part of subcall function 004036C2: RegCreateKeyW.ADVAPI32(00000006,?,00000000), ref: 00403760
Part of subcall function 004036C2: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00411D40), ref: 00403771
Part of subcall function 004036C2: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 004037AB
Part of subcall function 004036C2: RegCloseKey.ADVAPI32(00000000), ref: 00403845
Part of subcall function 004036C2: RegCloseKey.ADVAPI32(00000006), ref: 0040384E
Part of subcall function 004036C2: ReleaseMutex.KERNEL32 ref: 0040385A

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

CoInitialize.OLE32(00000000), ref: 00401CD6
CoCreateGuid.OLE32(?), ref: 00401CE0

Part of subcall function 0040732E: IsBadReadPtr.KERNEL32(0000000C,0000000C), ref: 00407345

Part of subcall function 00403868: WaitForMultipleObjects.KERNEL32(00000002,00401D31,00000000,000000FF), ref: 00403890
Part of subcall function 00403868: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 004038C8
Part of subcall function 00403868: RegCreateKeyW.ADVAPI32(?,?,00000006), ref: 00403907
Part of subcall function 00403868: lstrlenA.KERNEL32(00000006,?,?,?,?,?,?,CE56F72D,?,?,00000000,00411D40), ref: 00403918
Part of subcall function 00403868: RegSetValueExA.ADVAPI32(00000006,00411D40,00000000,00000003,00000000,00000014), ref: 00403971
Part of subcall function 00403868: RegFlushKey.ADVAPI32(00000006), ref: 00403988
Part of subcall function 00403868: RegCloseKey.ADVAPI32(00000006), ref: 00403998
Part of subcall function 00403868: RegCloseKey.ADVAPI32(?), ref: 004039A1
Part of subcall function 00403868: ReleaseMutex.KERNEL32 ref: 004039AD

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D02E09, Relevance: 3.1, APIs: 2, Instructions: 66

APIs

CoCreateInstance.OLE32(01D05470,00000000,00000001,01D05460,?), ref: 01D02E34
lstrcmpiW.KERNEL32(01D02FA0,?), ref: 01D02E93

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404936, Relevance: 3.1, APIs: 2, Instructions: 59

APIs

GetTickCount.KERNEL32 ref: 00404940
lstrlenA.KERNEL32(00404A8B,?,?,?,?,?,?,?,?,00404A8B,?), ref: 00404998

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407EC5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 55

APIs

lstrcpynA.KERNEL32(?,00000018,00000032,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate,00000000), ref: 00407F1F

Part of subcall function 00408800: lstrlenA.KERNEL32(00000000,00000000,00000000,?,004088B9,623637BD,00000000,00000000,0000000C,623637BD), ref: 00408820

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 00407ECC

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D0371B, Relevance: 3.0, APIs: 2, Instructions: 33

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 01D03735
LocalFree.KERNEL32(?), ref: 01D03752

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D01962, Relevance: 3.0, APIs: 2, Instructions: 26

APIs

GetHandleInformation.KERNEL32(01D01095,00000000), ref: 01D01978
CloseHandle.KERNEL32(01D01095), ref: 01D01989

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404E5F, Relevance: 3.0, APIs: 2, Instructions: 26

APIs

GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
CloseHandle.KERNEL32(?), ref: 00404E86

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00401026, Relevance: 3.0, APIs: 2, Instructions: 25

APIs

CreateFileW.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00401036
GetLastError.KERNEL32 ref: 0040104D

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D03641, Relevance: 3.0, APIs: 2, Instructions: 23

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 01D0364F

Part of subcall function 01D034F5: RegCreateKeyExW.ADVAPI32(80000003,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 01D035C5
Part of subcall function 01D034F5: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 01D035E3
Part of subcall function 01D034F5: RegFlushKey.ADVAPI32(?), ref: 01D035F5
Part of subcall function 01D034F5: RegCloseKey.ADVAPI32(?), ref: 01D035FF

LocalFree.KERNEL32(?), ref: 01D0366B

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004016D3, Relevance: 2.6, APIs: 2, Instructions: 79

APIs

Part of subcall function 0040147D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0040149A
Part of subcall function 0040147D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014B8
Part of subcall function 0040147D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004014DF
Part of subcall function 0040147D: RegCloseKey.ADVAPI32(?), ref: 004014F1

StrStrIW.SHLWAPI(00000000,00000000), ref: 00401730
StrStrIW.SHLWAPI(00000000,00000000), ref: 0040178E

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004086D8, Relevance: 2.5, APIs: 2, Instructions: 22

APIs

lstrlenA.KERNEL32(0000000C,?,00408893,000004E3,623637BD,00000000,?,004056C4,?,00000000), ref: 004086E2
MultiByteToWideChar.KERNEL32(623637BD,00000000,0000000C,00000000,00000000,00411B80), ref: 004086F5

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407A81, Relevance: 1.6, APIs: 1, Instructions: 91

APIs

#9.OLEAUT32(?,?,?,?,?,?,?,?,00000000,?,?,?,00407B97,?,?), ref: 00407B5C

Part of subcall function 00405C00: lstrlenW.KERNEL32 ref: 00405C31

Part of subcall function 00405C62: lstrlenW.KERNEL32(?), ref: 00405C93
Part of subcall function 00405C62: lstrlenW.KERNEL32 ref: 00405C99
Part of subcall function 00405C62: lstrcpynW.KERNEL32(00000000,?,00000001), ref: 00405CC0

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040B198, Relevance: 1.6, APIs: 1, Instructions: 82

APIs

VirtualProtect.KERNEL32(00000000,0000002E,00000040,?), ref: 0040B224

Part of subcall function 0040AE6F: VirtualProtect.KERNEL32(00000000,0000001E,00000040,?), ref: 0040AE9C
Part of subcall function 0040AE6F: memset.NTDLL(?,00000000), ref: 0040AECF
Part of subcall function 0040AE6F: memcpy.NTDLL(?,?,00000006), ref: 0040B0AB
Part of subcall function 0040AE6F: memcpy.NTDLL(0040814A,?,?), ref: 0040B0D7

Part of subcall function 0040B123: VirtualProtect.KERNEL32(?,00000005,00000040,?), ref: 0040B14C
Part of subcall function 0040B123: VirtualProtect.KERNEL32(?,00000005,?,?), ref: 0040B179
Part of subcall function 0040B123: GetCurrentProcess.KERNEL32 ref: 0040B17F
Part of subcall function 0040B123: FlushInstructionCache.KERNEL32 ref: 0040B186

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003E05DB, Relevance: 1.6, APIs: 1, Instructions: 56

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,003E0327,2B14D0EE,?), ref: 003E0607

Memory Dump Source

Source File: 00000000.00000002.58311474329395.003E0000.00000040.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00401D91, Relevance: 1.6, APIs: 1, Instructions: 50

APIs

Part of subcall function 004036C2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004036E9
Part of subcall function 004036C2: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F013F,00000000,00000006,00000000), ref: 00403721
Part of subcall function 004036C2: RegCreateKeyW.ADVAPI32(00000006,?,00000000), ref: 00403760
Part of subcall function 004036C2: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00411D40), ref: 00403771
Part of subcall function 004036C2: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 004037AB
Part of subcall function 004036C2: RegCloseKey.ADVAPI32(00000000), ref: 00403845
Part of subcall function 004036C2: RegCloseKey.ADVAPI32(00000006), ref: 0040384E
Part of subcall function 004036C2: ReleaseMutex.KERNEL32 ref: 0040385A

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

GetLocalTime.KERNEL32(?), ref: 00401DF2

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407C18, Relevance: 1.5, APIs: 1, Instructions: 34

APIs

Part of subcall function 0040732E: IsBadReadPtr.KERNEL32(0000000C,0000000C), ref: 00407345

send.WSOCK32(?,?,?,00000000,?,?,00000000,00402D18,00000000), ref: 00407C3B

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D03FC4, Relevance: 1.5, APIs: 1, Instructions: 27

APIs

CreateThread.KERNEL32(00000000,00000000,01D03F7F,00000000), ref: 01D03FEB

Part of subcall function 01D042A0: GetLastError.KERNEL32(77DA7305,00000000,01D03DB1,00000000,?,01D01095,?), ref: 01D042AB
Part of subcall function 01D042A0: HeapFree.KERNEL32(00000000,?,?,01D01095,?), ref: 01D042DC
Part of subcall function 01D042A0: SetLastError.KERNEL32(00000000,?,01D01095,?), ref: 01D042E3

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404BF0, Relevance: 1.5, APIs: 1, Instructions: 21

APIs

send.WSOCK32(?,00404A8B,004049BA,00000000,00000000,00000000,00404C32,?,00000004,?,004049BA,00404A8B,00000000,?,00000000), ref: 00404C01

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040796E, Relevance: 1.5, APIs: 1, Instructions: 20

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00407983

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004051C1, Relevance: 1.5, APIs: 1, Instructions: 19

APIs

GetNativeSystemInfo.KERNEL32(00000000), ref: 004051DA

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040240F, Relevance: 1.5, APIs: 1, Instructions: 17

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00402424

Part of subcall function 00405D96: FindFirstFileW.KERNEL32(?,?), ref: 00405DF0
Part of subcall function 00405D96: FindNextFileW.KERNEL32(00000000,?), ref: 00405E6C
Part of subcall function 00405D96: FindClose.KERNEL32(00000000), ref: 00405E77
Part of subcall function 00405D96: RemoveDirectoryW.KERNEL32(6$@), ref: 00405E82

Part of subcall function 00405D1C: PathSkipRootW.SHLWAPI(C$@), ref: 00405D3B
Part of subcall function 00405D1C: GetFileAttributesW.KERNEL32(C$@), ref: 00405D63
Part of subcall function 00405D1C: NlsGetCacheUpdateCount.KERNEL32(C$@,00000000), ref: 00405D71

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402C78, Relevance: 1.5, APIs: 1, Instructions: 15

APIs

Part of subcall function 00402775: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00402799
Part of subcall function 00402775: ConvertSidToStringSidW.ADVAPI32(00402508,?), ref: 004027CC
Part of subcall function 00402775: LocalFree.KERNEL32(?), ref: 004027FF
Part of subcall function 00402775: StrCpyNW.SHLWAPI(?,00AC2AF0,00AC2AF7), ref: 0040283C
Part of subcall function 00402775: GetFileAttributesW.KERNEL32(?), ref: 0040284F
Part of subcall function 00402775: SetFileAttributesW.KERNEL32(?,00000000), ref: 00402862
Part of subcall function 00402775: GetFileAttributesW.KERNEL32 ref: 0040286A
Part of subcall function 00402775: SetFileAttributesW.KERNEL32(00000000), ref: 00402876

Part of subcall function 00405D96: FindFirstFileW.KERNEL32(?,?), ref: 00405DF0
Part of subcall function 00405D96: FindNextFileW.KERNEL32(00000000,?), ref: 00405E6C
Part of subcall function 00405D96: FindClose.KERNEL32(00000000), ref: 00405E77
Part of subcall function 00405D96: RemoveDirectoryW.KERNEL32(6$@), ref: 00405E82

Part of subcall function 00402881: ConvertSidToStringSidW.ADVAPI32(00402C96,?), ref: 004028AE
Part of subcall function 00402881: lstrlenW.KERNEL32(?), ref: 004028CE
Part of subcall function 00402881: CharUpperBuffW.USER32(?,00000000), ref: 004028D9
Part of subcall function 00402881: CharLowerBuffW.USER32(?,00000026), ref: 004028E5
Part of subcall function 00402881: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,000F013F,00000000,00402508,00000000), ref: 00402945
Part of subcall function 00402881: RegCreateKeyW.ADVAPI32(00402508,00000000,?), ref: 0040296D
Part of subcall function 00402881: RegCloseKey.ADVAPI32(?), ref: 00402980
Part of subcall function 00402881: RegCloseKey.ADVAPI32(00402508), ref: 00402985
Part of subcall function 00402881: LocalFree.KERNEL32(?), ref: 0040298A

SHDeleteKeyW.SHLWAPI(80000001,00000000), ref: 00402C9C

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00403E36, Relevance: 1.5, APIs: 1, Instructions: 8

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00403E40

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00402DD5, Relevance: 1.5, APIs: 1, Instructions: 7

APIs

StrFromTimeIntervalA.SHLWAPI(00000064,00000064,004035C4,0000000A), ref: 00402DE1

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004039BB, Relevance: 1.5, APIs: 1, Instructions: 7

APIs

CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 004039C0

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040B053, Relevance: 1.3, APIs: 1, Instructions: 93

APIs

HeapAlloc.KERNEL32(00000008,?,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214,?,004054DD), ref: 0040B111

Part of subcall function 00407D9E: EnterCriticalSection.KERNEL32(?,?,?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001), ref: 00407DC8

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040A905, Relevance: 1.3, APIs: 1, Instructions: 84

APIs

memset.NTDLL(00000000,00000000), ref: 0040A9E3

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D01B1, Relevance: 1.3, Strings: 1, Instructions: 82

Strings

d, xrefs: 003D01C3

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040ADCA, Relevance: 1.3, APIs: 1, Instructions: 65

APIs

Part of subcall function 0040AD05: memset.NTDLL(00000010,00000000), ref: 0040AD5F

memcpy.NTDLL(?,00000008,-00000007), ref: 0040AE55

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040885A, Relevance: 1.3, APIs: 1, Instructions: 59

APIs

Part of subcall function 004073F6: IsBadWritePtr.KERNEL32(00000000,00000004), ref: 00407410

lstrlenA.KERNEL32(623637BD,0000000C,00000000,00000000,?,004056C4,?,00000000), ref: 00408877

Part of subcall function 004086D8: lstrlenA.KERNEL32(0000000C,?,00408893,000004E3,623637BD,00000000,?,004056C4,?,00000000), ref: 004086E2
Part of subcall function 004086D8: MultiByteToWideChar.KERNEL32(623637BD,00000000,0000000C,00000000,00000000,00411B80), ref: 004086F5

Part of subcall function 00408800: lstrlenA.KERNEL32(00000000,00000000,00000000,?,004088B9,623637BD,00000000,00000000,0000000C,623637BD), ref: 00408820

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D02DB, Relevance: 1.3, Strings: 1, Instructions: 53

Strings

s, xrefs: 003D02E3

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404AA6, Relevance: 1.3, APIs: 1, Instructions: 45

APIs

lstrlenA.KERNEL32(00000000,?,?,00000000,?,?,?,00404E13,00000000,00000000,00000000), ref: 00404AD9

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00408933, Relevance: 1.3, APIs: 1, Instructions: 30

APIs

Part of subcall function 0040B053: HeapAlloc.KERNEL32(00000008,?,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214,?,004054DD), ref: 0040B111

Sleep.KERNEL32(00000000), ref: 0040895B

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407FD2, Relevance: 1.3, APIs: 1, Instructions: 23

APIs

Sleep.KERNEL32(00000096), ref: 00407FDE

Part of subcall function 00408B2D: GetLastError.KERNEL32(00412928,0000000C,00405636,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B3B
Part of subcall function 00408B2D: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B70
Part of subcall function 00408B2D: GetCurrentThreadId.KERNEL32 ref: 00408B76
Part of subcall function 00408B2D: SetLastError.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B8F

Part of subcall function 0040B123: VirtualProtect.KERNEL32(?,00000005,00000040,?), ref: 0040B14C
Part of subcall function 0040B123: VirtualProtect.KERNEL32(?,00000005,?,?), ref: 0040B179
Part of subcall function 0040B123: GetCurrentProcess.KERNEL32 ref: 0040B17F
Part of subcall function 0040B123: FlushInstructionCache.KERNEL32 ref: 0040B186

Part of subcall function 00408B9B: GetLastError.KERNEL32(00412908,0000000C,004056DE,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BA9
Part of subcall function 00408B9B: GetCurrentThreadId.KERNEL32 ref: 00408BCF
Part of subcall function 00408B9B: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BE2
Part of subcall function 00408B9B: SetLastError.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BF8

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00408BEE, Relevance: 1.3, APIs: 1, Instructions: 6

APIs

SetLastError.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408BF8

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0084, Relevance: .1, Instructions: 119

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D00A0, Relevance: .1, Instructions: 118

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D006F, Relevance: .1, Instructions: 116

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0081, Relevance: .1, Instructions: 114

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D009B, Relevance: .1, Instructions: 113

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D00B3, Relevance: .1, Instructions: 112

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D00D5, Relevance: .1, Instructions: 112

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D010B, Relevance: .1, Instructions: 109

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D00C7, Relevance: .1, Instructions: 109

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D00EE, Relevance: .1, Instructions: 106

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D00FE, Relevance: .1, Instructions: 105

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D012A, Relevance: .1, Instructions: 105

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0156, Relevance: .1, Instructions: 97

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D014D, Relevance: .1, Instructions: 96

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0193, Relevance: .1, Instructions: 75

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0211, Relevance: .1, Instructions: 74

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D01F7, Relevance: .1, Instructions: 73

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D01E5, Relevance: .1, Instructions: 72

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D023E, Relevance: .1, Instructions: 71

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D01D5, Relevance: .1, Instructions: 71

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0226, Relevance: .1, Instructions: 70

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0266, Relevance: .1, Instructions: 70

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0291, Relevance: .1, Instructions: 58

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D02C1, Relevance: .1, Instructions: 55

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D02AC, Relevance: .1, Instructions: 55

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D02B7, Relevance: .1, Instructions: 54

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D02F6, Relevance: .0, Instructions: 50

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D030B, Relevance: .0, Instructions: 45

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0330, Relevance: .0, Instructions: 42

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D033C, Relevance: .0, Instructions: 42

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D0357, Relevance: .0, Instructions: 38

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D03F0, Relevance: .0, Instructions: 15

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D03F7, Relevance: .0, Instructions: 14

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003D03FE, Relevance: .0, Instructions: 11

Memory Dump Source

Source File: 00000000.00000002.58311471455769.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Non-executed Functions

Function 00409153, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 128

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 0040917B
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00409197

Part of subcall function 00406429: TlsGetValue.KERNEL32(00000000,?,004064A2), ref: 0040643B
Part of subcall function 00406429: TlsGetValue.KERNEL32(FFFFFFFF,?,004064A2), ref: 00406452
Part of subcall function 00406429: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406468
Part of subcall function 00406429: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406483
Part of subcall function 00406429: RtlEncodePointer.NTDLL(00000000,?,004064A2,00000000,00409163,004407B0,00000000,00000314,?,0040702F,004407B0,Microsoft Visual C++ Runtime Library,00012010), ref: 00406490

GetProcAddress.KERNEL32(00000000,00000000), ref: 004091B4
GetProcAddress.KERNEL32(00000000,00000000), ref: 004091C9
GetProcAddress.KERNEL32(00000000,00000000), ref: 004091DE
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004091F6

Part of subcall function 004064A4: TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
Part of subcall function 004064A4: TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
Part of subcall function 004064A4: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
Part of subcall function 004064A4: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE
Part of subcall function 004064A4: RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

Strings

GetLastActivePopup, xrefs: 004091BC
GetProcessWindowStation, xrefs: 004091F0
GetUserObjectInformationA, xrefs: 004091D1
USER32.DLL, xrefs: 00409176
MessageBoxA, xrefs: 00409191
GetActiveWindow, xrefs: 004091A7

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406925, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 137

APIs

Part of subcall function 0040737C: IsBadStringPtrW.KERNEL32(?,00000104,?,004057D3,?,00401451,?), ref: 00407393

Part of subcall function 0040732E: IsBadReadPtr.KERNEL32(0000000C,0000000C), ref: 00407345

Part of subcall function 00407311: IsBadCodePtr.KERNEL32(?), ref: 0040731E

Part of subcall function 004068D4: PathCombineW.SHLWAPI(?,?,004124CC), ref: 004068F3

memset.NTDLL(?,00000000), ref: 004069A5
FindFirstFileW.KERNEL32(?,?), ref: 004069C5

Part of subcall function 00406925: PathMatchSpecW.SHLWAPI(?,00000005), ref: 00406A22
Part of subcall function 00406925: Sleep.KERNEL32(00000000), ref: 00406A54
Part of subcall function 00406925: Sleep.KERNEL32(00000000), ref: 00406A88

FindNextFileW.KERNEL32(00000001,?), ref: 00406AB6
FindClose.KERNEL32(00000001), ref: 00406AD0

Strings

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate, xrefs: 004069DB

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040A044, Relevance: 7.6, APIs: 5, Instructions: 69

APIs

CoInitialize.OLE32(00000000), ref: 0040A056
FindFirstFileW.KERNEL32(?,?), ref: 0040A093

Part of subcall function 00409F84: CoCreateInstance.OLE32(00411550,00000000,00000001,00411540,?), ref: 00409FAF
Part of subcall function 00409F84: lstrcmpiW.KERNEL32(0040685F,?), ref: 0040A00E

FindNextFileW.KERNEL32(00000000,?), ref: 0040A0E4

Part of subcall function 00405760: SetFileAttributesW.KERNEL32(?,00000080), ref: 00405784
Part of subcall function 00405760: GetLastError.KERNEL32(?,?,00405E62,?,?,?,?,?,?,6$@,?,?,?,?,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 00405794
Part of subcall function 00405760: Sleep.KERNEL32(0000000A), ref: 004057A6

FindClose.KERNEL32(00000000), ref: 0040A102
CoUninitialize.OLE32 ref: 0040A108

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00408A2E, Relevance: 7.6, APIs: 5, Instructions: 67

APIs

IsDebuggerPresent.KERNEL32 ref: 00408B0A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00408B14
UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00408B21
GetCurrentProcess.KERNEL32 ref: 00408B3C
TerminateProcess.KERNEL32(00000000), ref: 00408B43

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(00419104), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406218, Relevance: 7.6, APIs: 5, Instructions: 58

APIs

IsDebuggerPresent.KERNEL32 ref: 00406A81
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
UnhandledExceptionFilter.KERNEL32(00419104), ref: 00406AA1
GetCurrentProcess.KERNEL32 ref: 00406ABD
TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00404F33, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000004), ref: 00404F4E
VirtualProtect.KERNEL32(00000000,00000008,00000104,?), ref: 00404F71
ZwOpenProcess.NTDLL(?,00000001,00000018,00000000,?,004050A1,?,?,?,?,00000000), ref: 00404F9B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404FCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00404FDE

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004083CB, Relevance: 4.5, APIs: 3, Instructions: 38

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004083F4
CheckTokenMembership.ADVAPI32(00000000,?,00408454), ref: 00408409
FreeSid.ADVAPI32(?), ref: 00408419

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00405B40, Relevance: 4.0, Strings: 3, Instructions: 210

Strings

1, xrefs: 00405CEA
[, xrefs: 00405E3E
Cjkimkwvvun ljjnrwbujaqn gwvnlo jvrqokq nocqv gpisnohoow yisctc.(r), xrefs: 00405F1F

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040B38C, Relevance: 3.1, APIs: 2, Instructions: 62

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040B488
UnhandledExceptionFilter.KERNEL32(?), ref: 0040B495

Part of subcall function 00406EC0: GetModuleFileNameA.KERNEL32(00000000,004407C9,00000104), ref: 00406F63
Part of subcall function 00406EC0: GetStdHandle.KERNEL32(000000F4), ref: 00407036
Part of subcall function 00406EC0: WriteFile.KERNEL32(00000000,00000000,00000000,004054DD,00000000), ref: 00407060

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D045B9, Relevance: 1.7, APIs: 1, Instructions: 195

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?), ref: 01D0466A

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040EB29, Relevance: 1.7, APIs: 1, Instructions: 195

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?), ref: 0040EBDA

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004050D0, Relevance: 1.5, APIs: 1, Instructions: 31

APIs

ZwQuerySystemInformation.NTDLL(00000005,00000000,00008000,00000000,?,?,0040512D,?,004023E2,?), ref: 004050EA

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040E61F, Relevance: 1.5, APIs: 1, Instructions: 28

APIs

GetProcessHeaps.KERNEL32(000000FF,?,00000000), ref: 0040E637

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040BD88, Relevance: 1.5, APIs: 1, Instructions: 27

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 0040BDAC

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(00419104), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 003E0408, Relevance: 1.4, Strings: 1, Instructions: 145

Strings

.dll, xrefs: 003E055F

Memory Dump Source

Source File: 00000000.00000002.58311474329395.003E0000.00000040.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406791, Relevance: .0, Instructions: 36

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004015AC, Relevance: .0, Instructions: 28

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D01651, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89

APIs

GetCurrentProcess.KERNEL32 ref: 01D01670
OpenProcessToken.ADVAPI32(00000000), ref: 01D01677
memset.NTDLL(?,00000000), ref: 01D0169C
GetVersionExW.KERNEL32(00000114), ref: 01D016AB
GetTokenInformation.ADVAPI32(?,00000012,?,00000004,?), ref: 01D016D7
GetTokenInformation.ADVAPI32(?,00000013,01D01062,00000004,?), ref: 01D016F2
DuplicateToken.ADVAPI32(?,00000001,01D01062), ref: 01D01706
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 01D01722
CheckTokenMembership.ADVAPI32(01D01062,?,?), ref: 01D01737

Part of subcall function 01D01962: GetHandleInformation.KERNEL32(01D01095,00000000), ref: 01D01978
Part of subcall function 01D01962: CloseHandle.KERNEL32(01D01095), ref: 01D01989

Strings

D, xrefs: 01D0171B

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040AB50, Relevance: 16.8, APIs: 11, Instructions: 340

APIs

LCMapStringW.KERNEL32(00000000,00000100,0041A19C,00000001,00000000,00000000), ref: 0040AB82
GetLastError.KERNEL32 ref: 0040AB94
MultiByteToWideChar.KERNEL32(00000100,00000000,?,?,00000000,00000000), ref: 0040AC20
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0040AC8C
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0040ACA8
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 0040ACE2
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 0040AD46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0040AD69

Part of subcall function 0040BD88: GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 0040BDAC

LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040ADF9

Part of subcall function 0040AF89: HeapAlloc.KERNEL32(00000000,004054CE,00000001,00000000,00000000,?,004088FF,004054DD,00000001,004054DD,?,00407D28,00000018,0041A308,0000000C,00407DB9), ref: 0040B000

LCMapStringA.KERNEL32(?,?,?,?,00000000,?), ref: 0040AE6B
LCMapStringA.KERNEL32(?,?,?,?,00000000,?), ref: 0040AEB8

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(00419104), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Part of subcall function 0040BDD1: GetCPInfo.KERNEL32(?,?), ref: 0040BE1C
Part of subcall function 0040BDD1: GetCPInfo.KERNEL32(?,00000001), ref: 0040BE35
Part of subcall function 0040BDD1: MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,00000000,00000000), ref: 0040BE93
Part of subcall function 0040BDD1: MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,?,00000000), ref: 0040BEE2
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 0040BEFD
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF23
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF48

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00403EE5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66

APIs

CoInitializeEx.OLE32(00000000,00000006), ref: 00403EF3
GetCurrentProcessId.KERNEL32 ref: 00403F11
memset.NTDLL(?,00000000), ref: 00403F30
GetForegroundWindow.USER32 ref: 00403F82
ShellExecuteExW.SHELL32(0000003C), ref: 00403F8F
Sleep.KERNEL32(00000001), ref: 00403FA1
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403FAE

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

CoUninitialize.OLE32 ref: 00403FBC

Strings

<, xrefs: 00403F46

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D010D2, Relevance: 15.2, APIs: 10, Instructions: 180

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 01D010ED
PathFindFileNameW.SHLWAPI(?), ref: 01D0110C

Part of subcall function 01D018F3: lstrlenW.KERNEL32(?), ref: 01D01911
Part of subcall function 01D018F3: lstrcatW.KERNEL32(?,?), ref: 01D0193A

Part of subcall function 01D020DE: VerQueryValueW.VERSION(00000000,?,?,?), ref: 01D02294

#2.OLEAUT32(00000000,?,?,?,?,?,00000000,00000000), ref: 01D0115E
#6.OLEAUT32(?,?,?,?,?,?,00000000,00000000), ref: 01D01172
#2.OLEAUT32(00000000,?,?,?,?,?,00000000,00000000), ref: 01D01189
#6.OLEAUT32(?,?,?,?,?,?,00000000,00000000), ref: 01D0119D
#2.OLEAUT32(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01D01224
#6.OLEAUT32(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01D01237
#2.OLEAUT32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01D01269
#6.OLEAUT32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01D0127C

Part of subcall function 01D020DE: _chkstk.NTDLL(?,01D0306C,?,00000006,?,?,?,?,?,?,?,?,?), ref: 01D020E6
Part of subcall function 01D020DE: GetFileVersionInfoSizeW.VERSION(00000006,?,?,00000000,?,01D0306C,?,00000006), ref: 01D020F6
Part of subcall function 01D020DE: GetFileVersionInfoW.VERSION(00000006,00000000,00000000,00000000,?,?,00000000,?,01D0306C,?,00000006), ref: 01D0211E
Part of subcall function 01D020DE: VerQueryValueW.VERSION(00000000,00000000,?,00000006,?,?,?,?,?,?,?,?,?), ref: 01D0214E

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407597, Relevance: 13.6, APIs: 9, Instructions: 132

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004075B5
GetLastError.KERNEL32 ref: 004075C9
GetEnvironmentStringsW.KERNEL32 ref: 004075F0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0040762A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040764D

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00407663
GetEnvironmentStrings.KERNEL32 ref: 00407676

Part of subcall function 004088EE: Sleep.KERNEL32(00000000), ref: 0040890F

FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004076A8
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004076C1

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406EC0, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 161

APIs

GetModuleFileNameA.KERNEL32(00000000,004407C9,00000104), ref: 00406F63

Part of subcall function 00409153: LoadLibraryA.KERNEL32(USER32.DLL), ref: 0040917B
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00409197
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,00000000), ref: 004091B4
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,00000000), ref: 004091C9
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,00000000), ref: 004091DE
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004091F6

Part of subcall function 00408A2E: IsDebuggerPresent.KERNEL32 ref: 00408B0A
Part of subcall function 00408A2E: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00408B14
Part of subcall function 00408A2E: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00408B21
Part of subcall function 00408A2E: GetCurrentProcess.KERNEL32 ref: 00408B3C
Part of subcall function 00408A2E: TerminateProcess.KERNEL32(00000000), ref: 00408B43

GetStdHandle.KERNEL32(000000F4), ref: 00407036
WriteFile.KERNEL32(00000000,00000000,00000000,004054DD,00000000), ref: 00407060

Strings

..., xrefs: 00406FB2
Runtime Error!Program: , xrefs: 00406F25
<program name unknown>, xrefs: 00406F6D
Microsoft Visual C++ Runtime Library, xrefs: 00407024

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406590, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004065A2
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004065D6
GetProcAddress.KERNEL32(?,DecodePointer), ref: 004065E6

Part of subcall function 00407D9E: EnterCriticalSection.KERNEL32(?,?,?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001), ref: 00407DC8

InterlockedIncrement.KERNEL32(55891801,?,004054DD), ref: 00406615

Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(004054DD,00000001,004054DD), ref: 00407F2C
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(8BFFFFFE,?,0040664C), ref: 00407F39
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(A48589FF,?,0040664C), ref: 00407F46
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(FFFEA485,?,0040664C), ref: 00407F53
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(FDD48DB7,?,0040664C), ref: 00407F60
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(FDD48DB7,?,0040664C), ref: 00407F7C
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(000026CC,?,0040664C), ref: 00407F8C
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(B9FFFF4C,?,0040664C), ref: 00407FA2

Part of subcall function 00406B88: Sleep.KERNEL32(000003E8), ref: 00406B94
Part of subcall function 00406B88: GetModuleHandleW.KERNEL32(004054DD), ref: 00406B9D

Strings

EncodePointer, xrefs: 004065CA
DecodePointer, xrefs: 004065DE
KERNEL32.DLL, xrefs: 0040659C, 004065A1, 004065AC

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407FA9, Relevance: 12.1, APIs: 8, Instructions: 61

APIs

InterlockedDecrement.KERNEL32(00409541,00000000), ref: 00407FC3
InterlockedDecrement.KERNEL32(03E28302,?,0041EA08), ref: 00407FD0
InterlockedDecrement.KERNEL32(?), ref: 00407FDD
InterlockedDecrement.KERNEL32(?), ref: 00407FEA
InterlockedDecrement.KERNEL32(?), ref: 00407FF7
InterlockedDecrement.KERNEL32(?), ref: 00408013
InterlockedDecrement.KERNEL32(00000000), ref: 00408023
InterlockedDecrement.KERNEL32(?), ref: 00408039

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407F1A, Relevance: 12.1, APIs: 8, Instructions: 58

APIs

InterlockedIncrement.KERNEL32(004054DD,00000001,004054DD), ref: 00407F2C
InterlockedIncrement.KERNEL32(8BFFFFFE,?,0040664C), ref: 00407F39
InterlockedIncrement.KERNEL32(A48589FF,?,0040664C), ref: 00407F46
InterlockedIncrement.KERNEL32(FFFEA485,?,0040664C), ref: 00407F53
InterlockedIncrement.KERNEL32(FDD48DB7,?,0040664C), ref: 00407F60
InterlockedIncrement.KERNEL32(FDD48DB7,?,0040664C), ref: 00407F7C
InterlockedIncrement.KERNEL32(000026CC,?,0040664C), ref: 00407F8C
InterlockedIncrement.KERNEL32(B9FFFF4C,?,0040664C), ref: 00407FA2

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040BDD1, Relevance: 10.7, APIs: 7, Instructions: 175

APIs

GetCPInfo.KERNEL32(?,?), ref: 0040BE1C
GetCPInfo.KERNEL32(?,00000001), ref: 0040BE35
MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,00000000,00000000), ref: 0040BE93

Part of subcall function 0040AF89: HeapAlloc.KERNEL32(00000000,004054CE,00000001,00000000,00000000,?,004088FF,004054DD,00000001,004054DD,?,00407D28,00000018,0041A308,0000000C,00407DB9), ref: 0040B000

MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,?,00000000), ref: 0040BEE2
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 0040BEFD
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF23

Part of subcall function 00408933: Sleep.KERNEL32(00000000), ref: 0040895B

WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF48

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(00419104), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D012A9, Relevance: 10.6, APIs: 7, Instructions: 144

APIs

#2.OLEAUT32(?), ref: 01D0132D
PathFindFileNameW.SHLWAPI(?), ref: 01D01349
lstrcpyW.KERNEL32(?,00000000), ref: 01D01357
PathRemoveExtensionW.SHLWAPI(?), ref: 01D01364
#2.OLEAUT32(?), ref: 01D01371
#6.OLEAUT32(?), ref: 01D013E6
#6.OLEAUT32(?), ref: 01D013EF

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407422, Relevance: 10.6, APIs: 7, Instructions: 87

APIs

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

Part of subcall function 0040732E: IsBadReadPtr.KERNEL32(0000000C,0000000C), ref: 00407345

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0040745F
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 004074A9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000208), ref: 004074E1
PathUnquoteSpacesW.SHLWAPI(?), ref: 004074F2
ExpandEnvironmentStringsW.KERNEL32(?,00000208,00000104), ref: 00407507
RegCloseKey.ADVAPI32(?), ref: 0040751B
LocalFree.KERNEL32(?), ref: 00407524

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00403FC5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68

APIs

GetFullPathNameW.KERNEL32(00000000,?,00000000,00400000), ref: 00403FF6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040400E
GetCurrentProcess.KERNEL32 ref: 00404031
GetProcessMemoryInfo.PSAPI(00000000), ref: 00404038
WriteFile.KERNEL32(00000000,00000030,00000002,?,00000000), ref: 00404068

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Strings

1, xrefs: 00404058

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040A908, Relevance: 9.2, APIs: 6, Instructions: 166

APIs

GetStringTypeW.KERNEL32(00000001,0041A19C,00000001,?), ref: 0040A937
GetLastError.KERNEL32(?,0040AAF2,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A949
MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040A9AE

Part of subcall function 0040AF89: HeapAlloc.KERNEL32(00000000,004054CE,00000001,00000000,00000000,?,004088FF,004054DD,00000001,004054DD,?,00407D28,00000018,0041A308,0000000C,00407DB9), ref: 0040B000

MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000), ref: 0040AA18
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0040AA26

Part of subcall function 0040BD88: GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 0040BDAC

GetStringTypeA.KERNEL32(?,?,?,?,?), ref: 0040AA9B

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(00419104), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Part of subcall function 0040BDD1: GetCPInfo.KERNEL32(?,?), ref: 0040BE1C
Part of subcall function 0040BDD1: GetCPInfo.KERNEL32(?,00000001), ref: 0040BE35
Part of subcall function 0040BDD1: MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,00000000,00000000), ref: 0040BE93
Part of subcall function 0040BDD1: MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,?,00000000), ref: 0040BEE2
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 0040BEFD
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF23
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF48

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D014CC, Relevance: 9.2, APIs: 6, Instructions: 166

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 01D014D9
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 01D014F3
CoCreateInstance.OLE32(01D053D0,00000000,00000001,01D051C0,?), ref: 01D01515
#2.OLEAUT32(00000000), ref: 01D0158F
#6.OLEAUT32(00000000), ref: 01D01635

Part of subcall function 01D010D2: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 01D010ED
Part of subcall function 01D010D2: PathFindFileNameW.SHLWAPI(?), ref: 01D0110C
Part of subcall function 01D010D2: #2.OLEAUT32(00000000,?,?,?,?,?,00000000,00000000), ref: 01D0115E
Part of subcall function 01D010D2: #6.OLEAUT32(?,?,?,?,?,?,00000000,00000000), ref: 01D01172
Part of subcall function 01D010D2: #2.OLEAUT32(00000000,?,?,?,?,?,00000000,00000000), ref: 01D01189
Part of subcall function 01D010D2: #6.OLEAUT32(?,?,?,?,?,?,00000000,00000000), ref: 01D0119D
Part of subcall function 01D010D2: #2.OLEAUT32(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01D01224
Part of subcall function 01D010D2: #6.OLEAUT32(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01D01237
Part of subcall function 01D010D2: #2.OLEAUT32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01D01269
Part of subcall function 01D010D2: #6.OLEAUT32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01D0127C

Part of subcall function 01D01418: #2.OLEAUT32(00000000,01D01615,?,?), ref: 01D0148F
Part of subcall function 01D01418: #6.OLEAUT32(00000000), ref: 01D014A6

CoUninitialize.OLE32 ref: 01D01644

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040A1CC, Relevance: 9.1, APIs: 6, Instructions: 88

APIs

RegOpenKeyExW.ADVAPI32(80000003,0040A480,00000000,00020119,0040A480), ref: 0040A1ED
lstrcpyW.KERNEL32(3151ECF7,00000001), ref: 0040A224
RegEnumValueW.ADVAPI32(0040A480,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A258

Part of subcall function 0040A163: RegQueryValueExW.ADVAPI32(00000104,0040A273,00000000,00000000,00000000,?), ref: 0040A17E
Part of subcall function 0040A163: RegQueryValueExW.ADVAPI32(00000104,0040A273,00000000,00000000,00000000,?), ref: 0040A1A1
Part of subcall function 0040A163: PathUnquoteSpacesW.SHLWAPI(00000000), ref: 0040A1A8
Part of subcall function 0040A163: lstrcmpiW.KERNEL32(00000000,0040A480), ref: 0040A1B2

RegEnumValueW.ADVAPI32(0040A480,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040A299
lstrcpyW.KERNEL32(3151ECF7,?), ref: 0040A2B0
RegCloseKey.ADVAPI32(0040A480), ref: 0040A2BF

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407FD2, Relevance: 9.0, APIs: 6, Instructions: 44

APIs

InterlockedDecrement.KERNEL32(?), ref: 00407FDD
InterlockedDecrement.KERNEL32(?), ref: 00407FEA
InterlockedDecrement.KERNEL32(?), ref: 00407FF7
InterlockedDecrement.KERNEL32(?), ref: 00408013
InterlockedDecrement.KERNEL32(00000000), ref: 00408023
InterlockedDecrement.KERNEL32(?), ref: 00408039

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004076CE, Relevance: 7.7, APIs: 5, Instructions: 190

APIs

GetStartupInfoA.KERNEL32(?), ref: 004076E3

Part of subcall function 00408933: Sleep.KERNEL32(00000000), ref: 0040895B

GetFileType.KERNEL32(00000040), ref: 0040780D
GetStdHandle.KERNEL32(-000000F6), ref: 00407897
GetFileType.KERNEL32(00000000), ref: 004078A9

Part of subcall function 004090BC: InitializeCriticalSectionAndSpinCount.KERNEL32(004054DD,?), ref: 004090D2

SetHandleCount.KERNEL32 ref: 00407901

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D0385F, Relevance: 7.7, APIs: 5, Instructions: 152

APIs

Part of subcall function 01D02A11: IsBadReadPtr.KERNEL32(?,?), ref: 01D02A28

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 01D03898
memcpy.NTDLL(0000000C,?,00000040,?), ref: 01D0392E
CreateThread.KERNEL32 ref: 01D0395C
WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 01D03994

Part of subcall function 01D042A0: GetLastError.KERNEL32(77DA7305,00000000,01D03DB1,00000000,?,01D01095,?), ref: 01D042AB
Part of subcall function 01D042A0: HeapFree.KERNEL32(00000000,?,?,01D01095,?), ref: 01D042DC
Part of subcall function 01D042A0: SetLastError.KERNEL32(00000000,?,01D01095,?), ref: 01D042E3

Part of subcall function 01D01962: GetHandleInformation.KERNEL32(01D01095,00000000), ref: 01D01978
Part of subcall function 01D01962: CloseHandle.KERNEL32(01D01095), ref: 01D01989

WaitForMultipleObjects.KERNEL32(?,?,00000000,00000001), ref: 01D03A01

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040761D, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

SHGetFolderPathW.SHELL32(00000000,00000028,000000FF,00000001,?), ref: 00407651
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00407665
lstrlenW.KERNEL32(?), ref: 00407672
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00407689
lstrcpyW.KERNEL32(?,?), ref: 0040769E

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00407B8C, Relevance: 7.6, APIs: 5, Instructions: 53

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00407BC3
GetCurrentProcessId.KERNEL32 ref: 00407BCF
GetCurrentThreadId.KERNEL32 ref: 00407BD7
GetTickCount.KERNEL32 ref: 00407BDF
QueryPerformanceCounter.KERNEL32(?), ref: 00407BEB

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040614A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0040619E
RtlImageNtHeader.NTDLL(00000000), ref: 004061A7

Part of subcall function 00408261: GetCurrentThreadId.KERNEL32 ref: 00408295

Strings

", xrefs: 00406175
<5Ik, xrefs: 004061A7

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406553, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51

APIs

TlsFree.KERNEL32(FFFFFFFF), ref: 0040657E
DeleteCriticalSection.KERNEL32(00000000,00000000,KERNEL32.DLL,?,004069C1), ref: 00407C8A

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

DeleteCriticalSection.KERNEL32(FFFFFFFF,KERNEL32.DLL,?,004069C1), ref: 00407CB4

Part of subcall function 004064A4: TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
Part of subcall function 004064A4: TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
Part of subcall function 004064A4: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
Part of subcall function 004064A4: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE
Part of subcall function 004064A4: RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

Strings

KERNEL32.DLL, xrefs: 00407C76

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406677, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46

APIs

GetLastError.KERNEL32(?,Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.),004066F8,Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.),00406210,?,004054DD,00000000), ref: 0040667B

Part of subcall function 0040651F: TlsGetValue.KERNEL32(Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.),0040668E), ref: 00406528
Part of subcall function 0040651F: TlsSetValue.KERNEL32(00000000,004054DD), ref: 00406549

SetLastError.KERNEL32(00000000,?,004054DD,00000000), ref: 004066E5

Part of subcall function 00408933: Sleep.KERNEL32(00000000), ref: 0040895B

Part of subcall function 004064A4: TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
Part of subcall function 004064A4: TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
Part of subcall function 004064A4: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
Part of subcall function 004064A4: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE
Part of subcall function 004064A4: RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

GetCurrentThreadId.KERNEL32 ref: 004066CD

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Part of subcall function 00406590: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004065A2
Part of subcall function 00406590: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004065D6
Part of subcall function 00406590: GetProcAddress.KERNEL32(?,DecodePointer), ref: 004065E6
Part of subcall function 00406590: InterlockedIncrement.KERNEL32(55891801,?,004054DD), ref: 00406615

Strings

Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.), xrefs: 00406679

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00403A50, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34

APIs

StrToIntExA.SHLWAPI(?,00000001,00000000), ref: 00403A9F

Strings

%02x, xrefs: 00403A71
0x, xrefs: 00403A99
^;@, xrefs: 00403A69, 00403A6D

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00406BE1, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleW.KERNEL32(mscoree.dll), ref: 00406BEB
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00406BFB

Strings

CorExitProcess, xrefs: 00406BF5
mscoree.dll, xrefs: 00406BE6

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040B171, Relevance: 6.4, APIs: 5, Instructions: 181

APIs

GetLastError.KERNEL32(?,00408C4D,00000000,00000010,?,?,?,00408CD9,?,0041A3C8,0000000C,00408D05,?,?,00406CC2,00407948), ref: 0040B379

Part of subcall function 00407D9E: EnterCriticalSection.KERNEL32(?,?,?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001), ref: 00407DC8

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

HeapAlloc.KERNEL32(00000000,?,0041A488,00000010,00408993,?,?,00000000,00000000,?,00408C4D,00000000,00000010), ref: 0040B24E

Part of subcall function 00409935: VirtualFree.KERNEL32(?,00008000,00004000), ref: 00409B7E
Part of subcall function 00409935: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00409BD9
Part of subcall function 00409935: HeapFree.KERNEL32(00000000,?), ref: 00409BEB

HeapReAlloc.KERNEL32(00000000,?,?,0041A488,00000010,00408993,?,?,00000000,00000000,?,00408C4D,00000000,00000010), ref: 0040B2A5
GetLastError.KERNEL32(?,00408C4D,00000000,00000010,?,?,?,00408CD9,?,0041A3C8,0000000C,00408D05,?,?,00406CC2,00407948), ref: 0040B2EC
HeapReAlloc.KERNEL32(00000000,?,?,0041A488,00000010,00408993,?,?,00000000,00000000,?,00408C4D,00000000,00000010), ref: 0040B326

Part of subcall function 0040AF89: HeapAlloc.KERNEL32(00000000,004054CE,00000001,00000000,00000000,?,004088FF,004054DD,00000001,004054DD,?,00407D28,00000018,0041A308,0000000C,00407DB9), ref: 0040B000

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00408EEE, Relevance: 6.3, APIs: 4, Instructions: 312

APIs

isspace.NTDLL ref: 00408F0B
isspace.NTDLL ref: 00408F77
isspace.NTDLL ref: 00408FC7

Part of subcall function 00408800: lstrlenA.KERNEL32(00000000,00000000,00000000,?,004088B9,623637BD,00000000,00000000,0000000C,623637BD), ref: 00408820

_allmul.NTDLL ref: 004090F3

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040DE3F, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 142

APIs

Part of subcall function 0040D837: StrSpnA.SHLWAPI()H@,?), ref: 0040D83F

StrCmpNIA.SHLWAPI(00000000,00000000,00000004), ref: 0040DE95
StrCmpNIA.SHLWAPI(00000000,00000000,00000005), ref: 0040DED1
StrCmpNIA.SHLWAPI(00000000,00000000,00000004), ref: 0040DF0A

Strings

)H@, xrefs: 0040DE62

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004086A8, Relevance: 6.1, APIs: 4, Instructions: 116

APIs

Part of subcall function 0040831C: InterlockedDecrement.KERNEL32(?,0041A348,0000000C), ref: 00408375
Part of subcall function 0040831C: InterlockedIncrement.KERNEL32(0041EAF0,0041A348,0000000C), ref: 004083A0

Part of subcall function 00408447: GetOEMCP.KERNEL32 ref: 00408470
Part of subcall function 00408447: GetACP.KERNEL32 ref: 00408493

Part of subcall function 004088EE: Sleep.KERNEL32(00000000), ref: 0040890F

Part of subcall function 004084C3: IsValidCodePage.KERNEL32(-00000030), ref: 00408536
Part of subcall function 004084C3: GetCPInfo.KERNEL32(00000000,?), ref: 00408549

InterlockedDecrement.KERNEL32(?), ref: 0040871E
InterlockedIncrement.KERNEL32(00000000), ref: 00408743

Part of subcall function 00407D9E: EnterCriticalSection.KERNEL32(?,?,?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001), ref: 00407DC8

InterlockedDecrement.KERNEL32 ref: 004087D5
InterlockedIncrement.KERNEL32(00000000), ref: 004087F9

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040752F, Relevance: 6.1, APIs: 4, Instructions: 75

APIs

NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,00407619,?,?), ref: 0040755C
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0040758C
NetApiBufferFree.NETAPI32(?), ref: 004075BF
NetApiBufferFree.NETAPI32(?), ref: 004075D3

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040A3A6, Relevance: 6.1, APIs: 4, Instructions: 74

APIs

Part of subcall function 0040A1CC: RegOpenKeyExW.ADVAPI32(80000003,0040A480,00000000,00020119,0040A480), ref: 0040A1ED
Part of subcall function 0040A1CC: lstrcpyW.KERNEL32(3151ECF7,00000001), ref: 0040A224
Part of subcall function 0040A1CC: RegEnumValueW.ADVAPI32(0040A480,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A258
Part of subcall function 0040A1CC: RegEnumValueW.ADVAPI32(0040A480,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040A299
Part of subcall function 0040A1CC: lstrcpyW.KERNEL32(3151ECF7,?), ref: 0040A2B0
Part of subcall function 0040A1CC: RegCloseKey.ADVAPI32(0040A480), ref: 0040A2BF

RegCreateKeyExW.ADVAPI32(80000003,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 0040A422
RegDeleteValueW.ADVAPI32(?,?), ref: 0040A438
RegFlushKey.ADVAPI32(?), ref: 0040A449
RegCloseKey.ADVAPI32(?), ref: 0040A453

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 0040A163, Relevance: 6.1, APIs: 4, Instructions: 51

APIs

RegQueryValueExW.ADVAPI32(00000104,0040A273,00000000,00000000,00000000,?), ref: 0040A17E
RegQueryValueExW.ADVAPI32(00000104,0040A273,00000000,00000000,00000000,?), ref: 0040A1A1
PathUnquoteSpacesW.SHLWAPI(00000000), ref: 0040A1A8
lstrcmpiW.KERNEL32(00000000,0040A480), ref: 0040A1B2

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D037CE, Relevance: 6.0, APIs: 4, Instructions: 50

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 01D037EB
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000001), ref: 01D03809
WaitForSingleObject.KERNEL32(?,00000000), ref: 01D0382F
SetEvent.KERNEL32(?), ref: 01D03846

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 004070DF, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

EnterCriticalSection.KERNEL32(00000014,00000000,00402BD6,?,?,?,?,?,00000000,?,?,?,00000000,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 004070EF
FlushFileBuffers.KERNEL32(?), ref: 00407104

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Part of subcall function 0040E81E: GetLastError.KERNEL32(00000000,00000000,00406F7B,?,00000000,?,00000000,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 0040E829
Part of subcall function 0040E81E: memset.NTDLL(?,00000000), ref: 0040E846
Part of subcall function 0040E81E: SetLastError.KERNEL32(00000000), ref: 0040E855

DeleteCriticalSection.KERNEL32(00000014,?,?,?,?,?,00000000,?,?,?,00000000,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 0040714B

Part of subcall function 0040E7D2: GetLastError.KERNEL32(00000000,00000000,004088D7,00000000,?,?,?,0000000C,623637BD), ref: 0040E7DD
Part of subcall function 0040E7D2: HeapFree.KERNEL32(00000000,?,?,?,?,0000000C,623637BD), ref: 0040E80E
Part of subcall function 0040E7D2: SetLastError.KERNEL32(00000000,?,?,?,0000000C,623637BD), ref: 0040E815

LeaveCriticalSection.KERNEL32(00000014,?,?,?,?,?,00000000,?,?,?,00000000,?,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Windows\IEUpdate), ref: 00407144

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D017AE, Relevance: 6.0, APIs: 4, Instructions: 43

APIs

memset.NTDLL(?,00000000), ref: 01D017C7
GetCurrentProcess.KERNEL32 ref: 01D017E8
OpenProcessToken.ADVAPI32(00000000), ref: 01D017EF
GetTokenInformation.ADVAPI32(01D0106B,00000014,?,00000004,?), ref: 01D01808

Part of subcall function 01D01962: GetHandleInformation.KERNEL32(01D01095,00000000), ref: 01D01978
Part of subcall function 01D01962: CloseHandle.KERNEL32(01D01095), ref: 01D01989

Part of subcall function 01D01754: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01D0177D
Part of subcall function 01D01754: CheckTokenMembership.ADVAPI32(00000000,?,01D017DD), ref: 01D01792
Part of subcall function 01D01754: FreeSid.ADVAPI32(?), ref: 01D017A2

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00408425, Relevance: 6.0, APIs: 4, Instructions: 43

APIs

memset.NTDLL(?,00000000), ref: 0040843E
GetCurrentProcess.KERNEL32 ref: 0040845F
OpenProcessToken.ADVAPI32(00000000), ref: 00408466
GetTokenInformation.ADVAPI32(004054CE,00000014,?,00000004,?), ref: 0040847F

Part of subcall function 00404E5F: GetHandleInformation.KERNEL32(?,00000000), ref: 00404E75
Part of subcall function 00404E5F: CloseHandle.KERNEL32(?), ref: 00404E86

Part of subcall function 004083CB: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004083F4
Part of subcall function 004083CB: CheckTokenMembership.ADVAPI32(00000000,?,00408454), ref: 00408409
Part of subcall function 004083CB: FreeSid.ADVAPI32(?), ref: 00408419

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D02BFE, Relevance: 6.0, APIs: 4, Instructions: 35

APIs

GetLastError.KERNEL32(01D05800,00000010,01D01F8D,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02C11

Part of subcall function 01D02A38: IsBadWritePtr.KERNEL32(00000004,00000004), ref: 01D02A4F

SetLastError.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02C62

Part of subcall function 01D02BEC: GetCurrentProcessId.KERNEL32 ref: 01D02BEC

InitializeCriticalSection.KERNEL32(?), ref: 01D02C3A
GetCurrentProcessId.KERNEL32 ref: 01D02C40

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00408ABA, Relevance: 6.0, APIs: 4, Instructions: 35

APIs

GetLastError.KERNEL32(00412918,00000010,004055EE,?,00405620,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408ACD

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

SetLastError.KERNEL32(?,?,00405620,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B1E

Part of subcall function 00408AA8: GetCurrentProcessId.KERNEL32 ref: 00408AA8

InitializeCriticalSection.KERNEL32(?), ref: 00408AF6
GetCurrentProcessId.KERNEL32 ref: 00408AFC

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D02C71, Relevance: 6.0, APIs: 4, Instructions: 34

APIs

GetLastError.KERNEL32(01D05810,0000000C,01D01FD8,?,00000000,00000000,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02C7F

Part of subcall function 01D02A38: IsBadWritePtr.KERNEL32(00000004,00000004), ref: 01D02A4F

SetLastError.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02CD3

Part of subcall function 01D02BEC: GetCurrentProcessId.KERNEL32 ref: 01D02BEC

EnterCriticalSection.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02CB4
GetCurrentThreadId.KERNEL32 ref: 01D02CBA

Part of subcall function 01D02BFE: GetLastError.KERNEL32(01D05800,00000010,01D01F8D,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02C11
Part of subcall function 01D02BFE: InitializeCriticalSection.KERNEL32(?), ref: 01D02C3A
Part of subcall function 01D02BFE: GetCurrentProcessId.KERNEL32 ref: 01D02C40
Part of subcall function 01D02BFE: SetLastError.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02C62

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00408B2D, Relevance: 6.0, APIs: 4, Instructions: 34

APIs

GetLastError.KERNEL32(00412928,0000000C,00405636,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B3B

Part of subcall function 00407355: IsBadWritePtr.KERNEL32(0000000C,0000000C), ref: 0040736C

SetLastError.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B8F

Part of subcall function 00408AA8: GetCurrentProcessId.KERNEL32 ref: 00408AA8

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B70
GetCurrentThreadId.KERNEL32 ref: 00408B76

Part of subcall function 00408ABA: GetLastError.KERNEL32(00412918,00000010,004055EE,?,00405620,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408ACD
Part of subcall function 00408ABA: InitializeCriticalSection.KERNEL32(?), ref: 00408AF6
Part of subcall function 00408ABA: GetCurrentProcessId.KERNEL32 ref: 00408AFC
Part of subcall function 00408ABA: SetLastError.KERNEL32(?,?,00405620,?,?,?,?,?,00401434,00411B80,0000000C,623637BD), ref: 00408B1E

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D02CDF, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

GetLastError.KERNEL32(01D057F0,0000000C,01D02072,?,00000000,00000000,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02CED

Part of subcall function 01D02A38: IsBadWritePtr.KERNEL32(00000004,00000004), ref: 01D02A4F

SetLastError.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02D3C

Part of subcall function 01D02BEC: GetCurrentProcessId.KERNEL32 ref: 01D02BEC

GetCurrentThreadId.KERNEL32 ref: 01D02D13
LeaveCriticalSection.KERNEL32(?,?,?,01D03A6A,01D056E8,0000003B), ref: 01D02D26

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00409252, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103

APIs

isspace.NTDLL ref: 00409293
isspace.NTDLL ref: 004092A4

Part of subcall function 00408EEE: isspace.NTDLL ref: 00408F0B
Part of subcall function 00408EEE: isspace.NTDLL ref: 00408F77
Part of subcall function 00408EEE: isspace.NTDLL ref: 00408FC7
Part of subcall function 00408EEE: _allmul.NTDLL ref: 004090F3

Strings

@, xrefs: 004092CE

Memory Dump Source

Source File: 00000000.00000002.58311477669046.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00401240, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81

APIs

CloseFigure.GDI32(00000058), ref: 00401365

Strings

A, xrefs: 004012C2
3, xrefs: 0040134F

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 01D04206, Relevance: 5.1, APIs: 4, Instructions: 60

APIs

GetLastError.KERNEL32(00000000,?,01D01890,?,?,00000000,01D015DA,?,01D0192B,?,?,01D05830,00000010,01D01122,?,00000000), ref: 01D0420A

Part of subcall function 01D0407D: GetCurrentProcessId.KERNEL32 ref: 01D0407D

HeapAlloc.KERNEL32(00000008,00000011,?,00000000,00000000,?,01D01890,?,?,00000000,01D015DA,?,01D0192B,?,?,01D05830), ref: 01D04275

Part of subcall function 01D0408F: HeapValidate.KERNEL32(00000000,01D0108D,01D057B0), ref: 01D040B2

HeapReAlloc.KERNEL32(00000008,-00000008,00000011,?,00000000,00000000,?,01D01890,?,?,00000000,01D015DA,?,01D0192B,?,?), ref: 01D04261
SetLastError.KERNEL32(00000000,00000000,?,01D01890,?,?,00000000,01D015DA,?,01D0192B,?,?,01D05830,00000010,01D01122,?), ref: 01D04295

Part of subcall function 01D04136: HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 01D04159
Part of subcall function 01D04136: HeapSetInformation.KERNEL32(00000000,00000000,01D041A6,00000004), ref: 01D04178
Part of subcall function 01D04136: GetCurrentProcessId.KERNEL32 ref: 01D0417E

Memory Dump Source

Source File: 00000000.00000002.58311694098203.01D00000.00000040.sdmp, Offset: 01D00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d00000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Function 00409C4B, Relevance: 5.1, APIs: 4, Instructions: 53

APIs

HeapReAlloc.KERNEL32(00000000,-00000010,7C9200C4,00000000,0040A1AB,7C9200C4,004054DD,00000000,00000001,00000214,?,004054DD), ref: 00409C72
HeapAlloc.KERNEL32(00000008,000041C4,7C9200C4,00000000,0040A1AB,7C9200C4,004054DD,00000000,00000001,00000214,?,004054DD), ref: 00409CA8
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00409CC2
HeapFree.KERNEL32(00000000,?,?,004054DD), ref: 00409CD9

Memory Dump Source

Source File: 00000000.00000001.58275373481171.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.58275370419336.00400000.00000002.sdmp
Associated: 00000000.00000001.58275382512886.0040D000.00000002.sdmp
Associated: 00000000.00000001.58275386868377.0041C000.00000008.sdmp
Associated: 00000000.00000001.58275390025013.00420000.00000004.sdmp
Associated: 00000000.00000001.58275398622672.00441000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027.jbxd

Analysis Process: shadow.exe PID: 3976 Parent PID: 2260

Execution Graph

Execution Coverage:	28.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.5%
Total number of Nodes:	1182
Total number of Limit Nodes:	6

Executed Functions

Function 00406B7A, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006B38), ref: 00406B7F

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00401D10, Relevance: 153.5, APIs: 31, Strings: 55, Instructions: 3021

APIs

CancelWaitableTimer.KERNEL32(00000062), ref: 00402452
KiUserApcDispatcher.NTDLL(00000048), ref: 00402556
GetKeyboardType.USER32(0000001A), ref: 00402794
GetNextDlgTabItem.USER32(00000024,0000002E,0000001C), ref: 00402FD1
TextOutA.GDI32(00000045,00000023,0000000D,0000002D,00000049), ref: 0040313D
GetNumaAvailableMemoryNode.KERNEL32(00000041,00000064), ref: 0040321C
GetArcDirection.GDI32(00000047), ref: 004032B8
GetProcessHandleCount.KERNEL32(0000005A,00000046), ref: 00403418
GetProcessAffinityMask.KERNEL32(0000004B,0000002E,00000024), ref: 00403470
VirtualAlloc.KERNEL32(00000000,00002702,00001000,00000040), ref: 004034FD
GetSystemMetrics.USER32(00000000), ref: 00403544
GetUserObjectInformationA.USER32(00000063,00000063,00000068,0000007F,0000002F), ref: 004035AE

Part of subcall function 004013B0: MsgWaitForMultipleObjectsEx.USER32(?,00000013,00000033,0000005E,0000003E), ref: 00401421

GetNumaNodeProcessorMask.KERNEL32(00000023,00000063), ref: 00403675
DPtoLP.GDI32(00000042,0000002D,0000002E), ref: 0040372D
Polygon.GDI32(0000004A,FFFFFFF3,0000003A), ref: 00403964
IsZoomed.USER32(00000023), ref: 00403C14
SetSystemPaletteUse.GDI32(00000037,0000002A), ref: 00403C9F
Escape.GDI32(0000003B,0000001E,FFFFFFEA,00000004,00000041), ref: 00403E89
SetDeviceGammaRamp.GDI32(FFFFFFEA,0000003B), ref: 00403FD8
GlobalCompact.KERNEL32(00000024), ref: 0040402A
EndPage.GDI32(00000004), ref: 0040414A
GetNearestPaletteIndex.GDI32(00000042,0000004E), ref: 00404300
ExcludeClipRect.GDI32(0000002E,00000054,0000001D,0000002A,00000034), ref: 0040470C
LineTo.GDI32(00000067,0000003D,00000067), ref: 00404728
GetTextMetricsW.GDI32(00000031,0000002E), ref: 00404EE1
GetSysColor.USER32(00000054), ref: 004050A0
GdiSetBatchLimit.GDI32(00000019), ref: 004050F1
OpenClipboard.USER32(0000008E), ref: 004051A7
AnyPopup.USER32 ref: 004052F5
ConvertThreadToFiber.KERNEL32(0000003D), ref: 00405317
CreateIconFromResourceEx.USER32(0000003D,00000064,00000052,00000027,0000002F,00000011,0000002F), ref: 0040537A

Part of subcall function 00401530: SetProcessShutdownParameters.KERNEL32(0000001A,00000061), ref: 00401614
Part of subcall function 00401530: CheckRemoteDebuggerPresent.KERNEL32(00000013,00000064), ref: 00401695
Part of subcall function 00401530: GetFileType.KERNEL32(0000001F), ref: 00401710
Part of subcall function 00401530: GlobalUnfix.KERNEL32(0000005B), ref: 004018B1

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(8tB), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Strings

8, xrefs: 0040215C
, xrefs: 0040252C
]r, xrefs: 00403882
Dbncrwiw unhbi rxlzgakc?(!), xrefs: 00401EA9
<, xrefs: 004051C7
P, xrefs: 00404B72
-, xrefs: 00405650
!, xrefs: 004042CE
`, xrefs: 00401D93
Cthumzqxhxlra ntfelcnhwclf qiscjknu tnsjjxhmvbg,(.), xrefs: 00405139
#, xrefs: 0040273D
], xrefs: 0040555B
=, xrefs: 00402A9E
Bcdxqessgcjhj cdurbdno yvyrtxhx stbfqgmqb!(c), xrefs: 00404B97
L, xrefs: 00405419
Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.), xrefs: 004053B7
;, xrefs: 0040384C
], xrefs: 004024AB
Y, xrefs: 00402A37
h, xrefs: 00405565
Bnyhhiovaa alwxaybdf uidfxpy sgcoxv wbnxwuwmpjd.(!), xrefs: 004025C9
Rygtmhk nhuonop gtzjzyjqvjm urrvlvxr szrtck mawaxlhyts?(!), xrefs: 00404A72
_, xrefs: 00402019
Bdwkcdf qvqtcvlqnul wxgmone olivr cdzukqlw!(.), xrefs: 00403997
6, xrefs: 00405509
d, xrefs: 00405420
>, xrefs: 00402460
T, xrefs: 004053C4
a, xrefs: 00402F82
K, xrefs: 00402544
S, xrefs: 004023AB
F, xrefs: 00403234
$, xrefs: 004032E5
Nhmsfh? czkcbvomyvdu? fgjnkncr?(.), xrefs: 004041A8
X, xrefs: 004041F6
3, xrefs: 004040A6
9, xrefs: 00401E93
0, xrefs: 0040259A
p, xrefs: 004053DA
Raegcbtv pvecswlhnby ylgsr mutkwl.(!), xrefs: 004033B8
*, xrefs: 0040458D
', xrefs: 004052BF
], xrefs: 00404583
6, xrefs: 004020DF
Rnjheeon ohqxrzxy dfhslxydku cbqmelxv,(!), xrefs: 00403891
P, xrefs: 00402DC6
W, xrefs: 00404AA3
Brcjzv mrmbmugllhn uaoqizm dwvmqreuh,(c), xrefs: 00402CEA
P, xrefs: 00404931
Y, xrefs: 004055AD
:, xrefs: 00402318
', xrefs: 00402BD8
Excshtjg! eqfdiwxqei! pbfixnmm!(.), xrefs: 00404B0C
T, xrefs: 00405702
, xrefs: 00404A63

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00401530, Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 239

APIs

SetProcessShutdownParameters.KERNEL32(0000001A,00000061), ref: 00401614
CheckRemoteDebuggerPresent.KERNEL32(00000013,00000064), ref: 00401695
GetFileType.KERNEL32(0000001F), ref: 00401710
GlobalUnfix.KERNEL32(0000005B), ref: 004018B1

Strings

,, xrefs: 00401763
Y, xrefs: 00401581
., xrefs: 004016E6
\, xrefs: 004016C0
A, xrefs: 0040167A
1, xrefs: 004016FA
R, xrefs: 00401989
E, xrefs: 00401642
8, xrefs: 004019CC
J, xrefs: 004015C1
Y, xrefs: 00401780

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00406839, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 112

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406843
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040686A
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00406877
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00406884
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00406891
TlsAlloc.KERNEL32 ref: 004068E1
TlsSetValue.KERNEL32(00000000), ref: 004068FC

Part of subcall function 00406429: TlsGetValue.KERNEL32(00000000,?,004064A2), ref: 0040643B
Part of subcall function 00406429: TlsGetValue.KERNEL32(FFFFFFFF,?,004064A2), ref: 00406452
Part of subcall function 00406429: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406468
Part of subcall function 00406429: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406483
Part of subcall function 00406429: RtlEncodePointer.NTDLL(00000000,?,004064A2,00000000,00409163,00427790,00000000,00000314,?,0040702F,00427790,Microsoft Visual C++ Runtime Library,00012010), ref: 00406490

Part of subcall function 004064A4: TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
Part of subcall function 004064A4: TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
Part of subcall function 004064A4: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
Part of subcall function 004064A4: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE
Part of subcall function 004064A4: RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

Part of subcall function 00408933: Sleep.KERNEL32(00000000), ref: 0040895B

Part of subcall function 00406590: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004065A2
Part of subcall function 00406590: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004065D6
Part of subcall function 00406590: GetProcAddress.KERNEL32(?,DecodePointer), ref: 004065E6
Part of subcall function 00406590: InterlockedIncrement.KERNEL32(55891801,?,004054DD), ref: 00406615

GetCurrentThreadId.KERNEL32 ref: 004069AB

Part of subcall function 00406553: TlsFree.KERNEL32(FFFFFFFF), ref: 0040657E
Part of subcall function 00406553: DeleteCriticalSection.KERNEL32(00000000,00000000,KERNEL32.DLL,?,004069C1), ref: 00407C8A
Part of subcall function 00406553: DeleteCriticalSection.KERNEL32(FFFFFFFF,KERNEL32.DLL,?,004069C1), ref: 00407CB4

Part of subcall function 00406B88: Sleep.KERNEL32(000003E8), ref: 00406B94
Part of subcall function 00406B88: GetModuleHandleW.KERNEL32(004054DD), ref: 00406B9D

Strings

FlsSetValue, xrefs: 00406879
FlsGetValue, xrefs: 0040686C
FlsFree, xrefs: 00406886
KERNEL32.DLL, xrefs: 0040683D, 00406842, 0040684D
FlsAlloc, xrefs: 00406864

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00406429, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42

APIs

TlsGetValue.KERNEL32(00000000,?,004064A2), ref: 0040643B
TlsGetValue.KERNEL32(FFFFFFFF,?,004064A2), ref: 00406452
GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406468
RtlEncodePointer.NTDLL(00000000,?,004064A2,00000000,00409163,00427790,00000000,00000314,?,0040702F,00427790,Microsoft Visual C++ Runtime Library,00012010), ref: 00406490

Part of subcall function 00406B88: Sleep.KERNEL32(000003E8), ref: 00406B94
Part of subcall function 00406B88: GetModuleHandleW.KERNEL32(004054DD), ref: 00406B9D

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406483

Strings

EncodePointer, xrefs: 0040647D
KERNEL32.DLL, xrefs: 00406462, 00406467, 00406472

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 004064A4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42

APIs

TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

Part of subcall function 00406B88: Sleep.KERNEL32(000003E8), ref: 00406B94
Part of subcall function 00406B88: GetModuleHandleW.KERNEL32(004054DD), ref: 00406B9D

GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE

Strings

DecodePointer, xrefs: 004064F8
KERNEL32.DLL, xrefs: 004064DD, 004064E2, 004064ED

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 004062A1, Relevance: 3.1, APIs: 2, Instructions: 100

APIs

GetStartupInfoA.KERNEL32(?), ref: 004062B6

Part of subcall function 0040796E: HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00407983

Part of subcall function 00406839: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406843
Part of subcall function 00406839: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040686A
Part of subcall function 00406839: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00406877
Part of subcall function 00406839: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00406884
Part of subcall function 00406839: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00406891
Part of subcall function 00406839: TlsAlloc.KERNEL32 ref: 004068E1
Part of subcall function 00406839: TlsSetValue.KERNEL32(00000000), ref: 004068FC
Part of subcall function 00406839: GetCurrentThreadId.KERNEL32 ref: 004069AB

Part of subcall function 004076CE: GetStartupInfoA.KERNEL32(?), ref: 004076E3
Part of subcall function 004076CE: GetFileType.KERNEL32(00000040), ref: 0040780D
Part of subcall function 004076CE: GetStdHandle.KERNEL32(-000000F6), ref: 00407897
Part of subcall function 004076CE: GetFileType.KERNEL32(00000000), ref: 004078A9
Part of subcall function 004076CE: SetHandleCount.KERNEL32 ref: 00407901

GetCommandLineA.KERNEL32 ref: 0040634B

Part of subcall function 00407597: GetEnvironmentStringsW.KERNEL32 ref: 004075B5
Part of subcall function 00407597: GetLastError.KERNEL32 ref: 004075C9
Part of subcall function 00407597: GetEnvironmentStringsW.KERNEL32 ref: 004075F0
Part of subcall function 00407597: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0040762A
Part of subcall function 00407597: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040764D
Part of subcall function 00407597: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00407663
Part of subcall function 00407597: GetEnvironmentStrings.KERNEL32 ref: 00407676
Part of subcall function 00407597: FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004076A8
Part of subcall function 00407597: FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004076C1

Part of subcall function 004074DC: GetModuleFileNameA.KERNEL32(00000000,00427AA8,00000104), ref: 00407508

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 0040796E, Relevance: 1.5, APIs: 1, Instructions: 20

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00407983

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 0040B053, Relevance: 1.3, APIs: 1, Instructions: 93

APIs

HeapAlloc.KERNEL32(00000008,?,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214,?,004054DD), ref: 0040B111

Part of subcall function 00407D9E: EnterCriticalSection.KERNEL32(?,?,?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001), ref: 00407DC8

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00408933, Relevance: 1.3, APIs: 1, Instructions: 30

APIs

Part of subcall function 0040B053: HeapAlloc.KERNEL32(00000008,?,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214,?,004054DD), ref: 0040B111

Sleep.KERNEL32(00000000), ref: 0040895B

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Non-executed Functions

Function 00406218, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58

APIs

IsDebuggerPresent.KERNEL32 ref: 00406A81
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
UnhandledExceptionFilter.KERNEL32(8tB), ref: 00406AA1
GetCurrentProcess.KERNEL32 ref: 00406ABD
TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Strings

8tB, xrefs: 00406A9C

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00408A2E, Relevance: 7.6, APIs: 5, Instructions: 67

APIs

IsDebuggerPresent.KERNEL32 ref: 00408B0A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00408B14
UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00408B21
GetCurrentProcess.KERNEL32 ref: 00408B3C
TerminateProcess.KERNEL32(00000000), ref: 00408B43

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(8tB), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00405B40, Relevance: 4.0, Strings: 3, Instructions: 210

Strings

1, xrefs: 00405CEA
Cjkimkwvvun ljjnrwbujaqn gwvnlo jvrqokq nocqv gpisnohoow yisctc.(r), xrefs: 00405F1F
[, xrefs: 00405E3E

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 0040B38C, Relevance: 3.1, APIs: 2, Instructions: 62

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040B488
UnhandledExceptionFilter.KERNEL32(?), ref: 0040B495

Part of subcall function 00406EC0: GetModuleFileNameA.KERNEL32(00000000,004277A9,00000104), ref: 00406F63
Part of subcall function 00406EC0: GetStdHandle.KERNEL32(000000F4), ref: 00407036
Part of subcall function 00406EC0: WriteFile.KERNEL32(00000000,00000000,00000000,004054DD,00000000), ref: 00407060

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 0040BD88, Relevance: 1.5, APIs: 1, Instructions: 27

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 0040BDAC

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(8tB), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 0040AB50, Relevance: 16.8, APIs: 11, Instructions: 340

APIs

LCMapStringW.KERNEL32(00000000,00000100,0041A19C,00000001,00000000,00000000), ref: 0040AB82
GetLastError.KERNEL32 ref: 0040AB94
MultiByteToWideChar.KERNEL32(00000100,00000000,?,?,00000000,00000000), ref: 0040AC20
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0040AC8C
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0040ACA8
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 0040ACE2
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 0040AD46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0040AD69

Part of subcall function 0040BD88: GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 0040BDAC

LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040ADF9

Part of subcall function 0040AF89: HeapAlloc.KERNEL32(00000000,004054CE,00000001,00000000,00000000,?,004088FF,004054DD,00000001,004054DD,?,00407D28,00000018,0041A308,0000000C,00407DB9), ref: 0040B000

LCMapStringA.KERNEL32(?,?,?,?,00000000,?), ref: 0040AE6B
LCMapStringA.KERNEL32(?,?,?,?,00000000,?), ref: 0040AEB8

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(8tB), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Part of subcall function 0040BDD1: GetCPInfo.KERNEL32(?,?), ref: 0040BE1C
Part of subcall function 0040BDD1: GetCPInfo.KERNEL32(?,00000001), ref: 0040BE35
Part of subcall function 0040BDD1: MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,00000000,00000000), ref: 0040BE93
Part of subcall function 0040BDD1: MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,?,00000000), ref: 0040BEE2
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 0040BEFD
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF23
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF48

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00409153, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 0040917B
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00409197

Part of subcall function 00406429: TlsGetValue.KERNEL32(00000000,?,004064A2), ref: 0040643B
Part of subcall function 00406429: TlsGetValue.KERNEL32(FFFFFFFF,?,004064A2), ref: 00406452
Part of subcall function 00406429: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00406468
Part of subcall function 00406429: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406483
Part of subcall function 00406429: RtlEncodePointer.NTDLL(00000000,?,004064A2,00000000,00409163,00427790,00000000,00000314,?,0040702F,00427790,Microsoft Visual C++ Runtime Library,00012010), ref: 00406490

GetProcAddress.KERNEL32(00000000,00000000), ref: 004091B4
GetProcAddress.KERNEL32(00000000,00000000), ref: 004091C9
GetProcAddress.KERNEL32(00000000,00000000), ref: 004091DE
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004091F6

Part of subcall function 004064A4: TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
Part of subcall function 004064A4: TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
Part of subcall function 004064A4: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
Part of subcall function 004064A4: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE
Part of subcall function 004064A4: RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

Strings

GetProcessWindowStation, xrefs: 004091F0
USER32.DLL, xrefs: 00409176
MessageBoxA, xrefs: 00409191

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00407FA9, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 61

APIs

InterlockedDecrement.KERNEL32(00409541,00000000), ref: 00407FC3
InterlockedDecrement.KERNEL32(03E28302,?,0041E9E8), ref: 00407FD0
InterlockedDecrement.KERNEL32(FFA5F32A,?,0041E9E8), ref: 00407FDD
InterlockedDecrement.KERNEL32(7208F983,?,0041E9E8), ref: 00407FEA
InterlockedDecrement.KERNEL32(8B900040,?,0041E9E8), ref: 00407FF7
InterlockedDecrement.KERNEL32(8B900040), ref: 00408013
InterlockedDecrement.KERNEL32(C35D10C4), ref: 00408023
InterlockedDecrement.KERNEL32(2885244B), ref: 00408039

Strings

A, xrefs: 00408003

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00407F1A, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58

APIs

InterlockedIncrement.KERNEL32(004054DD,00000001,004054DD), ref: 00407F2C
InterlockedIncrement.KERNEL32(8BFFFFFE,?,0040664C), ref: 00407F39
InterlockedIncrement.KERNEL32(A48589FF,?,0040664C), ref: 00407F46
InterlockedIncrement.KERNEL32(FFFEA485,?,0040664C), ref: 00407F53
InterlockedIncrement.KERNEL32(FDD48DB7,?,0040664C), ref: 00407F60
InterlockedIncrement.KERNEL32(FDD48DB7,?,0040664C), ref: 00407F7C
InterlockedIncrement.KERNEL32(000026CC,?,0040664C), ref: 00407F8C
InterlockedIncrement.KERNEL32(B9FFFF4C,?,0040664C), ref: 00407FA2

Strings

A, xrefs: 00407F6C

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00406590, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 57

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004065A2
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004065D6
GetProcAddress.KERNEL32(?,DecodePointer), ref: 004065E6

Part of subcall function 00407D9E: EnterCriticalSection.KERNEL32(?,?,?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001), ref: 00407DC8

InterlockedIncrement.KERNEL32(55891801,?,004054DD), ref: 00406615

Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(004054DD,00000001,004054DD), ref: 00407F2C
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(8BFFFFFE,?,0040664C), ref: 00407F39
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(A48589FF,?,0040664C), ref: 00407F46
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(FFFEA485,?,0040664C), ref: 00407F53
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(FDD48DB7,?,0040664C), ref: 00407F60
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(FDD48DB7,?,0040664C), ref: 00407F7C
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(000026CC,?,0040664C), ref: 00407F8C
Part of subcall function 00407F1A: InterlockedIncrement.KERNEL32(B9FFFF4C,?,0040664C), ref: 00407FA2

Part of subcall function 00406B88: Sleep.KERNEL32(000003E8), ref: 00406B94
Part of subcall function 00406B88: GetModuleHandleW.KERNEL32(004054DD), ref: 00406B9D

Strings

DecodePointer, xrefs: 004065DE
A, xrefs: 0040663C
EncodePointer, xrefs: 004065CA
KERNEL32.DLL, xrefs: 0040659C, 004065A1, 004065AC

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00407597, Relevance: 13.6, APIs: 9, Instructions: 132

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004075B5
GetLastError.KERNEL32 ref: 004075C9
GetEnvironmentStringsW.KERNEL32 ref: 004075F0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0040762A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040764D

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00407663
GetEnvironmentStrings.KERNEL32 ref: 00407676

Part of subcall function 004088EE: Sleep.KERNEL32(00000000), ref: 0040890F

FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004076A8
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004076C1

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00406EC0, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 161

APIs

GetModuleFileNameA.KERNEL32(00000000,004277A9,00000104), ref: 00406F63

Part of subcall function 00409153: LoadLibraryA.KERNEL32(USER32.DLL), ref: 0040917B
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00409197
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,00000000), ref: 004091B4
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,00000000), ref: 004091C9
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,00000000), ref: 004091DE
Part of subcall function 00409153: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004091F6

Part of subcall function 00408A2E: IsDebuggerPresent.KERNEL32 ref: 00408B0A
Part of subcall function 00408A2E: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00408B14
Part of subcall function 00408A2E: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00408B21
Part of subcall function 00408A2E: GetCurrentProcess.KERNEL32 ref: 00408B3C
Part of subcall function 00408A2E: TerminateProcess.KERNEL32(00000000), ref: 00408B43

GetStdHandle.KERNEL32(000000F4), ref: 00407036
WriteFile.KERNEL32(00000000,00000000,00000000,004054DD,00000000), ref: 00407060

Strings

<program name unknown>, xrefs: 00406F6D
Microsoft Visual C++ Runtime Library, xrefs: 00407024
..., xrefs: 00406FB2
Runtime Error!Program: , xrefs: 00406F25

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 0040BDD1, Relevance: 10.7, APIs: 7, Instructions: 175

APIs

GetCPInfo.KERNEL32(?,?), ref: 0040BE1C
GetCPInfo.KERNEL32(?,00000001), ref: 0040BE35
MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,00000000,00000000), ref: 0040BE93

Part of subcall function 0040AF89: HeapAlloc.KERNEL32(00000000,004054CE,00000001,00000000,00000000,?,004088FF,004054DD,00000001,004054DD,?,00407D28,00000018,0041A308,0000000C,00407DB9), ref: 0040B000

MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,?,00000000), ref: 0040BEE2
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 0040BEFD
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF23

Part of subcall function 00408933: Sleep.KERNEL32(00000000), ref: 0040895B

WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF48

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(8tB), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 0040A908, Relevance: 9.2, APIs: 6, Instructions: 166

APIs

GetStringTypeW.KERNEL32(00000001,0041A19C,00000001,?), ref: 0040A937
GetLastError.KERNEL32(?,0040AAF2,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A949
MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040A9AE

Part of subcall function 0040AF89: HeapAlloc.KERNEL32(00000000,004054CE,00000001,00000000,00000000,?,004088FF,004054DD,00000001,004054DD,?,00407D28,00000018,0041A308,0000000C,00407DB9), ref: 0040B000

MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000), ref: 0040AA18
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0040AA26

Part of subcall function 0040BD88: GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 0040BDAC

GetStringTypeA.KERNEL32(?,?,?,?,?), ref: 0040AA9B

Part of subcall function 00406218: IsDebuggerPresent.KERNEL32 ref: 00406A81
Part of subcall function 00406218: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406A96
Part of subcall function 00406218: UnhandledExceptionFilter.KERNEL32(8tB), ref: 00406AA1
Part of subcall function 00406218: GetCurrentProcess.KERNEL32 ref: 00406ABD
Part of subcall function 00406218: TerminateProcess.KERNEL32(00000000), ref: 00406AC4

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Part of subcall function 0040BDD1: GetCPInfo.KERNEL32(?,?), ref: 0040BE1C
Part of subcall function 0040BDD1: GetCPInfo.KERNEL32(?,00000001), ref: 0040BE35
Part of subcall function 0040BDD1: MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,00000000,00000000), ref: 0040BE93
Part of subcall function 0040BDD1: MultiByteToWideChar.KERNEL32(?,00000001,?,0040AAF2,?,00000000), ref: 0040BEE2
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 0040BEFD
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF23
Part of subcall function 0040BDD1: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BF48

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 004076CE, Relevance: 7.7, APIs: 5, Instructions: 190

APIs

GetStartupInfoA.KERNEL32(?), ref: 004076E3

Part of subcall function 00408933: Sleep.KERNEL32(00000000), ref: 0040895B

GetFileType.KERNEL32(00000040), ref: 0040780D
GetStdHandle.KERNEL32(-000000F6), ref: 00407897
GetFileType.KERNEL32(00000000), ref: 004078A9

Part of subcall function 004090BC: InitializeCriticalSectionAndSpinCount.KERNEL32(004054DD,?), ref: 004090D2

SetHandleCount.KERNEL32 ref: 00407901

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00407B8C, Relevance: 7.6, APIs: 5, Instructions: 53

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00407BC3
GetCurrentProcessId.KERNEL32 ref: 00407BCF
GetCurrentThreadId.KERNEL32 ref: 00407BD7
GetTickCount.KERNEL32 ref: 00407BDF
QueryPerformanceCounter.KERNEL32(?), ref: 00407BEB

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00406553, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51

APIs

TlsFree.KERNEL32(FFFFFFFF), ref: 0040657E
DeleteCriticalSection.KERNEL32(00000000,00000000,KERNEL32.DLL,?,004069C1), ref: 00407C8A

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

DeleteCriticalSection.KERNEL32(FFFFFFFF,KERNEL32.DLL,?,004069C1), ref: 00407CB4

Part of subcall function 004064A4: TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
Part of subcall function 004064A4: TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
Part of subcall function 004064A4: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
Part of subcall function 004064A4: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE
Part of subcall function 004064A4: RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

Strings

KERNEL32.DLL, xrefs: 00407C76

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00406677, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46

APIs

GetLastError.KERNEL32(?,Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.),004066F8,Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.),00406210,?,004054DD,00000000), ref: 0040667B

Part of subcall function 0040651F: TlsGetValue.KERNEL32(Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.),0040668E), ref: 00406528
Part of subcall function 0040651F: TlsSetValue.KERNEL32(00000000,004054DD), ref: 00406549

SetLastError.KERNEL32(00000000,?,004054DD,00000000), ref: 004066E5

Part of subcall function 00408933: Sleep.KERNEL32(00000000), ref: 0040895B

Part of subcall function 004064A4: TlsGetValue.KERNEL32(00000000,?,0040653F), ref: 004064B6
Part of subcall function 004064A4: TlsGetValue.KERNEL32(FFFFFFFF,?,0040653F), ref: 004064CD
Part of subcall function 004064A4: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004064E3
Part of subcall function 004064A4: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004064FE
Part of subcall function 004064A4: RtlEncodePointer.NTDLL(004054DD,?,0040653F,?,004054DD,00000000), ref: 0040650B

GetCurrentThreadId.KERNEL32 ref: 004066CD

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Part of subcall function 00406590: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004065A2
Part of subcall function 00406590: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004065D6
Part of subcall function 00406590: GetProcAddress.KERNEL32(?,DecodePointer), ref: 004065E6
Part of subcall function 00406590: InterlockedIncrement.KERNEL32(55891801,?,004054DD), ref: 00406615

Strings

Nhpgvfduhegst ezrfy sfunfsnvtr zvvayipjg.(.), xrefs: 00406679

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00406BE1, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleW.KERNEL32(mscoree.dll), ref: 00406BEB
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00406BFB

Strings

CorExitProcess, xrefs: 00406BF5
mscoree.dll, xrefs: 00406BE6

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 0040B171, Relevance: 6.4, APIs: 5, Instructions: 181

APIs

GetLastError.KERNEL32(?,00408C4D,00000000,00000010,?,?,?,00408CD9,?,0041A3C8,0000000C,00408D05,?,?,00406CC2,00407948), ref: 0040B379

Part of subcall function 00407D9E: EnterCriticalSection.KERNEL32(?,?,?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001), ref: 00407DC8

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

HeapAlloc.KERNEL32(00000000,?,0041A488,00000010,00408993,?,?,00000000,00000000,?,00408C4D,00000000,00000010), ref: 0040B24E

Part of subcall function 00409935: VirtualFree.KERNEL32(?,00008000,00004000), ref: 00409B7E
Part of subcall function 00409935: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00409BD9
Part of subcall function 00409935: HeapFree.KERNEL32(00000000,?), ref: 00409BEB

HeapReAlloc.KERNEL32(00000000,?,?,0041A488,00000010,00408993,?,?,00000000,00000000,?,00408C4D,00000000,00000010), ref: 0040B2A5
GetLastError.KERNEL32(?,00408C4D,00000000,00000010,?,?,?,00408CD9,?,0041A3C8,0000000C,00408D05,?,?,00406CC2,00407948), ref: 0040B2EC
HeapReAlloc.KERNEL32(00000000,?,?,0041A488,00000010,00408993,?,?,00000000,00000000,?,00408C4D,00000000,00000010), ref: 0040B326

Part of subcall function 0040AF89: HeapAlloc.KERNEL32(00000000,004054CE,00000001,00000000,00000000,?,004088FF,004054DD,00000001,004054DD,?,00407D28,00000018,0041A308,0000000C,00407DB9), ref: 0040B000

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 004086A8, Relevance: 6.1, APIs: 4, Instructions: 116

APIs

Part of subcall function 0040831C: InterlockedDecrement.KERNEL32(?,0041A348,0000000C), ref: 00408375
Part of subcall function 0040831C: InterlockedIncrement.KERNEL32(0041EAD0,0041A348,0000000C), ref: 004083A0

Part of subcall function 00408447: GetOEMCP.KERNEL32 ref: 00408470
Part of subcall function 00408447: GetACP.KERNEL32 ref: 00408493

Part of subcall function 004088EE: Sleep.KERNEL32(00000000), ref: 0040890F

Part of subcall function 004084C3: IsValidCodePage.KERNEL32(-00000030), ref: 00408536
Part of subcall function 004084C3: GetCPInfo.KERNEL32(00000000,?), ref: 00408549

InterlockedDecrement.KERNEL32(?), ref: 0040871E
InterlockedIncrement.KERNEL32(00000000), ref: 00408743

Part of subcall function 00407D9E: EnterCriticalSection.KERNEL32(?,?,?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001), ref: 00407DC8

InterlockedDecrement.KERNEL32 ref: 004087D5
InterlockedIncrement.KERNEL32(00000000), ref: 004087F9

Part of subcall function 00408860: HeapFree.KERNEL32(00000000,004054DD,0041A388,0000000C,00407D7F,00000000,0041A308,0000000C,00407DB9,004054DD,?,?,0040B0D4,00000004,0041A468,0000000C), ref: 004088C8
Part of subcall function 00408860: GetLastError.KERNEL32(?,0040B0D4,00000004,0041A468,0000000C,00408949,004054DD,?,00000000,00000000,00000000,?,004066A2,00000001,00000214), ref: 004088D9

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00401240, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81

APIs

CloseFigure.GDI32(00000058), ref: 00401365

Strings

A, xrefs: 004012C2
3, xrefs: 0040134F

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Function 00409C4B, Relevance: 5.1, APIs: 4, Instructions: 53

APIs

HeapReAlloc.KERNEL32(00000000,-00000010,7C9200C4,00000000,0040A1AB,7C9200C4,004054DD,00000000,00000001,00000214,?,004054DD), ref: 00409C72
HeapAlloc.KERNEL32(00000008,000041C4,7C9200C4,00000000,0040A1AB,7C9200C4,004054DD,00000000,00000001,00000214,?,004054DD), ref: 00409CA8
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00409CC2
HeapFree.KERNEL32(00000000,?,?,004054DD), ref: 00409CD9

Memory Dump Source

Source File: 00000004.00000001.58312072599200.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.58312059367037.00400000.00000002.sdmp
Associated: 00000004.00000001.58312076437069.0040D000.00000002.sdmp
Associated: 00000004.00000001.58312080332716.0041C000.00000008.sdmp
Associated: 00000004.00000001.58312085631247.00420000.00000004.sdmp
Associated: 00000004.00000001.58312088957017.00428000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_shadow.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

TCP Packets

Hooks - Code Manipulation Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe PID: 1560 Parent PID: 552

General

Chronological Activities

Analysis Process: cmd.exe PID: 2260 Parent PID: 1560

General

Chronological Activities

Analysis Process: cmd.exe PID: 2436 Parent PID: 1560

General

Chronological Activities

Analysis Process: shadow.exe PID: 3976 Parent PID: 2260

General

Chronological Activities

Analysis Process: shadow.exe PID: 2988 Parent PID: 3976

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: 1b42683bf2c6c0da6f6abd85720b64b387cbad99-9437eabf2fe5d32101e3fbf9f6027880.exe PID: 1560 Parent PID: 552

Executed Functions

Function 00401D10, Relevance: 153.5, APIs: 31, Strings: 55, Instructions: 3021

Function 00401530, Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 239

Function 00402EF3, Relevance: 21.6, APIs: 10, Strings: 2, Instructions: 639

Function 004021F1, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75

Function 004054E1, Relevance: 10.6, APIs: 7, Instructions: 91

Function 00405D96, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85

Function 004056E6, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

Function 00404E98, Relevance: 7.6, APIs: 5, Instructions: 53