Joe Sandbox - Analysis Report 31962

General Information

Analysis ID:	31962
Start time:	17:23:58
Start date:	05/06/2013
Overall analysis duration:	0h 3m 20s
Sample file name:	gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe
Cookbook file name:	default.jbs
Analysis system description:	XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
HCA enabled:	true
HCA success:	true, ratio: 98%

Signature Overview

DDOS:

Contains functionality to access network services in a loop (often DDOS functionality)			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_0_00407D68 WSAStartup,htons,inet_addr,socket,connect,send,Sleep,closesocket,WSACleanup,

Networking:

Contains functionality to download additional files from the internet		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_0_00405CB0 DeleteFileA,URLDownloadToFileA,ShellExecuteA,
Urls found in memory or binary data		Show sources
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://er.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://fc-zenit.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://kremlin.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://kvk-business.com/sozdanie-saytov/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://mvd.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://pella.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://premier.gov.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://pvppw.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://vkontakte.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.gofuckbiz.com/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.niagarastar.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.odnoklassniki.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.pfc-cska.com/splash/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.rfs.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://zhyk.ru/
Contains functionality to download and execute PE files		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_0_00405CB0 DeleteFileA,URLDownloadToFileA,ShellExecuteA,
Found strings which match to known social media urls		Show sources
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://vkontakte.ru/ equals www.vkontakte.ru (VKontakte)
Performs DNS lookups		Show sources
Source: unknown	DNS traffic detected: queries for: ddos.prv
Tries to resolve domain names, but no domain seems valid (experied dropper behavior)		Show sources
Source: unknown	DNS traffic detected:

Boot Survival:

Creates or modifies windows services			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Persistence and Installation Behavior:

Drops PE files			Show sources
Source: C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe	File created: C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe

Data Obfuscation:

Binary may include packed or crypted data		Show sources
Source: initial sample	Static PE information: section name: CODE entropy: 6.51744412832
Entrypoint lies outside standard sections		Show sources
Source: initial sample	Static PE information: section where entrypoint is pointing to: CODE
PE file contains sections with non-standard names		Show sources
Source: initial sample	Static PE information: section name: CODE
PE sections with suspicious entropy found		Show sources
Source: initial sample	Static PE information: section name: BSS entropy: 0.0 raw section size: 0x0

System Summary:

Creates files inside the user directory		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	File created: C:\Documents and Settings\Administrator\Application Data\nightupdate\
Reads ini files		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	File read: C:\Documents and Settings\Administrator\My Documents\desktop.ini
Spawns processes		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Process created: C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe
Enables driver privileges		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Process token adjusted: Load Driver

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_0_004050A0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,EqualSid,FreeSid,
Benign windows process drops PE files		Show sources
Source: C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe	File created: svchost.exe.dr

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Memory protected: page read and write and page guard

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List UpdateSvchost

Language, Device and Operating System Detection:

Contains functionality to query windows version			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_1_00403B5D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

Startup

system is xp gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe (PID: 1604 MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23) svchost.exe (PID: 336 MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23) cleanup

system is xp

gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe (PID: 1604 MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23)

svchost.exe (PID: 336 MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23)

cleanup

Created / dropped Files

File Path	Hashes
C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe	MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23 SHA: 9BE566E5CB43B09E62B90013079CAF1EEC3544CE SHA-256: 0016C910AE1F81A16EC1A1ED5D1344C798073D92BDFCF3D1CA0EBA2C43E689E7 SHA-512: 99A3BC7DA03F96AB27E06E590C33FF70E49907B554A142176AAEA119B2B9B8156758C0273C5749A36B8CB644A3C7148761383B9349A14A7D00265AFA3BEADA9F

Contacted Domains

Name	IP	Name Server	Active	Registrar	e-Mail
ddos.prv	unknown	unknown	false	unknown	unknown

Contacted IPs

IP	Country	Pingable	Open Ports
195.186.1.121	SWITZERLAND	false

Static File Info

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File name:	gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe
File size:	41472
MD5:	3eebf8a3de8fbb1a92aeae7b22f81e23
SHA1:	9be566e5cb43b09e62b90013079caf1eec3544ce
SHA256:	0016c910ae1f81a16ec1a1ed5d1344c798073d92bdfcf3d1ca0eba2c43e689e7
SHA512:	99a3bc7da03f96ab27e06e590c33ff70e49907b554a142176aaea119b2b9b8156758c0273c5749a36b8cb644a3c7148761383b9349a14a7d00265afa3beada9f

Static PE Info

General
Entrypoint:	0x4092e0
Entrypoint Section:	CODE
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x100b0	0x10	Sendmail frozen configuration
RT_RCDATA	0x100c0	0x98	data

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll	Sleep, SetFileAttributesA, GetVolumeInformationA, GetLastError, GetEnvironmentVariableA, GetCurrentThread, GetCurrentProcess, CreateDirectoryA, CloseHandle
shell32.dll	ShellExecuteA
URLMON.DLL	URLDownloadToFileA
kernel32.dll	Sleep, DeleteFileA, CopyFileA
wsock32.dll	WSACleanup, WSAStartup, gethostbyname, socket, sendto, send, recv, inet_ntoa, inet_addr, htons, connect, closesocket
ICMP.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy
CODE	0x1000	0x84d4	0x8600	6.51744412832
DATA	0xa000	0x1bc	0x200	4.23962661432
BSS	0xb000	0x6c5	0x0	0.0
.idata	0xc000	0x7bc	0x800	4.38317373245
.tls	0xd000	0x8	0x0	0.0
.rdata	0xe000	0x18	0x200	0.20448815744
.reloc	0xf000	0x858	0xa00	6.08576418932
.rsrc	0x10000	0x200	0x200	3.19612927808

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 5, 2013 17:25:42.373361111 CEST	55597	53	192.168.0.10	195.186.1.121
Jun 5, 2013 17:25:42.791187048 CEST	53	55597	195.186.1.121	192.168.0.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 5, 2013 17:25:42.373361111 CEST	55597	53	192.168.0.10	195.186.1.121
Jun 5, 2013 17:25:42.791187048 CEST	53	55597	195.186.1.121	192.168.0.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 5, 2013 17:25:42.373361111 CEST	192.168.0.10	195.186.1.121	0x79bf	Standard query (0)	ddos.prv	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Jun 5, 2013 17:25:42.791187048 CEST	195.186.1.121	192.168.0.10	0x79bf	Name error (3)	ddos.prv	none	none	A (IP address)	IN (0x0001)

Code Manipulation Behavior

System Behavior

Analysis Process: gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe PID: 1604 Parent PID: 1632

General

Start time:	09:50:00
Start date:	24/01/2012
Path:	C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	41472 bytes
MD5 hash:	3EEBF8A3DE8FBB1A92AEAE7B22F81E23

Chronological Activities

Analysis Process: svchost.exe PID: 336 Parent PID: 1604

General

Start time:	09:50:27
Start date:	24/01/2012
Path:	C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe
Imagebase:	0x400000
File size:	41472 bytes
MD5 hash:	3EEBF8A3DE8FBB1A92AEAE7B22F81E23

Chronological Activities

Disassembly

Code Analysis

< >

Analysis Process: gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe PID: 1604 Parent PID: 1632

Executed Functions

Function 00405188, Relevance: 24.4, APIs: 3, Strings: 9, Instructions: 196

APIs

Part of subcall function 004050A0: GetCurrentThread.KERNEL32 ref: 004050B3
Part of subcall function 004050A0: OpenThreadToken.ADVAPI32(?,00000008,000000FF,?), ref: 004050B9
Part of subcall function 004050A0: RtlGetLastWin32Error.KERNEL32 ref: 004050C4
Part of subcall function 004050A0: GetCurrentProcess.KERNEL32 ref: 004050D7
Part of subcall function 004050A0: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004050DD
Part of subcall function 004050A0: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 0040510A
Part of subcall function 004050A0: CloseHandle.KERNEL32(00000000), ref: 00405116
Part of subcall function 004050A0: AllocateAndInitializeSid.ADVAPI32(0040A0A8,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040513E
Part of subcall function 004050A0: EqualSid.ADVAPI32(?), ref: 00405157
Part of subcall function 004050A0: FreeSid.ADVAPI32(?), ref: 0040516F

Part of subcall function 004026A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004026C8
Part of subcall function 004026A4: GetCommandLineA.KERNEL32 ref: 004026DA

DeleteFileA.KERNEL32 ref: 0040539B
CopyFileA.KERNEL32(?,?,000000FF), ref: 004053B6

Part of subcall function 00405078: SetFileAttributesA.KERNEL32(?,00000006), ref: 0040508A
Part of subcall function 00405078: RtlGetLastWin32Error.KERNEL32(?,?,?,004053C8,00000000,004053E7,?,00000000,0040540C,?,?,?,003BB4D0,0000000B,00000000,00000000), ref: 00405093

ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 004053D3

Part of subcall function 00403108: FreeLibrary.KERNEL32(0040B634), ref: 0040318D
Part of subcall function 00403108: ExitProcess.KERNEL32(?,?,?,?,?,004031EA,0040250F,00402557,?,?,004024AC,?,00000000,0040947A), ref: 004031C2

Part of subcall function 00405030: GetEnvironmentVariableA.KERNEL32(?,00000000,00000000), ref: 0040504D
Part of subcall function 00405030: GetEnvironmentVariableA.KERNEL32 ref: 0040506C

Part of subcall function 00405014: CreateDirectoryA.KERNEL32(?,00000000), ref: 00405021

Strings

APPDATA, xrefs: 004051CC 0040521B
XG5pZ2h0dXBkYXRlXA==, xrefs: 004051DC 0040522C
c3ZjaG9zdC5leGU=, xrefs: 004051EC
VXBkYXRlU3ZjaG9zdA==, xrefs: 0040525C 00405290 004052D7 0040531E
U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==, xrefs: 0040526D
Oio6RW5hYmxlZDpzdmNob3N0, xrefs: 004052A4 004052EB 00405332
U1lTVEVNXENvbnRyb2xTZXQwMDFcU2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdFw=, xrefs: 004052C3
U1lTVEVNXENvbnRyb2xTZXQwMDJcU2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdFw=, xrefs: 0040530A
U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFNoYXJlZEFjY2Vzc1xQYXJhbWV0ZXJzXEZpcmV3YWxsUG9saWN5XFN0YW5kYXJkUHJvZmlsZVxBdXRob3JpemVkQXBwbGljYXRpb25zXExpc3Rc, xrefs: 00405351

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 004092E0, Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 100

APIs

Part of subcall function 00403CF4: GetModuleHandleA.KERNEL32(00000000), ref: 00403D00

Sleep.KERNEL32(00000000), ref: 0040931F
Sleep.KERNEL32(00000000), ref: 0040932E
Sleep.KERNEL32(00000000), ref: 0040933D
Sleep.KERNEL32(000005DC), ref: 0040934A

Part of subcall function 00402704: QueryPerformanceCounter.KERNEL32 ref: 00402708
Part of subcall function 00402704: GetTickCount.KERNEL32 ref: 0040271C

Part of subcall function 00404248: GetVolumeInformationA.KERNEL32(00000000,?,00000100,?,?,?,00000000,00000000), ref: 0040426D

Part of subcall function 00405188: DeleteFileA.KERNEL32 ref: 0040539B
Part of subcall function 00405188: CopyFileA.KERNEL32(?,?,000000FF), ref: 004053B6
Part of subcall function 00405188: ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 004053D3

Part of subcall function 00403230: CreateThread.KERNEL32(00000000,00000000,004031F8), ref: 00403266

Sleep.KERNEL32(00001388), ref: 00409446

Strings

2.2+, xrefs: 00409375
7BCD120D0ACA8AAA, xrefs: 00409391 004093C5 004093F9
0FCA0A7419, xrefs: 004093AB 004093DF 00409413

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 004017B4, Relevance: 7.6, APIs: 4, Instructions: 48

APIs

InitializeCriticalSection.KERNEL32(0040B5B4), ref: 004017CA
RtlEnterCriticalSection.KERNEL32(0040B5B4,00000000,0040186A,?,?,0040204E,?,?,?,?,?,00401A3D,00401C83,00401CA8), ref: 004017DD
LocalAlloc.KERNEL32(00000000,00000FF8), ref: 00401807
RtlLeaveCriticalSection.KERNEL32(0040B5B4,00401871,0040186A,?,?,0040204E,?,?,?,?,?,00401A3D,00401C83,00401CA8), ref: 00401864

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00403E90, Relevance: 5.7, APIs: 3, Instructions: 67

APIs

RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00403EE5
RegSetValueExA.ADVAPI32(?,?,00000000,00000001), ref: 00403F12
RegCloseKey.ADVAPI32(?), ref: 00403F20

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00403108, Relevance: 3.9, APIs: 2, Instructions: 71

APIs

ExitProcess.KERNEL32(?,?,?,?,?,004031EA,0040250F,00402557,?,?,004024AC,?,00000000,0040947A), ref: 004031C2

Part of subcall function 0040307C: GetStdHandle.KERNEL32(000000F5), ref: 004030B5
Part of subcall function 0040307C: WriteFile.KERNEL32(?,Runtime error at 00000000,0000001E,?,00000000), ref: 004030BB
Part of subcall function 0040307C: GetStdHandle.KERNEL32(000000F5), ref: 004030D0
Part of subcall function 0040307C: WriteFile.KERNEL32(?,000000F5,00403104,00000002,?), ref: 004030D6
Part of subcall function 0040307C: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004030F4

FreeLibrary.KERNEL32(0040B634), ref: 0040318D

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Function 00405078, Relevance: 3.7, APIs: 2, Instructions: 20

APIs

SetFileAttributesA.KERNEL32(?,00000006), ref: 0040508A
RtlGetLastWin32Error.KERNEL32(?,?,?,004053C8,00000000,004053E7,?,00000000,0040540C,?,?,?,003BB4D0,0000000B,00000000,00000000), ref: 00405093

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 004012CC, Relevance: 2.5, APIs: 2, Instructions: 37

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 004012FB
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401322

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00405014, Relevance: 1.9, APIs: 1, Instructions: 12

APIs

CreateDirectoryA.KERNEL32(?,00000000), ref: 00405021

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00401460, Relevance: 1.3, APIs: 1, Instructions: 54

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004014CD

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Non-executed Functions

Function 004050A0, Relevance: 17.8, APIs: 10, Instructions: 86

APIs

GetCurrentThread.KERNEL32 ref: 004050B3
OpenThreadToken.ADVAPI32(?,00000008,000000FF,?), ref: 004050B9
GetLastError.KERNEL32 ref: 004050C4
GetCurrentProcess.KERNEL32 ref: 004050D7
OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004050DD
GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 0040510A
CloseHandle.KERNEL32(00000000), ref: 00405116
AllocateAndInitializeSid.ADVAPI32(0040A0A8,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040513E
EqualSid.ADVAPI32(?), ref: 00405157
FreeSid.ADVAPI32(?), ref: 0040516F

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Function 00407D68, Relevance: 13.6, APIs: 9, Instructions: 76

APIs

WSAStartup.WSOCK32(00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DB4
htons.WSOCK32(?,00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DC3
inet_addr.WSOCK32(?,?,00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DD8
socket.WSOCK32(00000002,00000001,00000000,?,?,00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DE9
connect.WSOCK32(?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DFA
send.WSOCK32(?,?,?,00000000,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407E35), ref: 00407E14
Sleep.KERNEL32(00000032), ref: 00407E1B
closesocket.WSOCK32(?,00000032,?,?,?,00000000,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?), ref: 00407E21
WSACleanup.WSOCK32(?,00000032,?,?,?,00000000,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?), ref: 00407E26

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Function 00403B5D, Relevance: 9.0, APIs: 6, Instructions: 41

APIs

Part of subcall function 0040296C: GetKeyboardType.USER32(00000000), ref: 00402971
Part of subcall function 0040296C: GetKeyboardType.USER32(00000001), ref: 0040297D

GetCommandLineA.KERNEL32 ref: 00403BC3

Part of subcall function 004010C4: GetStartupInfoA.KERNEL32 ref: 004010CE

GetVersion.KERNEL32 ref: 00403BD7
GetVersion.KERNEL32 ref: 00403BE8
GetThreadLocale.KERNEL32 ref: 00403C04
GetThreadLocale.KERNEL32 ref: 00403C15

Part of subcall function 00403A94: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007), ref: 00403ABA

GetCurrentThreadId.KERNEL32 ref: 00403C24

Part of subcall function 0040299C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004029BE
Part of subcall function 0040299C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,?), ref: 004029F1
Part of subcall function 0040299C: RegCloseKey.ADVAPI32(?), ref: 00402A07

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00405CB0, Relevance: 8.5, APIs: 3, Strings: 1, Instructions: 50

APIs

DeleteFileA.KERNEL32 ref: 00405CF6
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00405D0B
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00405D1E

Strings

open, xrefs: 00405D17

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Function 00406FB8, Relevance: 46.8, APIs: 9, Strings: 14, Instructions: 181

APIs

WSAStartup.WSOCK32(00000202,?,00000000,0040721F,?,00000000,00407261,?,?,?,?,?,00406E66,00000000,00406E90), ref: 0040701F
socket.WSOCK32(00000002,00000001,00000006,00000202,?,00000000,0040721F,?,00000000,00407261,?,?,?,?,?,00406E66), ref: 0040702A
htons.WSOCK32(00000050,00000002,00000001,00000006,00000202,?,00000000,0040721F,?,00000000,00407261), ref: 0040703D

Part of subcall function 00406D7C: gethostbyname.WSOCK32(?,00000000,00406DED,?,00000000,00406E18), ref: 00406DB8
Part of subcall function 00406D7C: inet_ntoa.WSOCK32(?,?,00000000,00406DED,?,00000000,00406E18), ref: 00406DD4

inet_addr.WSOCK32(?,00000050,00000002,00000001,00000006,00000202,?,00000000,0040721F,?,00000000,00407261), ref: 00407063
connect.WSOCK32(00000000,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000,0040721F,?,00000000,00407261), ref: 0040707B
send.WSOCK32(00000000,?,?,00000000,0040729C,0040729C,Connection: ,00406E66,0040729C,?,Keep-Alive: ,00406E66,0040729C,Referer: ,00406E66,0040729C), ref: 00407195
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,?,00000000,0040729C,0040729C,Connection: ,00406E66,0040729C,?,Keep-Alive: ,00406E66), ref: 004071C6
closesocket.WSOCK32(00000000,00000000,?,00000400,00000000,00000000,?,?,00000000,0040729C,0040729C,Connection: ,00406E66,0040729C,?,Keep-Alive: ), ref: 0040720B
WSACleanup.WSOCK32(00000000,00000000,?,00000400,00000000,00000000,?,?,00000000,0040729C,0040729C,Connection: ,00406E66,0040729C,?,Keep-Alive: ), ref: 00407210

Strings

GET /, xrefs: 00407080
HTTP/1.1, xrefs: 00407088
fn@, xrefs: 00407092
Host: , xrefs: 004070A2
fn@, xrefs: 004070AF
User-Agent: , xrefs: 004070BF
fn@, xrefs: 004070DB
Referer: , xrefs: 004070EB
fn@, xrefs: 00407107
Keep-Alive: , xrefs: 00407117
fn@, xrefs: 0040713F
Connection: , xrefs: 0040714F
fn@, xrefs: 00407170
fn@, xrefs: 00407188

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 0040772C, Relevance: 40.3, APIs: 8, Strings: 12, Instructions: 140

APIs

Part of subcall function 00402704: QueryPerformanceCounter.KERNEL32 ref: 00402708
Part of subcall function 00402704: GetTickCount.KERNEL32 ref: 0040271C

WSAStartup.WSOCK32(00000202,?,00000000,0040796B), ref: 0040778D
socket.WSOCK32(00000002,00000001,00000006,00000202,?,00000000,0040796B), ref: 00407798
htons.WSOCK32(00000050,00000002,00000001,00000006,00000202,?,00000000,0040796B), ref: 004077AA

Part of subcall function 00406D7C: gethostbyname.WSOCK32(?,00000000,00406DED,?,00000000,00406E18), ref: 00406DB8
Part of subcall function 00406D7C: inet_ntoa.WSOCK32(?,?,00000000,00406DED,?,00000000,00406E18), ref: 00406DD4

inet_addr.WSOCK32(?,00000050,00000002,00000001,00000006,00000202,?,00000000,0040796B), ref: 004077D0
connect.WSOCK32(?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000,0040796B), ref: 004077E5
send.WSOCK32(?,?,?,00000000,?,004079A4,004079A4,Connection: ,004079A4,?,Keep-Alive: ,004079A4,?,Content-Length: ,004079A4,Content-Type: application/x-www-form-urlencoded), ref: 00407930
closesocket.WSOCK32(?,?,?,?,00000000,?,004079A4,004079A4,Connection: ,004079A4,?,Keep-Alive: ,004079A4,?,Content-Length: ,004079A4), ref: 00407936
WSACleanup.WSOCK32(?,?,?,?,00000000,?,004079A4,004079A4,Connection: ,004079A4,?,Keep-Alive: ,004079A4,?,Content-Length: ,004079A4), ref: 0040793B

Strings

POST /, xrefs: 004077EA
HTTP/1.1, xrefs: 004077F2
Host: , xrefs: 004077FC
User-Agent: , xrefs: 00407809
Referer: , xrefs: 00407825
Accept: , xrefs: 00407841
Accept-Language: , xrefs: 0040785D
Accept-Encoding: , xrefs: 00407879
Content-Type: application/x-www-form-urlencoded, xrefs: 00407895
Content-Length: , xrefs: 0040789F
Keep-Alive: , xrefs: 004078C2
Connection: , xrefs: 004078EA

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 0040730C, Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 222

APIs

WSAStartup.WSOCK32(?,?,00000000,00407641,?,?,?,?,000000BA,00000000,00000000), ref: 0040735B
socket.WSOCK32(00000002,00000001,00000000,?,?,00000000,00407641,?,?,?,?,000000BA,00000000,00000000), ref: 00407366
htons.WSOCK32(00000050,00000002,00000001,00000000,?,?,00000000,00407641,?,?,?,?,000000BA,00000000,00000000), ref: 00407378

Part of subcall function 00406D7C: gethostbyname.WSOCK32(?,00000000,00406DED,?,00000000,00406E18), ref: 00406DB8
Part of subcall function 00406D7C: inet_ntoa.WSOCK32(?,?,00000000,00406DED,?,00000000,00406E18), ref: 00406DD4

inet_addr.WSOCK32(?,00000050,00000002,00000001,00000000,?,?,00000000,00407641,?,?,?,?,000000BA,00000000,00000000), ref: 004073B6
connect.WSOCK32(?,?,00000010,?,00000050,00000002,00000001,00000000,?,?,00000000,00407641), ref: 004073CB

Part of subcall function 00402704: QueryPerformanceCounter.KERNEL32 ref: 00402708
Part of subcall function 00402704: GetTickCount.KERNEL32 ref: 0040271C

send.WSOCK32(?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?,Host: ,0040769C,User-Agent: ,0040769C, HTTP/1.1), ref: 004074E6
Sleep.KERNEL32(00000200), ref: 00407515
send.WSOCK32(?,?,?,00000000,?,?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?), ref: 00407554
recv.WSOCK32(?,?,00000400,00000000,?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?,Host: ), ref: 00407573
closesocket.WSOCK32(?,?,?,00000400,00000000,?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?), ref: 004075AE
WSACleanup.WSOCK32(?,?,?,00000400,00000000,?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?), ref: 004075B3

Strings

POST /, xrefs: 00407463
HTTP/1.1, xrefs: 0040746B
User-Agent: , xrefs: 00407475
Host: , xrefs: 00407490
Content-Length: , xrefs: 0040749D
Content-Type: application/x-www-form-urlencoded, xrefs: 004074BA
, xrefs: 004074BF 004075BF 004075D9

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00406A98, Relevance: 15.3, Strings: 10, Instructions: 119

Strings

GET /, xrefs: 00406ACD
HTTP/1.1, xrefs: 00406AD5
Host: , xrefs: 00406AEF
Accept: , xrefs: 00406B0C
Accept-Language: , xrefs: 00406B38
Accept-Encoding: , xrefs: 00406B64
User-Agent: , xrefs: 00406B90
Referer: , xrefs: 00406BBC
Keep-Alive: , xrefs: 00406BE8
Connection: , xrefs: 00406C1A

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00407AB4, Relevance: 14.6, APIs: 8, Instructions: 73

APIs

Part of subcall function 00402704: QueryPerformanceCounter.KERNEL32 ref: 00402708
Part of subcall function 00402704: GetTickCount.KERNEL32 ref: 0040271C

WSAStartup.WSOCK32(00000202,?,00000000,00407BB4), ref: 00407AFE
socket.WSOCK32(00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B09
htons.WSOCK32(00000050,00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B1B

Part of subcall function 00406D7C: gethostbyname.WSOCK32(?,00000000,00406DED,?,00000000,00406E18), ref: 00406DB8
Part of subcall function 00406D7C: inet_ntoa.WSOCK32(?,?,00000000,00406DED,?,00000000,00406E18), ref: 00406DD4

inet_addr.WSOCK32(?,00000050,00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B41
connect.WSOCK32(?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B56
send.WSOCK32(?,?,?,00000000,?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B7E
closesocket.WSOCK32(?,?,?,?,00000000,?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000), ref: 00407B84
WSACleanup.WSOCK32(?,?,?,?,00000000,?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000), ref: 00407B89

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00406EB4, Relevance: 14.3, APIs: 8, Instructions: 77

APIs

IcmpCreateFile.ICMP(00000000,00406F85,?,00000000,00406FA7), ref: 00406EE7
WSAStartup.WSOCK32(?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F1A
gethostbyname.WSOCK32(?,?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F28
GetLastError.KERNEL32(?,?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F2F
IcmpSendEcho.ICMP(?,?,?,00000400,00000000,?,0000041C,00001388,?,?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F5C
GetLastError.KERNEL32(?,?,?,00000400,00000000,?,0000041C,00001388,?,?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F61
IcmpCloseHandle.ICMP(?,?,?,?,00000400,00000000,?,0000041C,00001388,?,?,?,00000000,00406F85,?,00000000), ref: 00406F6A
WSACleanup.WSOCK32(?,?,?,?,00000400,00000000,?,0000041C,00001388,?,?,?,00000000,00406F85,?,00000000), ref: 00406F6F

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Function 0040307C, Relevance: 14.2, APIs: 5, Strings: 2, Instructions: 38

APIs

GetStdHandle.KERNEL32(000000F5), ref: 004030B5
WriteFile.KERNEL32(?,Runtime error at 00000000,0000001E,?,00000000), ref: 004030BB
GetStdHandle.KERNEL32(000000F5), ref: 004030D0
WriteFile.KERNEL32(?,000000F5,00403104,00000002,?), ref: 004030D6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004030F4

Strings

Runtime error at 00000000, xrefs: 004030AE 004030ED
Error, xrefs: 004030E8

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Function 004025B8, Relevance: 13.8, APIs: 9, Instructions: 109

APIs

CharNextA.USER32 ref: 004025C3
CharNextA.USER32 ref: 004025EF
CharNextA.USER32 ref: 004025F9
CharNextA.USER32 ref: 00402616
CharNextA.USER32 ref: 00402620
CharNextA.USER32 ref: 00402649
CharNextA.USER32 ref: 00402653
CharNextA.USER32 ref: 00402677
CharNextA.USER32 ref: 00402681

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00407C98, Relevance: 12.5, APIs: 7, Instructions: 62

APIs

WSAStartup.WSOCK32(?,?,00000000,00407D5A), ref: 00407CD4
socket.WSOCK32(00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407CDF
inet_addr.WSOCK32(?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407CF8
htons.WSOCK32(?,?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407D04
sendto.WSOCK32(?,?,00000004,00000000,?,00000010,?,?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407D2F
closesocket.WSOCK32(?,?,?,00000004,00000000,?,00000010,?,?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407D35
WSACleanup.WSOCK32(?,?,?,00000004,00000000,?,00000010,?,?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407D3A

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00407BC0, Relevance: 12.1, APIs: 8, Instructions: 63

APIs

WSAStartup.WSOCK32(00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C01
htons.WSOCK32(?,00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C10
inet_addr.WSOCK32(?,?,00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C25
socket.WSOCK32(00000002,00000001,00000000,?,?,00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C36
connect.WSOCK32(?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C47
Sleep.KERNEL32(00000032), ref: 00407C4E
closesocket.WSOCK32(?,00000032,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407C68,?,00000000), ref: 00407C54
WSACleanup.WSOCK32(?,00000032,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407C68,?,00000000), ref: 00407C59

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 0040299C, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 49

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004029BE
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,?), ref: 004029F1
RegCloseKey.ADVAPI32(?), ref: 00402A07

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 004029B4
FPUMaskValue, xrefs: 004029E8

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Function 00401878, Relevance: 9.1, APIs: 6, Instructions: 62

APIs

EnterCriticalSection.KERNEL32(0040B5B4,00000000,0040194E), ref: 004018A5
LocalFree.KERNEL32(00000000), ref: 004018B7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004018D6
LocalFree.KERNEL32(00000000), ref: 00401915
LeaveCriticalSection.KERNEL32(0040B5B4,00401955,00000000,0040194E), ref: 0040193E
DeleteCriticalSection.KERNEL32(0040B5B4,00401955,00000000,0040194E), ref: 00401948

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Function 0040451C, Relevance: 9.0, Strings: 5, Instructions: 277

Strings

://, xrefs: 00404574 00404705
<<<STR(, xrefs: 004045B9 004045D3 004045F9 0040474A 00404764 0040478A
)STR>>>, xrefs: 004045CB 0040460B 0040475C 0040479C
<<<INT(, xrefs: 00404637 00404655 004046A2 004047C8 004047E6 00404833
)INT>>>, xrefs: 0040466D 004046C6 004047FE 00404857

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Function 00404944, Relevance: 6.3, Strings: 4, Instructions: 142

Strings

<<<STR(, xrefs: 004049A3 004049BD 004049E3
)STR>>>, xrefs: 004049B5 004049F5
<<<INT(, xrefs: 00404A21 00404A3F 00404A8C
)INT>>>, xrefs: 00404A57 00404AB0

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00405720, Relevance: 5.5, Strings: 3, Instructions: 51

Strings

cmFtcmVc, xrefs: 00405763
255, xrefs: 00405766
cmVc, xrefs: 00405773

Memory Dump Source

Source File: 00000000.00000001.659732789.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.659696277.00400000.00000002.sdmp
Associated: 00000000.00000001.659794929.0040A000.00000008.sdmp
Associated: 00000000.00000001.659830724.0040B000.00000004.sdmp
Associated: 00000000.00000001.659879419.0040E000.00000002.sdmp

Function 00407E68, Relevance: 5.0, Strings: 4, Instructions: 40

Strings

|j@, xrefs: 00407E81
<i@, xrefs: 00407E96
8h@, xrefs: 00407EAB
,^@, xrefs: 00407EEA

Memory Dump Source

Source File: 00000000.00000000.659097025.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.659055278.00400000.00000002.sdmp
Associated: 00000000.00000000.659170032.0040A000.00000008.sdmp
Associated: 00000000.00000000.659221616.0040E000.00000002.sdmp

Analysis Process: svchost.exe PID: 336 Parent PID: 1604

Executed Functions

Function 00406FB8, Relevance: 44.8, APIs: 8, Strings: 14, Instructions: 181

APIs

WSAStartup.WSOCK32(00000202,?,00000000,0040721F,?,00000000,00407261,?,?,?,?,?,00406E66,00000000,00406E90), ref: 0040701F
socket.WSOCK32(00000002,00000001,00000006,00000202,?,00000000,0040721F,?,00000000,00407261,?,?,?,?,?,00406E66), ref: 0040702A
htons.WSOCK32(00000050,00000002,00000001,00000006,00000202,?,00000000,0040721F,?,00000000,00407261), ref: 0040703D

Part of subcall function 00406D7C: gethostbyname.WSOCK32(?,00000000,00406DED,?,00000000,00406E18), ref: 00406DB8
Part of subcall function 00406D7C: inet_ntoa.WSOCK32(?,?,00000000,00406DED,?,00000000,00406E18), ref: 00406DD4

inet_addr.WSOCK32(?,00000050,00000002,00000001,00000006,00000202,?,00000000,0040721F,?,00000000,00407261), ref: 00407063
connect.WSOCK32(00000000,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000,0040721F,?,00000000,00407261), ref: 0040707B
send.WSOCK32(00000000,?,?,00000000,0040729C,0040729C,Connection: ,00406E66,0040729C,?,Keep-Alive: ,00406E66,0040729C,Referer: ,00406E66,0040729C), ref: 00407195
71AD2E70.WSOCK32(00000000,?,00000400,00000000,00000000,?,?,00000000,0040729C,0040729C,Connection: ,00406E66,0040729C,?,Keep-Alive: ,00406E66), ref: 004071C6
closesocket.WSOCK32(00000000,00000000,?,00000400,00000000,00000000,?,?,00000000,0040729C,0040729C,Connection: ,00406E66,0040729C,?,Keep-Alive: ), ref: 0040720B

Strings

GET /, xrefs: 00407080
HTTP/1.1, xrefs: 00407088
fn@, xrefs: 00407092
Host: , xrefs: 004070A2
fn@, xrefs: 004070AF
User-Agent: , xrefs: 004070BF
fn@, xrefs: 004070DB
Referer: , xrefs: 004070EB
fn@, xrefs: 00407107
Keep-Alive: , xrefs: 00407117
fn@, xrefs: 0040713F
Connection: , xrefs: 0040714F
fn@, xrefs: 00407170
fn@, xrefs: 00407188

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 004017B4, Relevance: 7.6, APIs: 4, Instructions: 48

APIs

InitializeCriticalSection.KERNEL32(0040B5B4), ref: 004017CA
RtlEnterCriticalSection.KERNEL32(0040B5B4,00000000,0040186A,?,?,0040204E,?,?,?,?,?,00401A3D,00401C83,00401CA8), ref: 004017DD
LocalAlloc.KERNEL32(00000000,00000FF8), ref: 00401807
RtlLeaveCriticalSection.KERNEL32(0040B5B4,00401871,0040186A,?,?,0040204E,?,?,?,?,?,00401A3D,00401C83,00401CA8), ref: 00401864

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00403E90, Relevance: 5.7, APIs: 3, Instructions: 67

APIs

RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00403EE5
RegSetValueExA.ADVAPI32(?,?,00000000,00000001), ref: 00403F12
RegCloseKey.ADVAPI32(?), ref: 00403F20

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00406D7C, Relevance: 4.3, APIs: 2, Instructions: 52

APIs

gethostbyname.WSOCK32(?,00000000,00406DED,?,00000000,00406E18), ref: 00406DB8
inet_ntoa.WSOCK32(?,?,00000000,00406DED,?,00000000,00406E18), ref: 00406DD4

Memory Dump Source

Source File: 00000001.00000001.757878991.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.757850477.00400000.00000002.sdmp
Associated: 00000001.00000001.757958997.0040A000.00000008.sdmp
Associated: 00000001.00000001.757993107.0040B000.00000004.sdmp
Associated: 00000001.00000001.758043636.0040E000.00000002.sdmp

Function 00403230, Relevance: 3.5, APIs: 1, Instructions: 29

APIs

CreateThread.KERNEL32(00000000,00000000,004031F8), ref: 00403266

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 004012CC, Relevance: 2.5, APIs: 2, Instructions: 37

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 004012FB
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401322

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00405014, Relevance: 1.9, APIs: 1, Instructions: 12

APIs

CreateDirectoryA.KERNEL32(?,00000000), ref: 00405021

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00401460, Relevance: 1.3, APIs: 1, Instructions: 54

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004014CD

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00401128, Relevance: 1.3, APIs: 1, Instructions: 34

APIs

LocalAlloc.KERNEL32(00000000,00000644), ref: 0040113B

Memory Dump Source

Source File: 00000001.00000001.757878991.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.757850477.00400000.00000002.sdmp
Associated: 00000001.00000001.757958997.0040A000.00000008.sdmp
Associated: 00000001.00000001.757993107.0040B000.00000004.sdmp
Associated: 00000001.00000001.758043636.0040E000.00000002.sdmp

Non-executed Functions

Function 0040772C, Relevance: 40.3, APIs: 8, Strings: 12, Instructions: 140

APIs

Part of subcall function 00402704: QueryPerformanceCounter.KERNEL32 ref: 00402708
Part of subcall function 00402704: GetTickCount.KERNEL32 ref: 0040271C

WSAStartup.WSOCK32(00000202,?,00000000,0040796B), ref: 0040778D
socket.WSOCK32(00000002,00000001,00000006,00000202,?,00000000,0040796B), ref: 00407798
htons.WSOCK32(00000050,00000002,00000001,00000006,00000202,?,00000000,0040796B), ref: 004077AA

Part of subcall function 00406D7C: gethostbyname.WSOCK32(?,00000000,00406DED,?,00000000,00406E18), ref: 00406DB8
Part of subcall function 00406D7C: inet_ntoa.WSOCK32(?,?,00000000,00406DED,?,00000000,00406E18), ref: 00406DD4

inet_addr.WSOCK32(?,00000050,00000002,00000001,00000006,00000202,?,00000000,0040796B), ref: 004077D0
connect.WSOCK32(?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000,0040796B), ref: 004077E5
send.WSOCK32(?,?,?,00000000,?,004079A4,004079A4,Connection: ,004079A4,?,Keep-Alive: ,004079A4,?,Content-Length: ,004079A4,Content-Type: application/x-www-form-urlencoded), ref: 00407930
closesocket.WSOCK32(?,?,?,?,00000000,?,004079A4,004079A4,Connection: ,004079A4,?,Keep-Alive: ,004079A4,?,Content-Length: ,004079A4), ref: 00407936
WSACleanup.WSOCK32(?,?,?,?,00000000,?,004079A4,004079A4,Connection: ,004079A4,?,Keep-Alive: ,004079A4,?,Content-Length: ,004079A4), ref: 0040793B

Strings

POST /, xrefs: 004077EA
HTTP/1.1, xrefs: 004077F2
Host: , xrefs: 004077FC
User-Agent: , xrefs: 00407809
Referer: , xrefs: 00407825
Accept: , xrefs: 00407841
Accept-Language: , xrefs: 0040785D
Accept-Encoding: , xrefs: 00407879
Content-Type: application/x-www-form-urlencoded, xrefs: 00407895
Content-Length: , xrefs: 0040789F
Keep-Alive: , xrefs: 004078C2
Connection: , xrefs: 004078EA

Memory Dump Source

Source File: 00000001.00000001.757878991.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.757850477.00400000.00000002.sdmp
Associated: 00000001.00000001.757958997.0040A000.00000008.sdmp
Associated: 00000001.00000001.757993107.0040B000.00000004.sdmp
Associated: 00000001.00000001.758043636.0040E000.00000002.sdmp

Function 0040730C, Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 222

APIs

WSAStartup.WSOCK32(?,?,00000000,00407641,?,?,?,?,000000BA,00000000,00000000), ref: 0040735B
socket.WSOCK32(00000002,00000001,00000000,?,?,00000000,00407641,?,?,?,?,000000BA,00000000,00000000), ref: 00407366
htons.WSOCK32(00000050,00000002,00000001,00000000,?,?,00000000,00407641,?,?,?,?,000000BA,00000000,00000000), ref: 00407378

Part of subcall function 00406D7C: gethostbyname.WSOCK32(?,00000000,00406DED,?,00000000,00406E18), ref: 00406DB8
Part of subcall function 00406D7C: inet_ntoa.WSOCK32(?,?,00000000,00406DED,?,00000000,00406E18), ref: 00406DD4

inet_addr.WSOCK32(?,00000050,00000002,00000001,00000000,?,?,00000000,00407641,?,?,?,?,000000BA,00000000,00000000), ref: 004073B6
connect.WSOCK32(?,?,00000010,?,00000050,00000002,00000001,00000000,?,?,00000000,00407641), ref: 004073CB

Part of subcall function 00402704: QueryPerformanceCounter.KERNEL32 ref: 00402708
Part of subcall function 00402704: GetTickCount.KERNEL32 ref: 0040271C

send.WSOCK32(?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?,Host: ,0040769C,User-Agent: ,0040769C, HTTP/1.1), ref: 004074E6
Sleep.KERNEL32(00000200), ref: 00407515
send.WSOCK32(?,?,?,00000000,?,?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?), ref: 00407554
71AD2E70.WSOCK32(?,?,00000400,00000000,?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?,Host: ), ref: 00407573
closesocket.WSOCK32(?,?,?,00000400,00000000,?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?), ref: 004075AE
WSACleanup.WSOCK32(?,?,?,00000400,00000000,?,?,?,00000000,,Content-Type: application/x-www-form-urlencoded,0040769C,?,Content-Length: ,0040769C,?), ref: 004075B3

Strings

POST /, xrefs: 00407463
HTTP/1.1, xrefs: 0040746B
User-Agent: , xrefs: 00407475
Host: , xrefs: 00407490
Content-Length: , xrefs: 0040749D
Content-Type: application/x-www-form-urlencoded, xrefs: 004074BA
, xrefs: 004074BF 004075BF 004075D9

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00405188, Relevance: 24.4, APIs: 3, Strings: 9, Instructions: 196

APIs

Part of subcall function 004050A0: GetCurrentThread.KERNEL32 ref: 004050B3
Part of subcall function 004050A0: OpenThreadToken.ADVAPI32(?,00000008,000000FF,?), ref: 004050B9
Part of subcall function 004050A0: RtlGetLastWin32Error.KERNEL32 ref: 004050C4
Part of subcall function 004050A0: GetCurrentProcess.KERNEL32 ref: 004050D7
Part of subcall function 004050A0: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004050DD
Part of subcall function 004050A0: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 0040510A
Part of subcall function 004050A0: CloseHandle.KERNEL32(00000000), ref: 00405116
Part of subcall function 004050A0: AllocateAndInitializeSid.ADVAPI32(0040A0A8,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040513E
Part of subcall function 004050A0: EqualSid.ADVAPI32(?), ref: 00405157
Part of subcall function 004050A0: FreeSid.ADVAPI32(?), ref: 0040516F

Part of subcall function 004026A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004026C8
Part of subcall function 004026A4: GetCommandLineA.KERNEL32 ref: 004026DA

DeleteFileA.KERNEL32 ref: 0040539B
CopyFileA.KERNEL32(?,?,000000FF), ref: 004053B6

Part of subcall function 00405078: SetFileAttributesA.KERNEL32(?,00000006), ref: 0040508A
Part of subcall function 00405078: RtlGetLastWin32Error.KERNEL32(?,?,?,004053C8,00000000,004053E7,?,00000000,0040540C,?,?,?,003BB4D0,0000000B,00000000,00000000), ref: 00405093

ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 004053D3

Part of subcall function 00403108: FreeLibrary.KERNEL32(0040B634), ref: 0040318D
Part of subcall function 00403108: ExitProcess.KERNEL32(?,?,?,?,?,004031EA,0040250F,00402557,?,?,004024AC,?,00000000,0040947A), ref: 004031C2

Part of subcall function 00405030: GetEnvironmentVariableA.KERNEL32(?,00000000,00000000), ref: 0040504D
Part of subcall function 00405030: GetEnvironmentVariableA.KERNEL32 ref: 0040506C

Part of subcall function 00405014: CreateDirectoryA.KERNEL32(?,00000000), ref: 00405021

Strings

APPDATA, xrefs: 004051CC 0040521B
XG5pZ2h0dXBkYXRlXA==, xrefs: 004051DC 0040522C
c3ZjaG9zdC5leGU=, xrefs: 004051EC
VXBkYXRlU3ZjaG9zdA==, xrefs: 0040525C 00405290 004052D7 0040531E
U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==, xrefs: 0040526D
Oio6RW5hYmxlZDpzdmNob3N0, xrefs: 004052A4 004052EB 00405332
U1lTVEVNXENvbnRyb2xTZXQwMDFcU2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdFw=, xrefs: 004052C3
U1lTVEVNXENvbnRyb2xTZXQwMDJcU2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdFw=, xrefs: 0040530A
U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFNoYXJlZEFjY2Vzc1xQYXJhbWV0ZXJzXEZpcmV3YWxsUG9saWN5XFN0YW5kYXJkUHJvZmlsZVxBdXRob3JpemVkQXBwbGljYXRpb25zXExpc3Rc, xrefs: 00405351

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 004050A0, Relevance: 17.8, APIs: 10, Instructions: 86

APIs

GetCurrentThread.KERNEL32 ref: 004050B3
OpenThreadToken.ADVAPI32(?,00000008,000000FF,?), ref: 004050B9
RtlGetLastWin32Error.KERNEL32 ref: 004050C4
GetCurrentProcess.KERNEL32 ref: 004050D7
OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004050DD
GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 0040510A
CloseHandle.KERNEL32(00000000), ref: 00405116
AllocateAndInitializeSid.ADVAPI32(0040A0A8,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040513E
EqualSid.ADVAPI32(?), ref: 00405157
FreeSid.ADVAPI32(?), ref: 0040516F

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00406A98, Relevance: 15.3, Strings: 10, Instructions: 119

Strings

GET /, xrefs: 00406ACD
HTTP/1.1, xrefs: 00406AD5
Host: , xrefs: 00406AEF
Accept: , xrefs: 00406B0C
Accept-Language: , xrefs: 00406B38
Accept-Encoding: , xrefs: 00406B64
User-Agent: , xrefs: 00406B90
Referer: , xrefs: 00406BBC
Keep-Alive: , xrefs: 00406BE8
Connection: , xrefs: 00406C1A

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00407AB4, Relevance: 14.6, APIs: 8, Instructions: 73

APIs

Part of subcall function 00402704: QueryPerformanceCounter.KERNEL32 ref: 00402708
Part of subcall function 00402704: GetTickCount.KERNEL32 ref: 0040271C

WSAStartup.WSOCK32(00000202,?,00000000,00407BB4), ref: 00407AFE
socket.WSOCK32(00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B09
htons.WSOCK32(00000050,00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B1B

Part of subcall function 00406D7C: gethostbyname.WSOCK32(?,00000000,00406DED,?,00000000,00406E18), ref: 00406DB8
Part of subcall function 00406D7C: inet_ntoa.WSOCK32(?,?,00000000,00406DED,?,00000000,00406E18), ref: 00406DD4

inet_addr.WSOCK32(?,00000050,00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B41
connect.WSOCK32(?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B56
send.WSOCK32(?,?,?,00000000,?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000,00407BB4), ref: 00407B7E
closesocket.WSOCK32(?,?,?,?,00000000,?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000), ref: 00407B84
WSACleanup.WSOCK32(?,?,?,?,00000000,?,?,00000010,?,00000050,00000002,00000001,00000006,00000202,?,00000000), ref: 00407B89

Memory Dump Source

Source File: 00000001.00000001.757878991.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.757850477.00400000.00000002.sdmp
Associated: 00000001.00000001.757958997.0040A000.00000008.sdmp
Associated: 00000001.00000001.757993107.0040B000.00000004.sdmp
Associated: 00000001.00000001.758043636.0040E000.00000002.sdmp

Function 00406EB4, Relevance: 14.3, APIs: 8, Instructions: 77

APIs

76D64D5E.ICMP(00000000,00406F85,?,00000000,00406FA7), ref: 00406EE7
WSAStartup.WSOCK32(?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F1A
gethostbyname.WSOCK32(?,?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F28
RtlGetLastWin32Error.KERNEL32(?,?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F2F
76D64B79.ICMP(?,?,?,00000400,00000000,?,0000041C,00001388,?,?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F5C
RtlGetLastWin32Error.KERNEL32(?,?,?,00000400,00000000,?,0000041C,00001388,?,?,?,00000000,00406F85,?,00000000,00406FA7), ref: 00406F61
76D64D33.ICMP(?,?,?,?,00000400,00000000,?,0000041C,00001388,?,?,?,00000000,00406F85,?,00000000), ref: 00406F6A
WSACleanup.WSOCK32(?,?,?,?,00000400,00000000,?,0000041C,00001388,?,?,?,00000000,00406F85,?,00000000), ref: 00406F6F

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 0040307C, Relevance: 14.2, APIs: 5, Strings: 2, Instructions: 38

APIs

GetStdHandle.KERNEL32(000000F5), ref: 004030B5
WriteFile.KERNEL32(?,Runtime error at 00000000,0000001E,?,00000000), ref: 004030BB
GetStdHandle.KERNEL32(000000F5), ref: 004030D0
WriteFile.KERNEL32(?,000000F5,00403104,00000002,?), ref: 004030D6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004030F4

Strings

Runtime error at 00000000, xrefs: 004030AE 004030ED
Error, xrefs: 004030E8

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 004025B8, Relevance: 13.8, APIs: 9, Instructions: 109

APIs

CharNextA.USER32 ref: 004025C3
CharNextA.USER32 ref: 004025EF
CharNextA.USER32 ref: 004025F9
CharNextA.USER32 ref: 00402616
CharNextA.USER32 ref: 00402620
CharNextA.USER32 ref: 00402649
CharNextA.USER32 ref: 00402653
CharNextA.USER32 ref: 00402677
CharNextA.USER32 ref: 00402681

Memory Dump Source

Source File: 00000001.00000001.757878991.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.757850477.00400000.00000002.sdmp
Associated: 00000001.00000001.757958997.0040A000.00000008.sdmp
Associated: 00000001.00000001.757993107.0040B000.00000004.sdmp
Associated: 00000001.00000001.758043636.0040E000.00000002.sdmp

Function 00407D68, Relevance: 13.6, APIs: 9, Instructions: 76

APIs

WSAStartup.WSOCK32(00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DB4
htons.WSOCK32(?,00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DC3
inet_addr.WSOCK32(?,?,00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DD8
socket.WSOCK32(00000002,00000001,00000000,?,?,00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DE9
connect.WSOCK32(?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407E35,?,00000000,00407E5A), ref: 00407DFA
send.WSOCK32(?,?,?,00000000,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407E35), ref: 00407E14
Sleep.KERNEL32(00000032), ref: 00407E1B
closesocket.WSOCK32(?,00000032,?,?,?,00000000,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?), ref: 00407E21
WSACleanup.WSOCK32(?,00000032,?,?,?,00000000,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?), ref: 00407E26

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00407C98, Relevance: 12.5, APIs: 7, Instructions: 62

APIs

WSAStartup.WSOCK32(?,?,00000000,00407D5A), ref: 00407CD4
socket.WSOCK32(00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407CDF
inet_addr.WSOCK32(?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407CF8
htons.WSOCK32(?,?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407D04
sendto.WSOCK32(?,?,00000004,00000000,?,00000010,?,?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407D2F
closesocket.WSOCK32(?,?,?,00000004,00000000,?,00000010,?,?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407D35
WSACleanup.WSOCK32(?,?,?,00000004,00000000,?,00000010,?,?,00000002,00000002,00000011,?,?,00000000,00407D5A), ref: 00407D3A

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 004092E0, Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 100

APIs

Part of subcall function 00403CF4: GetModuleHandleA.KERNEL32(00000000), ref: 00403D00

Sleep.KERNEL32(00000000), ref: 0040931F
Sleep.KERNEL32(00000000), ref: 0040932E
Sleep.KERNEL32(00000000), ref: 0040933D
Sleep.KERNEL32(000005DC), ref: 0040934A

Part of subcall function 00402704: QueryPerformanceCounter.KERNEL32 ref: 00402708
Part of subcall function 00402704: GetTickCount.KERNEL32 ref: 0040271C

Part of subcall function 00404248: GetVolumeInformationA.KERNEL32(00000000,?,00000100,?,?,?,00000000,00000000), ref: 0040426D

Part of subcall function 00405188: DeleteFileA.KERNEL32 ref: 0040539B
Part of subcall function 00405188: CopyFileA.KERNEL32(?,?,000000FF), ref: 004053B6
Part of subcall function 00405188: ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 004053D3

Part of subcall function 00403230: CreateThread.KERNEL32(00000000,00000000,004031F8), ref: 00403266

Sleep.KERNEL32(00001388), ref: 00409446

Strings

2.2+, xrefs: 00409375
7BCD120D0ACA8AAA, xrefs: 00409391 004093C5 004093F9
0FCA0A7419, xrefs: 004093AB 004093DF 00409413

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00407BC0, Relevance: 12.1, APIs: 8, Instructions: 63

APIs

WSAStartup.WSOCK32(00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C01
htons.WSOCK32(?,00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C10
inet_addr.WSOCK32(?,?,00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C25
socket.WSOCK32(00000002,00000001,00000000,?,?,00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C36
connect.WSOCK32(?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407C68,?,00000000,00407C88), ref: 00407C47
Sleep.KERNEL32(00000032), ref: 00407C4E
closesocket.WSOCK32(?,00000032,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407C68,?,00000000), ref: 00407C54
WSACleanup.WSOCK32(?,00000032,?,?,00000010,00000002,00000001,00000000,?,?,00000202,?,00000000,00407C68,?,00000000), ref: 00407C59

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 0040299C, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 49

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004029BE
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,?), ref: 004029F1
RegCloseKey.ADVAPI32(?), ref: 00402A07

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 004029B4
FPUMaskValue, xrefs: 004029E8

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00401878, Relevance: 9.1, APIs: 6, Instructions: 62

APIs

RtlEnterCriticalSection.KERNEL32(0040B5B4,00000000,0040194E), ref: 004018A5
LocalFree.KERNEL32(00147AC0), ref: 004018B7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004018D6
LocalFree.KERNEL32(00148AC0), ref: 00401915
RtlLeaveCriticalSection.KERNEL32(0040B5B4,00401955,00000000,0040194E), ref: 0040193E
RtlDeleteCriticalSection.KERNEL32(0040B5B4,00401955,00000000,0040194E), ref: 00401948

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00403B5D, Relevance: 9.0, APIs: 6, Instructions: 41

APIs

Part of subcall function 0040296C: GetKeyboardType.USER32(00000000), ref: 00402971
Part of subcall function 0040296C: GetKeyboardType.USER32(00000001), ref: 0040297D

GetCommandLineA.KERNEL32 ref: 00403BC3

Part of subcall function 004010C4: GetStartupInfoA.KERNEL32 ref: 004010CE

GetVersion.KERNEL32 ref: 00403BD7
GetVersion.KERNEL32 ref: 00403BE8
GetThreadLocale.KERNEL32 ref: 00403C04
GetThreadLocale.KERNEL32 ref: 00403C15

Part of subcall function 00403A94: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007), ref: 00403ABA

GetCurrentThreadId.KERNEL32 ref: 00403C24

Part of subcall function 0040299C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004029BE
Part of subcall function 0040299C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,?), ref: 004029F1
Part of subcall function 0040299C: RegCloseKey.ADVAPI32(?), ref: 00402A07

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 0040451C, Relevance: 9.0, Strings: 5, Instructions: 277

Strings

://, xrefs: 00404574 00404705
<<<STR(, xrefs: 004045B9 004045D3 004045F9 0040474A 00404764 0040478A
)STR>>>, xrefs: 004045CB 0040460B 0040475C 0040479C
<<<INT(, xrefs: 00404637 00404655 004046A2 004047C8 004047E6 00404833
)INT>>>, xrefs: 0040466D 004046C6 004047FE 00404857

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00405CB0, Relevance: 8.5, APIs: 3, Strings: 1, Instructions: 50

APIs

DeleteFileA.KERNEL32 ref: 00405CF6
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00405D0B
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00405D1E

Strings

open, xrefs: 00405D17

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00404944, Relevance: 6.3, Strings: 4, Instructions: 142

Strings

<<<STR(, xrefs: 004049A3 004049BD 004049E3
)STR>>>, xrefs: 004049B5 004049F5
<<<INT(, xrefs: 00404A21 00404A3F 00404A8C
)INT>>>, xrefs: 00404A57 00404AB0

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Function 00405720, Relevance: 5.5, Strings: 3, Instructions: 51

Strings

cmFtcmVc, xrefs: 00405763
255, xrefs: 00405766
cmVc, xrefs: 00405773

Memory Dump Source

Source File: 00000001.00000001.757878991.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.757850477.00400000.00000002.sdmp
Associated: 00000001.00000001.757958997.0040A000.00000008.sdmp
Associated: 00000001.00000001.757993107.0040B000.00000004.sdmp
Associated: 00000001.00000001.758043636.0040E000.00000002.sdmp

Function 00407E68, Relevance: 5.0, Strings: 4, Instructions: 40

Strings

|j@, xrefs: 00407E81
<i@, xrefs: 00407E96
8h@, xrefs: 00407EAB
,^@, xrefs: 00407EEA

Memory Dump Source

Source File: 00000001.00000002.1117733820.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1117710516.00400000.00000002.sdmp
Associated: 00000001.00000002.1117777319.0040A000.00000004.sdmp
Associated: 00000001.00000002.1117810551.0040E000.00000002.sdmp

Loading ...

Warning!

Error!

General Information

Signature Overview

DDOS:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Startup

Created / dropped Files

Contacted Domains

Contacted IPs

Static File Info

Static PE Info

Network Behavior

Code Manipulation Behavior

System Behavior

Analysis Process: gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe PID: 1604 Parent PID: 1632

Chronological Activities

Analysis Process: svchost.exe PID: 336 Parent PID: 1604

Chronological Activities

Disassembly

Code Analysis

Analysis Process: gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe PID: 1604 Parent PID: 1632

Analysis Process: svchost.exe PID: 336 Parent PID: 1604