Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	343043
Start time:	19:22:38
Joe Sandbox Product:	Cloud
Start date:	18.08.2017
Overall analysis duration:	0h 22m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	y872ff2.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled JavaScript Instrumentation enabled
Detection:	MAL
Classification:	mal72.rans.winEXE@7/157@0/5
HCA Information:	Successful, ratio: 54% Number of executed functions: 198 Number of non-executed functions: 47
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Sleeps bigger than 20000ms are automatically reduced to 500ms Found application associated with file extension: .exe
Warnings:	Show All Max analysis timeout: 600s exceeded, the analysis took too long Exclude process from analysis (whitelisted): mscorsvw.exe, svchost.exe, VSSVC.exe, WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	72	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for submitted file

Show sources

Source: y872ff2.exe

virustotal: 53/62 detections Avast: Win32:Malware-gen, AVG: Win32:Malware-gen, Avira: TR/Kryptik.vhszc, AegisLab: Ml.Attribute.Gen!c, Paloalto: generic.ml, WhiteArmor: Malware.HighConfidence, Webroot: W32.Trojan.Gen, Qihoo-360: HEUR/QVM19.1.0CCA.Malware.Gen, BitDefender: Trojan.GenericKD.5795255, Emsisoft: Trojan.GenericKD.5795255 (B), MicroWorld-eScan: Trojan.GenericKD.5795255, McAfee-GW-Edition: BehavesLike.Win32.Upatre.jc, Fortinet: W32/Locky.KAD!tr, GData: Trojan.GenericKD.5795255, Sophos: Troj/Locky-XT, ESET-NOD32: a variant of Win32/Kryptik.FVLR, McAfee: RDN/Generic.grp, TrendMicro: Ransom_LOCKY.DLDTATI, SentinelOne: static engine - malicious, Cyren: W32/Trojan.COXI-7304, Symantec: Ransom.TeslaCrypt, CrowdStrike: malicious_confidence_100% (W), ALYac: Trojan.Ransom.LockyCrypt, NANO-Antivirus: Trojan.Win32.Locky.erxitp, Ad-Aware: Trojan.GenericKD.5795255, K7AntiVirus: Trojan ( 005142101 ), AhnLab-V3: Trojan/Win32.Locky.R206757, SUPERAntiSpyware: Ransom.Cerber/Variant, TrendMicro-HouseCall: Ransom_LOCKY.DLDTATI, Micros

Perma Link

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_00415270 GetLastError,CryptAcquireContextA,	0_2_00415270
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_004152E6 GetLastError,CryptAcquireContextA,	0_2_004152E6
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_0040F8A0 CryptReleaseContext,	0_2_0040F8A0
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_0040FB00 CryptDestroyKey,	0_2_0040FB00
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_0040F9B0 CryptGenRandom,GetLastError,	0_2_0040F9B0
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_00415390 GetLastError,CryptImportKey,CryptDestroyKey,	0_2_00415390
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_00419379 CryptReleaseContext,	0_2_00419379
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_0040FB13 CryptDestroyKey,	0_2_0040FB13
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_00416140 CryptDestroyKey,CryptReleaseContext,	0_2_00416140
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_0040FB40 CryptDestroyKey,	0_2_0040FB40
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_0040F91B CryptReleaseContext,	0_2_0040F91B
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_0040F8E0 CryptReleaseContext,	0_2_0040F8E0
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_0040FBE0 CryptEncrypt,GetLastError,	0_2_0040FBE0

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_00415390 GetLastError,CryptImportKey,CryptDestroyKey,

0_2_00415390

Changes the wallpaper picture

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

SystemParametersInfo: C:\Users\user\Desktop\diablo6.bmp

Modifies existing user documents (likey ransomware behavior)

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	File moved: C:\Users\user\Desktop\8886835349.doc
Source: C:\Users\user\Desktop\y872ff2.exe	File moved: C:\Users\user\Desktop\6422942404.doc
Source: C:\Users\user\Desktop\y872ff2.exe	File moved: C:\Users\user\Desktop\8182259827.doc
Source: C:\Users\user\Desktop\y872ff2.exe	File moved: C:\Users\user\Desktop\7245361316.doc

Ransomware detected (based on file extension or ransom instructions from fsrm.experiant.ca)

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-6B211009-EE74B58D24B4.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\DX1KWDRT-SWHS-3N44-9C0BC7B8-77B121E762C4.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\DX1KWDRT-SWHS-3N44-D4C9A525-FE9FDB842CEE.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\DX1KWDRT-SWHS-3N44-FB77D1FC-A0BBFE41800B.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\DX1KWDRT-SWHS-3N44-05FDA6DD-E2799F720F12.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\DX1KWDRT-SWHS-3N44-D3A01F0F-399CD79F7BFC.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\DX1KWDRT-SWHS-3N44-1C882090-6083E68A29BB.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Windows NT\MSScan\DX1KWDRT-SWHS-3N44-372C1AF2-D4441AEE070F.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\DX1KWDRT-SWHS-3N44-6AC76FD6-BBB08AE940F9.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-B83DB32C-1C0DFE7A9282.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-C371AFA4-51C4B3DA2F72.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-B87CE978-D194B11C30AE.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-9151A83B-0185E7CD71CB.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-16B3046D-0389FA1ED436.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-B04A7CB2-D59B70D333C0.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-93667567-48393B93CAC0.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-46E02FDD-46B5BC12EB5E.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-09F35816-50333C6ED5BD.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-C74F384F-830830A8882C.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-09F1FE9E-F31C44B9C3F7.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-CE32DE59-DC2FCFF73B7F.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-9B88FE27-47E8197ADD5D.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-18C21800-53B6850C9144.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-DAA6DAA0-D9831C6EB3CE.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-A56D1C4B-0378A2894EB3.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-ECE40EFA-98EA844AC354.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-9487B013-238CEBB7915A.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-76FD415A-FA3FB51B63C9.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-D19CD156-5CE15E2B8986.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-D5565821-5F42AF8D3FD1.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-77D219A4-9B73FF318262.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-AACAC23A-73246FBF1098.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-2C526F95-7EBB5D7864B7.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-4D1DE250-8C7F87BE0680.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-92E2E88E-4E4E61214CB4.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-E558E0F7-647595672535.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-B5643B6D-9AB60CC7EA87.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-FF67C6F7-A0A40862C1C9.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-0CE45665-F3BC0D684DC8.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-0FAFECF6-9C9177C7B021.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-CE9735D5-714DBCBF6F5D.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-3E2D5E51-BFBE603A9CF8.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-5F583363-28F534B37723.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-A7CA5F86-FE80D29F2EC8.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-4E518D26-7A155DC82EBB.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-86F2C715-9B4E66465305.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-1F0721B1-AB42ECBD9D9E.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-48BF6EC1-442DB5B8A4A0.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\DX1KWDRT-SWHS-3N44-78566B2F-AC2DA5A60F2A.diablo6
Source: C:\Users\user\Desktop\y872ff2.exe	File created: c:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\DX1KWDRT-SWHS-3N44-49DF324C-13BF105BA10F.diablo6

Writes a notice file (html or txt) to demand a ransom

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	File dropped: C:\Users\user\Desktop\diablo6-19ec.htm -> decrypting<span class='nwuanfwnoi'>e</span>of<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>mferbcab</div>your<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>alhdhlr</div>files<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>chaqugrg</div>is<span class='nwuanfwnoi'> </span><font id='dmprfrgn'>only<span class='nwuanfwnoi'> </span>possible<span class='nwuanfwnoi'>d</span>with<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>vjgokvjatm</div>the<span class='nwuanfwnoi'>d</span>private<span class='nwuanfwnoi'>a</span><div class=rikjjikvuzl>nulzeryuk</div>key<span class='nwuanfwnoi'>e</span>and<span class='nwuanfwnoi'>e</span>decrypt<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>ffcjflicw</div>program,<span class='nwuanfwnoi'> </span>which<span class='nwuanfwnoi'>d</span>is<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>uuockchktirn</div>on<span class='nwuanfwnoi'> </span>our<span class='nwuanfwnoi'>b</span><font><div
Source: C:\Users\user\Desktop\y872ff2.exe	File dropped: C:\diablo6-db6f.htm -> decrypting<span class='nwuanfwnoi'>e</span>of<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>mferbcab</div>your<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>alhdhlr</div>files<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>chaqugrg</div>is<span class='nwuanfwnoi'> </span><font id='dmprfrgn'>only<span class='nwuanfwnoi'> </span>possible<span class='nwuanfwnoi'>d</span>with<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>vjgokvjatm</div>the<span class='nwuanfwnoi'>d</span>private<span class='nwuanfwnoi'>a</span><div class=rikjjikvuzl>nulzeryuk</div>key<span class='nwuanfwnoi'>e</span>and<span class='nwuanfwnoi'>e</span>decrypt<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>ffcjflicw</div>program,<span class='nwuanfwnoi'> </span>which<span class='nwuanfwnoi'>d</span>is<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>uuockchktirn</div>on<span class='nwuanfwnoi'> </span>our<span class='nwuanfwnoi'>b</span><font><div class=rikjjikvuzl>e
Source: C:\Users\user\Desktop\y872ff2.exe	File dropped: C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\diablo6-3952.htm -> decrypting<span class='nwuanfwnoi'>e</span>of<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>mferbcab</div>your<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>alhdhlr</div>files<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>chaqugrg</div>is<span class='nwuanfwnoi'> </span><font id='dmprfrgn'>only<span class='nwuanfwnoi'> </span>possible<span class='nwuanfwnoi'>d</span>with<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>vjgokvjatm</div>the<span class='nwuanfwnoi'>d</span>private<span class='nwuanfwnoi'>a</span><div class=rikjjikvuzl>nulzeryuk</div>key<span class='nwuanfwnoi'>e</span>and<span class='nwuanfwnoi'>e</span>decrypt<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>ffcjflicw</div>program,<span class='nwuanfwnoi'> </span>which<span class='nwuanfwnoi'>d</span>is<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>uuockchktirn</div>on<span class='nwuanfwnoi'> </span>our<sp
Source: C:\Users\user\Desktop\y872ff2.exe	File dropped: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\diablo6-6706.htm -> decrypting<span class='nwuanfwnoi'>e</span>of<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>mferbcab</div>your<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>alhdhlr</div>files<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>chaqugrg</div>is<span class='nwuanfwnoi'> </span><font id='dmprfrgn'>only<span class='nwuanfwnoi'> </span>possible<span class='nwuanfwnoi'>d</span>with<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>vjgokvjatm</div>the<span class='nwuanfwnoi'>d</span>private<span class='nwuanfwnoi'>a</span><div class=rikjjikvuzl>nulzeryuk</div>key<span class='nwuanfwnoi'>e</span>and<span class='nwuanfwnoi'>e</span>decrypt<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>ffcjflicw</div>program,<span class='nwuanfwnoi'> </span>which<span class='nwuanfwnoi'>d</span>is<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>uuockchktirn</div>on<span class='nwuanfwnoi'> </span>our<sp
Source: C:\Users\user\Desktop\y872ff2.exe	File dropped: C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\diablo6-83a4.htm -> decrypting<span class='nwuanfwnoi'>e</span>of<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>mferbcab</div>your<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>alhdhlr</div>files<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>chaqugrg</div>is<span class='nwuanfwnoi'> </span><font id='dmprfrgn'>only<span class='nwuanfwnoi'> </span>possible<span class='nwuanfwnoi'>d</span>with<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>vjgokvjatm</div>the<span class='nwuanfwnoi'>d</span>private<span class='nwuanfwnoi'>a</span><div class=rikjjikvuzl>nulzeryuk</div>key<span class='nwuanfwnoi'>e</span>and<span class='nwuanfwnoi'>e</span>decrypt<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>ffcjflicw</div>program,<span class='nwuanfwnoi'> </span>which<span class='nwuanfwnoi'>d</span>is<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>uuockchktirn</div>on<span class='nwuanfwnoi'> </span>our<sp
Source: C:\Users\user\Desktop\y872ff2.exe	File dropped: C:\Users\Default\diablo6-1193.htm -> decrypting<span class='nwuanfwnoi'>e</span>of<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>mferbcab</div>your<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>alhdhlr</div>files<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>chaqugrg</div>is<span class='nwuanfwnoi'> </span><font id='dmprfrgn'>only<span class='nwuanfwnoi'> </span>possible<span class='nwuanfwnoi'>d</span>with<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>vjgokvjatm</div>the<span class='nwuanfwnoi'>d</span>private<span class='nwuanfwnoi'>a</span><div class=rikjjikvuzl>nulzeryuk</div>key<span class='nwuanfwnoi'>e</span>and<span class='nwuanfwnoi'>e</span>decrypt<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>ffcjflicw</div>program,<span class='nwuanfwnoi'> </span>which<span class='nwuanfwnoi'>d</span>is<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>uuockchktirn</div>on<span class='nwuanfwnoi'> </span>our<span class='nwuanfwnoi'>b</span><font><div class
Source: C:\Users\user\Desktop\y872ff2.exe	File dropped: C:\Users\user\Desktop\diablo6.htm -> decrypting<span class='nwuanfwnoi'>e</span>of<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>mferbcab</div>your<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>alhdhlr</div>files<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>chaqugrg</div>is<span class='nwuanfwnoi'> </span><font id='dmprfrgn'>only<span class='nwuanfwnoi'> </span>possible<span class='nwuanfwnoi'>d</span>with<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>vjgokvjatm</div>the<span class='nwuanfwnoi'>d</span>private<span class='nwuanfwnoi'>a</span><div class=rikjjikvuzl>nulzeryuk</div>key<span class='nwuanfwnoi'>e</span>and<span class='nwuanfwnoi'>e</span>decrypt<span class='nwuanfwnoi'> </span><div class=rikjjikvuzl>ffcjflicw</div>program,<span class='nwuanfwnoi'> </span>which<span class='nwuanfwnoi'>d</span>is<span class='nwuanfwnoi'>e</span><div class=rikjjikvuzl>uuockchktirn</div>on<span class='nwuanfwnoi'> </span>our<span class='nwuanfwnoi'>b</span><font><div class

Networking:

Downloads files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GNNUVO51\favicon[1].ico

Found strings which match to known social media urls

Show sources

Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</F equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.fr.search.yahoo.com/os?market=fr&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.hk.search.yahoo.com/os?market=hk&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.id.search.yahoo.com/os?market=id&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.in.search.yahoo.com/os?market=in&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.it.search.yahoo.com/os?market=it&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.mx.search.yahoo.com/os?market=mx&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.my.search.yahoo.com/os?market=my&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.nz.search.yahoo.com/os?market=nz&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.ph.search.yahoo.com/os?market=ph&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.sg.search.yahoo.c0 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.sg.search.yahoo.com/os?market=sg&appid=ie8&command= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.sg.search.yahoo.com/os?market=sg&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.th.search.yahoo.com/os?market=th&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.tw.search.yahoo.com/os?market=tw&^ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.tw.search.yahoo.com/os?market=tw&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.uk.search.yahoo.com/os?market=uk&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://sugg-ie.vn.search.yahoo.com/os?market=vn&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://fr.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://fr.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://fr.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://hk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://hk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://hk.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://hk.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://hk.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://id.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://id.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://id.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://in.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://in.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://in.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://in.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://it.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://it.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://it.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://it.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://kr.search.yahoo.com/ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://kr.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://kr.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://kr.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://kr.searchcenter.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://malaysia.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://malaysia.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://malaysia.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://malaysia.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://mx.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://mx.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://mx.search.yahoo.com/search?p={sea equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://mx.search.yahoo.com/search?p={seac equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://mx.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://mx.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://mx.search.yahoo.com/search?p={seax equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://nz.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://nz.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://nz.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://ph.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://ph.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://ph.search.yahoo.com/search?p={ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://ph.search.yahoo.com/search?p={searchTerm equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://ph.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://ph.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://sg.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://sg.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://sg.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://sg.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://th.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://th.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://tw.search.yahoo.com/se equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searct equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&pk equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://tw.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://tw.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://uk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://uk.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://uk.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://vn.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://vn.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe	String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: iexplore.exe	String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: .th.search.yahoo.com/os?market=th&appid=ie8&command={searchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: .yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: /search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: 3http://sugg-ie.vn.search.yahoo.com/os?market=vn&appid=ie8&command={searchTerms}ght={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market=zh-cnENTSS&pc=MICB39V&U equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: </SearchProviderUpgradeList>.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: iexplore.exe	String found in binary or memory: L>http://sugg-ie.ph.search.yahoo.com/os?market equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ar.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ar.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ar.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ar.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ar.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://au.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://au.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://au.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://au.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://au.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ca.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ca.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ca.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ca.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ca.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://cf.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://cl.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://cl.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://cl.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://co.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://co.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://co.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://id.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://id.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://id.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ie.search.yahoo.com/os?appid=ie8&command={SearchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://kr.searchcenter.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://malaysia.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://malaysia.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://malaysia.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://malaysia.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://mx.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://mx.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://mx.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://mx.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://nz.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://nz.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://nz.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://pe.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://pe.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://pe.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ph.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ph.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ph.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ph.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://qc.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://qc.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://qc.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ru.search.yahoo.com equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.cn.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/favicon.ico equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ie8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=yie7 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=yie7c equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=yie8ms equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms}</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.ar.search.yahoo.com/os?market=ar&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.au.search.yahoo.com/os?market=au&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.ca.search.yahoo.com/os?market=ca&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.de.search.yahoo.com/os?market=de&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.e1.search.yahoo.com/os?market=e1&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.es.search.yahoo.com/os?market=es&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.fr.search.yahoo.com/os?market=fr&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.hk.search.yahoo.com/os?market=hk&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.id.search.yahoo.com/os?market=id&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.in.search.yahoo.com/os?market=in&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.it.search.yahoo.com/os?market=it&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.mx.search.yahoo.com/os?market=mx&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.my.search.yahoo.com/os?market=my&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.nz.search.yahoo.com/os?market=nz&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.ph.search.yahoo.com/os?market=ph&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.qc.search.yahoo.com/os?market=qc&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.sg.search.yahoo.com/os?market=sg&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.th.search.yahoo.com/os?market=th&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.tw.search.yahoo.com/os?market=tw&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.uk.search.yahoo.com/os?market=uk&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.vn.search.yahoo.com/os?market=vn&appid=ie8&command={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://th.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://th.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p={searchTerms} equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ve.search.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ve.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://ve.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://vn.search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://vn.search.yahoo.com/search?p={searchTerms}&type= equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: search.yahoo equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: th.search.yahoo.com/search?p={searchTerms}&type=</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: yahoo.com/search?p={searchTerms}&fr=chr-ty equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: {0633EE93-D776-472f-A0FF-E1416B8B2E3A}ms}&src=IE-SearchBox&FORM=IENTTRsearch.yahoo equals www.yahoo.com (Yahoo)

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /checkupdate HTTP/1.1Accept: */*Accept-Language: en-usReferer: http://83.217.8.61/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 83.217.8.61Content-Length: 602Connection: Keep-Alive

Urls found in memory or binary data

Show sources

Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/appdata/local/microsoft/windows/temporary%20internet%20files/content.ie5
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/6422942404.doc
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/7245361316.doc
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/8182259827.doc
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/8182259827.doc8
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/8886835349.doc
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/8886835349.docd
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/8886835349.doclmem
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.bmp
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htm
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htm%20-%20internet%20explorermf
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htm&
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htm6
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htm6.htm
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htm7
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmad
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmb
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htme
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htme-topresult&form=ie11tr
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmet
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmg
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmgd
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmld
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmo
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmows
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmp
Source: y872ff2.exe, iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htms
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmy
Source: iexplore.exe	String found in binary or memory: file:///c:/users/user/desktop/diablo6.htmz
Source: iexplore.exe	String found in binary or memory: http://
Source: iexplore.exe	String found in binary or memory: http://%s.com
Source: iexplore.exe	String found in binary or memory: http://amazon.fr/
Source: iexplore.exe	String found in binary or memory: http://api.bing.com/qsml.aspx?query=
Source: iexplore.exe	String found in binary or memory: http://ar.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://ar.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://ar.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://ar.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://ariadna.elmundo.es/
Source: iexplore.exe	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://arianna.libero.it/
Source: iexplore.exe	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://asp.usatoday.com/
Source: iexplore.exe	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://au.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://au.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://au.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://au.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://auone.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://auto.search.msn.com/response.asp?mt=
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://browse.guardian.co.uk/
Source: iexplore.exe	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://busca.buscape.com.br/
Source: iexplore.exe	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://busca.igbusca.com.br/
Source: iexplore.exe	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://busca.orange.es/
Source: iexplore.exe	String found in binary or memory: http://busca.uol.com.br/
Source: iexplore.exe	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://buscador.lycos.es/
Source: iexplore.exe	String found in binary or memory: http://buscador.terra.com.br/
Source: iexplore.exe	String found in binary or memory: http://buscador.terra.com/
Source: iexplore.exe	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://buscador.terra.es/
Source: iexplore.exe	String found in binary or memory: http://buscar.ozu.es/
Source: iexplore.exe	String found in binary or memory: http://buscar.ya.com/
Source: iexplore.exe	String found in binary or memory: http://busqueda.aol.com.mx/
Source: iexplore.exe	String found in binary or memory: http://ca.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://ca.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://ca.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://ca.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://cdp1.public-trust.com/crl/omniroot2025.crl0
Source: iexplore.exe	String found in binary or memory: http://cerca.lycos.it/
Source: iexplore.exe	String found in binary or memory: http://cf.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: iexplore.exe	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://cl.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://cl.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: iexplore.exe	String found in binary or memory: http://cn.bing.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://cn.bing.com/search?q=
Source: iexplore.exe	String found in binary or memory: http://cnet.search.com/
Source: iexplore.exe	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://co.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://co.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://corp.naukri.com/
Source: iexplore.exe	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: iexplore.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: iexplore.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: iexplore.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: iexplore.exe	String found in binary or memory: http://crl.microsoft
Source: iexplore.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: iexplore.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: iexplore.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: iexplore.exe	String found in binary or memory: http://crl3.digicert.com/omniroot2025.crl0=
Source: iexplore.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: iexplore.exe	String found in binary or memory: http://cs.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://cs.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://cs.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: iexplore.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://de.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://de.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://de.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/wiki/advanced_encrypt:
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/wiki/advanced_encryption_standard
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/wiki/rsa_(crypto
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/wiki/rsa_(cryptosystem)
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/wiki/rsa_(cryptosystem)5
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/wiki/rsa_(cryptosystem)gk
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/wiki/rsa_(cryptosystem)zk
Source: iexplore.exe	String found in binary or memory: http://es.ask.com/
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://es.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://es.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://es.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://espn.go.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://find.joins.com/
Source: iexplore.exe	String found in binary or memory: http://fontfabrik.comq
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://fr.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://fr.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://fr.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://google.pchome.com.tw/
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://hk.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://home.altervista.org/
Source: iexplore.exe	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://id.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://id.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://ie.search.yahoo.com/os?appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: iexplore.exe	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: iexplore.exe	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: iexplore.exe	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: iexplore.exe	String found in binary or memory: http://images.monster.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: iexplore.exe	String found in binary or memory: http://in.search
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://in.searchsnie8&pc=msnie8&s
Source: iexplore.exe	String found in binary or memory: http://it.search.dada.net/
Source: iexplore.exe	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://it.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://it.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://it.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://ja.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://ja.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://ja.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://kr.searchcenter.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://list.taobao.com/
Source: iexplore.exe	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: iexplore.exe	String found in binary or memory: http://livesearch.msn.co.kr/
Source: iexplore.exe	String found in binary or memory: http://livesearch.msn.co.kr/my
Source: iexplore.exe	String found in binary or memory: http://livesearch.msn.co.kr/u
Source: iexplore.exe	String found in binary or memory: http://mail.live.com/
Source: iexplore.exe	String found in binary or memory: http://mail.live.com/?rru=compose%3fsubject%3d
Source: iexplore.exe	String found in binary or memory: http://malaysia.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://malaysia.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://malaysia.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://malaysia.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://malaysia.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://msk.afisha.ru/
Source: iexplore.exe	String found in binary or memory: http://mx.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://mx.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://mx.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://mx.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://mx.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://nl.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://nl.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://nl.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://nz.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://nz.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: iexplore.exe	String found in binary or memory: http://ocsp.digicert.com0:
Source: iexplore.exe	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/omniroot2025.crls
Source: iexplore.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: iexplore.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: iexplore.exe	String found in binary or memory: http://ocsp.msocsp.com0
Source: iexplore.exe	String found in binary or memory: http://ocsp.msocsp.com0=
Source: iexplore.exe	String found in binary or memory: http://ocsp.omniroot.com/baltimoreroot0
Source: iexplore.exe	String found in binary or memory: http://ocsp.omniroot.com/baltimoreroothttp://cdp1.public-trust.com/crl/omniroot2025.crl
Source: iexplore.exe	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exe	String found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exe	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://pe.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://pe.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://ph.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://ph.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://ph.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://ph.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://ph.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://pl.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://pl.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://pl.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://price.ru/
Source: iexplore.exe	String found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://pt.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://pt.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://pt.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://qc.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://qc.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exe	String found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exe	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://rover.ebay.com
Source: iexplore.exe	String found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exe	String found in binary or memory: http://ru.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://ru.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://ru.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://sads.myspace.com/
Source: iexplore.exe	String found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exe	String found in binary or memory: http://search.about.com/
Source: iexplore.exe	String found in binary or memory: http://search.alice.it/
Source: iexplore.exe	String found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exe	String found in binary or memory: http://search.aol.com/
Source: iexplore.exe	String found in binary or memory: http://search.aol.in/
Source: iexplore.exe	String found in binary or memory: http://search.atlas.cz/
Source: iexplore.exe	String found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exe	String found in binary or memory: http://search.auone.jp/
Source: iexplore.exe	String found in binary or memory: http://search.books.com.tw/
Source: iexplore.exe	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.centrum.cz/
Source: iexplore.exe	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.chol.com/
Source: iexplore.exe	String found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://search.daum.net/
Source: iexplore.exe	String found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exe	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.com/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.ebay.de/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.es/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.fr/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.in/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.it/
Source: iexplore.exe	String found in binary or memory: http://search.empas.com/
Source: iexplore.exe	String found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.espn.go.com/
Source: iexplore.exe	String found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exe	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exe	String found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exe	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.hanafos.com/
Source: iexplore.exe	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.interpark.com/
Source: iexplore.exe	String found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exe	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?form=iefm1&q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?form=iefm1&q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?form=so2tdf&q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?form=so2tdf&q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?form=soltdf&q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?form=soltdf&q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&form=as5er
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&form=as6hd
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&form=cbpwhd
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&form=ie7box&src=%7breferrer:source?%7dn
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&form=ie7re&src=%7breferrer:source?%7dw
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&form=ie8src&src=%7breferrer:source%7d
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&form=msnie7&src=%7breferrer:source?%7di
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&mkt=%7blanguage%7d&form=ie8src&src=%7breferr
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&src=%7breferrer:source?%7d
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&src=%7breferrer:source?%7d&form=ie8src
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=%7bsearchterms%7d&src=ie-searchbox&form=ie8srcu
Source: iexplore.exe	String found in binary or memory: http://search.livedoor.com/
Source: iexplore.exe	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exe	String found in binary or memory: http://search.lycos.com/
Source: iexplore.exe	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=%7bsearchterms%7d&form=as5hd
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=%7bsearchterms%7d&form=as6hd
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=%7bsearchterms%7d&form=cbpw
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=%7bsearchterms%7d&form=as5hd
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=%7bsearchterms%7d&form=as6hd
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=%7bsearchterms%7d&form=cbpw
Source: iexplore.exe	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.msn.com/results.aspx?q=%7bsearchterms%7d&form=as5l
Source: iexplore.exe	String found in binary or memory: http://search.msn.com/results.aspx?q=%7bsearchterms%7d&form=as6
Source: iexplore.exe	String found in binary or memory: http://search.msn.com/results.aspx?q=%7bsearchterms%7d&form=cbpw
Source: iexplore.exe	String found in binary or memory: http://search.nate.com/
Source: iexplore.exe	String found in binary or memory: http://search.naver.com/
Source: iexplore.exe	String found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.nifty.com/
Source: iexplore.exe	String found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exe	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.rediff.com/
Source: iexplore.exe	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.seznam.cz/
Source: iexplore.exe	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.sify.com/
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.co.jp
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://search.yahooapis.jp/assistsearchservice/v2/webassistsearch?output=iejson&p=
Source: iexplore.exe	String found in binary or memory: http://search.yam.com/
Source: iexplore.exe	String found in binary or memory: http://search1.taobao.com/
Source: iexplore.exe	String found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe	String found in binary or memory: http://searchresults.news.com.au/
Source: iexplore.exe	String found in binary or memory: http://searcp
Source: iexplore.exe	String found in binary or memory: http://service2.bfast.com/
Source: iexplore.exe	String found in binary or memory: http://sg.search.yaho
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://sg.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://si.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://si.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://si.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: iexplore.exe	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe	String found in binary or memory: http://suche.aol.de/
Source: iexplore.exe	String found in binary or memory: http://suche.freenet.de/
Source: iexplore.exe	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://suche.lycos.de/
Source: iexplore.exe	String found in binary or memory: http://suche.t-online.de/
Source: iexplore.exe	String found in binary or memory: http://suche.web.de/
Source: iexplore.exe	String found in binary or memory: http://suche.web.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://sug
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.ar.search.yahoo.com/os?market=ar&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.au.search.yahoo.com/os?market=au&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.ca.search.yahoo.com/os?market=ca&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.de.search.yahoo.com/os?market=de&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.e1.search.yahoo.com/os?market=e1&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.es.search.yahoo.com/os?market=es&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.fr.search.yahoo.com/os?market=fr&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.fr.search.yahoo.com/os?market=fr&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.hk.search.yahoo.com/os?market=hk&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.hk.search.yahoo.com/os?market=hk&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.id.search.yahoo.com/os?market=id&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.id.search.yahoo.com/os?market=id&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.in.search.yahoo.com/os?market=in&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.in.search.yahoo.com/os?market=in&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.it.search.yahoo.com/os?market=it&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.it.search.yahoo.com/os?market=it&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.mx.search.yahoo.com/os?market=mx&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.mx.search.yahoo.com/os?market=mx&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.my.search.yahoo.com/os?market=my&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.my.search.yahoo.com/os?market=my&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.nz.search.yahoo.com/os?market=nz&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.nz.search.yahoo.com/os?market=nz&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.ph.search.yahoo.com/os?market
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.ph.search.yahoo.com/os?market=ph&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.ph.search.yahoo.com/os?market=ph&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.qc.search.yahoo.com/os?market=qc&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.sg.search.yahoo.c0
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.sg.search.yahoo.com/os?market=sg&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.sg.search.yahoo.com/os?market=sg&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.th.search.yahoo.com/os?market=th&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.th.search.yahoo.com/os?market=th&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.tw.search.yahoo.com/os?market=tw&
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.tw.search.yahoo.com/os?market=tw&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.tw.search.yahoo.com/os?market=tw&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.uk.search.yahoo.com/os?market=uk&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.uk.search.yahoo.com/os?market=uk&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.vn.search.yahoo.com/os?market=vn&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://sugg-ie.vn.search.yahoo.com/os?market=vn&appid=ie8&command=
Source: iexplore.exe	String found in binary or memory: http://th.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://treyresearch.net
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/se
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?ei=utf-8&fr=yie8ms&pk
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://udn.com/
Source: iexplore.exe	String found in binary or memory: http://udn.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://uk.ask.com/
Source: iexplore.exe	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/search?ei=utf-8&fr=yie7c&p=
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/search?ei=utf-8&fr=yie8ms&p=
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://vachercher.lycos.fr/
Source: iexplore.exe	String found in binary or memory: http://ve.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://ve.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://video.globo.com/
Source: iexplore.exe	String found in binary or memory: http://video.globo.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://vn.search.yahoo.com/search?p=
Source: iexplore.exe	String found in binary or memory: http://web.ask.com/
Source: iexplore.exe	String found in binary or memory: http://ww
Source: iexplore.exe	String found in binary or memory: http://www.%s.com
Source: iexplore.exe	String found in binary or memory: http://www.abril.com.br/
Source: iexplore.exe	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.afisha.ru/app_themes/default/images/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.alarabiya.net/
Source: iexplore.exe	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.amazon.co.jp/
Source: iexplore.exe	String found in binary or memory: http://www.amazon.co.uk/
Source: iexplore.exe	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: iexplore.exe	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.amazon.com/gp/search?ie=utf8&tag=ie8search-20&index=blended&linkcode=qs&c
Source: iexplore.exe	String found in binary or memory: http://www.amazon.de/
Source: iexplore.exe	String found in binary or memory: http://www.aol.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.arrakis.com/
Source: iexplore.exe	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ascendercorp.com/
Source: iexplore.exe	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: iexplore.exe	String found in binary or memory: http://www.asharqalawsat.com/
Source: iexplore.exe	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ask.com/
Source: iexplore.exe	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: iexplore.exe	String found in binary or memory: http://www.baidu.com/
Source: iexplore.exe	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.bethmardutho.org.p
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/favicon.icoarchterms
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/favicon.icoh1
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/favicon.icoorer
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/maps/
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/maps/default.aspx
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/maps/geotager.aspx
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/safety/warning
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/search?q=
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/search?q=%7bsearchterms%7d&form=ie8src
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/search?q=%7bsearchterms%7d&src=ie-searchbox&form=ie11sr
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/search?q=%7bsearchterms%7d&src=ie-searchbox&form=ie8src
Source: iexplore.exe	String found in binary or memory: http://www.c-and-g.co.jp
Source: iexplore.exe	String found in binary or memory: http://www.cdiscount.com/
Source: iexplore.exe	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ceneo.pl/
Source: iexplore.exe	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: iexplore.exe	String found in binary or memory: http://www.cjmall.com/
Source: iexplore.exe	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.cnet.co.uk/
Source: iexplore.exe	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.dailymail.co.uk/
Source: iexplore.exe	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: iexplore.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: iexplore.exe	String found in binary or memory: http://www.etmall.com.tw/
Source: iexplore.exe	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.excite.co.jp/
Source: iexplore.exe	String found in binary or memory: http://www.expedia.com/
Source: iexplore.exe	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.fontbureau.com
Source: iexplore.exe	String found in binary or memory: http://www.fontbureau.com/designers
Source: iexplore.exe	String found in binary or memory: http://www.fontbureau.com/designers/
Source: iexplore.exe	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmln
Source: iexplore.exe	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: iexplore.exe	String found in binary or memory: http://www.fonts.com
Source: iexplore.exe	String found in binary or memory: http://www.founder.com.cn/cn
Source: iexplore.exe	String found in binary or memory: http://www.founder.com.cn/cn/
Source: iexplore.exe	String found in binary or memory: http://www.galapagosdesign.com/
Source: iexplore.exe	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: iexplore.exe	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.gmarket.co.kr/
Source: iexplore.exe	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.google.co.in/
Source: iexplore.exe	String found in binary or memory: http://www.google.co.jp/
Source: iexplore.exe	String found in binary or memory: http://www.google.co.uk/
Source: iexplore.exe	String found in binary or memory: http://www.google.com.br/
Source: iexplore.exe	String found in binary or memory: http://www.google.com.sa/
Source: iexplore.exe	String found in binary or memory: http://www.google.com.tw/
Source: iexplore.exe	String found in binary or memory: http://www.google.com/
Source: iexplore.exe	String found in binary or memory: http://www.google.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.google.cz/
Source: iexplore.exe	String found in binary or memory: http://www.google.de/
Source: iexplore.exe	String found in binary or memory: http://www.google.es/
Source: iexplore.exe	String found in binary or memory: http://www.google.fr/
Source: iexplore.exe	String found in binary or memory: http://www.google.it/
Source: iexplore.exe	String found in binary or memory: http://www.google.pl/
Source: iexplore.exe	String found in binary or memory: http://www.google.ru/
Source: iexplore.exe	String found in binary or memory: http://www.google.si/
Source: iexplore.exe	String found in binary or memory: http://www.iask.com/
Source: iexplore.exe	String found in binary or memory: http://www.iask.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.kkbox.com.tw/
Source: iexplore.exe	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: iexplore.exe	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.mercadolivre.com.br/
Source: iexplore.exe	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.merlin.com.pl/
Source: iexplore.exe	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/?ref=ie8activity
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/bv.aspx?ref=ie8activity&a=
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/bvprev.aspx?ref=ie8activity
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/default.aspx?ref=ie8activity
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/defaultprev.aspx?ref=ie8activity
Source: iexplore.exe	String found in binary or memory: http://www.mtv.com/
Source: iexplore.exe	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.najdi.si/
Source: iexplore.exe	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.nate.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: iexplore.exe	String found in binary or memory: http://www.neckermann.de/
Source: iexplore.exe	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.orange.fr/
Source: iexplore.exe	String found in binary or memory: http://www.otto.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ozon.ru/
Source: iexplore.exe	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.paginasamarillas.es/
Source: iexplore.exe	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.priceminister.com/
Source: iexplore.exe	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: iexplore.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: iexplore.exe	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.rambler.ru/
Source: iexplore.exe	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.recherche.aol.fr/
Source: iexplore.exe	String found in binary or memory: http://www.rtl.de/
Source: iexplore.exe	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.sakkal.com
Source: iexplore.exe	String found in binary or memory: http://www.sandoll.co.kr
Source: iexplore.exe	String found in binary or memory: http://www.servicios.clarin.com/
Source: iexplore.exe	String found in binary or memory: http://www.shopzilla.com/
Source: iexplore.exe	String found in binary or memory: http://www.sify.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.sogou.com/
Source: iexplore.exe	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.soso.com/
Source: iexplore.exe	String found in binary or memory: http://www.soso.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.taobao.com/
Source: iexplore.exe	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.target.com/
Source: iexplore.exe	String found in binary or memory: http://www.target.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.tchibo.de/
Source: iexplore.exe	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.tesco.com/
Source: iexplore.exe	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.tiro.com;copyright
Source: iexplore.exe	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.typography.netd
Source: iexplore.exe	String found in binary or memory: http://www.univision.com/
Source: iexplore.exe	String found in binary or memory: http://www.univision.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.urwpp.de
Source: iexplore.exe	String found in binary or memory: http://www.usertrust.com1
Source: iexplore.exe	String found in binary or memory: http://www.walmart.com/
Source: iexplore.exe	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.weather.com/
Source: iexplore.exe	String found in binary or memory: http://www.weather.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ya.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.yam.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.yandex.ru/
Source: iexplore.exe	String found in binary or memory: http://www.yandex.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.zhongyicts.com.cn
Source: iexplore.exe	String found in binary or memory: http://www3.fnac.com/
Source: iexplore.exe	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?service=awsecommerceservice&version=2008-06-26&operation
Source: iexplore.exe	String found in binary or memory: http://yellowpages.superpages.com/
Source: iexplore.exe	String found in binary or memory: http://yellowpages.superpages.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://z.about.com/m/a08.ico
Source: iexplore.exe	String found in binary or memory: https://
Source: iexplore.exe	String found in binary or memory: https://en.wikipedia.org/wiki/xslt/muenchian_grouping
Source: iexplore.exe	String found in binary or memory: https://example.com
Source: iexplore.exe	String found in binary or memory: https://secure.comodo.com/cps0
Source: iexplore.exe	String found in binary or memory: https://support.google.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: https://www.digicert.com/cps0
Source: iexplore.exe	String found in binary or memory: https://www.example.com.
Source: iexplore.exe	String found in binary or memory: https://www.torproject.org/download/download-easy.html

Social media urls found in memory data

Show sources

Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/favicon.ico

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.1.16:49191 -> 83.217.8.61:80
Source: Traffic	Snort IDS: 2023576 ET TROJAN Locky CnC Checkin Dec 5 M1 192.168.1.16:49191 -> 83.217.8.61:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.1.16:49192 -> 31.202.130.9:80
Source: Traffic	Snort IDS: 2023576 ET TROJAN Locky CnC Checkin Dec 5 M1 192.168.1.16:49192 -> 31.202.130.9:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.1.16:49193 -> 91.234.35.106:80
Source: Traffic	Snort IDS: 2023576 ET TROJAN Locky CnC Checkin Dec 5 M1 192.168.1.16:49193 -> 91.234.35.106:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.1.16:49194 -> 83.217.8.61:80
Source: Traffic	Snort IDS: 2023576 ET TROJAN Locky CnC Checkin Dec 5 M1 192.168.1.16:49194 -> 83.217.8.61:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.1.16:49195 -> 31.202.130.9:80
Source: Traffic	Snort IDS: 2023576 ET TROJAN Locky CnC Checkin Dec 5 M1 192.168.1.16:49195 -> 31.202.130.9:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.1.16:49196 -> 91.234.35.106:80
Source: Traffic	Snort IDS: 2023576 ET TROJAN Locky CnC Checkin Dec 5 M1 192.168.1.16:49196 -> 91.234.35.106:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.1.16:49197 -> 83.217.8.61:80
Source: Traffic	Snort IDS: 2023576 ET TROJAN Locky CnC Checkin Dec 5 M1 192.168.1.16:49197 -> 83.217.8.61:80

Stealing of Sensitive Information:

Searches for user specific document files

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	Key value created or modified: C:\Users\Default\Documents
Source: C:\Users\user\Desktop\y872ff2.exe	Key value created or modified: C:\Users\Default\Documents
Source: C:\Users\user\Desktop\y872ff2.exe	Key value created or modified: C:\Users\user\Documents
Source: C:\Users\user\Desktop\y872ff2.exe	Key value created or modified: C:\Users\user\Documents
Source: C:\Users\user\Desktop\y872ff2.exe	Key value created or modified: C:\Users\Public\Documents
Source: C:\Users\user\Desktop\y872ff2.exe	Key value created or modified: C:\Users\Public\Documents

Data Obfuscation:

Binary may include packed or encrypted code

Show sources

Source: initial sample

Static PE information: section name: .rdata entropy: 7.90630231924

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_004079B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004079B0

PE file contains sections with non-standard names

Show sources

Source: y872ff2.exe

Static PE information: section name: .dec

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_004029AB push ecx; ret	0_2_004029BB
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_00404705 push ecx; ret	0_2_00404718
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_00401408 push eax; ret	0_2_00401426
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_1_00405CA2 push eax; mov dword ptr [esp], ebp	0_1_00405CA3

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_0042D950 FindFirstFileW,FindClose,

0_2_0042D950

System Summary:

Reads internet explorer settings

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Key opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

PE file contains a debug data directory

Show sources

Source: y872ff2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Show sources

Source:

Binary string: gefas.pdb source: y872ff2.exe

Classification label

Show sources

Source: classification engine

Classification label: mal72.rans.winEXE@7/157@0/5

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_0040C879 CoCreateInstance,

0_2_0040C879

Creates files inside the program directory

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

File created: c:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-6B211009-EE74B58D24B4.diablo6

Creates files inside the user directory

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

File created: c:\Users\user\Desktop\diablo6-19ec.htm

Creates temporary files

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

File created: C:\Users\LUKETA~1\AppData\Local\Temp\sys3FA5.tmp

Reads ini files

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

File read: C:\Users\user\Desktop\desktop.ini

Reads software policies

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Sample is known by Antivirus (Virustotal or Metascan)

Show sources

Source: y872ff2.exe

Virustotal: hash found

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\y872ff2.exe 'C:\Users\user\Desktop\y872ff2.exe'
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\diablo6.htm
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C del /Q /F 'C:\Users\LUKETA~1\AppData\Local\Temp\sys3FA5.tmp'
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1836 CREDAT:275457 /prefetch:2
Source: C:\Users\user\Desktop\y872ff2.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\diablo6.htm
Source: C:\Users\user\Desktop\y872ff2.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C del /Q /F 'C:\Users\LUKETA~1\AppData\Local\Temp\sys3FA5.tmp'
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1836 CREDAT:275457 /prefetch:2

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{573bdf38-df23-427f-acb8-a67abd702698}\InprocServer32

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	Code function: String function: 00407982 appears 1074 times
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: String function: 00476210 appears 34 times
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: String function: 0040B955 appears 170 times
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: String function: 004182F0 appears 42 times

Reads the hosts file

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

File read: C:\Windows\System32\drivers\etc\hosts

Sample file is different than original file name gathered from version info

Show sources

Source: y872ff2.exe	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: OriginalFilenameodbcint.dll.muij% vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: OriginalFilenamePhotoVieP vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: OriginalFilenamempr.dll.muij% vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: OriginalFilenamevsstrace.dll.muij% vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: OriginalFilenamewship6.dll.muij% vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: originalfilename vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: OriginalFilenameKernelbasej% vs y872ff2.exe
Source: y872ff2.exe	Binary or memory string: System.OriginalFileName vs y872ff2.exe

Tries to load missing DLLs

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Section loaded: gfcms.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_0041968E SetSecurityDescriptorDacl,

0_2_0041968E

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_00419762 AllocateAndInitializeSid,

0_2_00419762

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: iexplore.exe	Binary or memory string: Progman
Source: iexplore.exe	Binary or memory string: Program Manager
Source: iexplore.exe	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_00405F08 SetUnhandledExceptionFilter,	0_2_00405F08
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_00403A6C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00403A6C
Source: C:\Users\user\Desktop\y872ff2.exe	Code function: 0_2_00405393 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00405393

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_00403A6C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00403A6C

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_004079B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004079B0

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_0042D950 FindFirstFileW,FindClose,

0_2_0042D950

Program exit points

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	API call chain: ExitProcess graph end node	graph_0-30023
Source: C:\Users\user\Desktop\y872ff2.exe	API call chain: ExitProcess graph end node	graph_0-30208
Source: C:\Users\user\Desktop\y872ff2.exe	API call chain: ExitProcess graph end node	graph_0-30024
Source: C:\Users\user\Desktop\y872ff2.exe	API call chain: ExitProcess graph end node	graph_0-30221
Source: C:\Users\user\Desktop\y872ff2.exe	API call chain: ExitProcess graph end node	graph_0-30229
Source: C:\Users\user\Desktop\y872ff2.exe	API call chain: ExitProcess graph end node	graph_0-30236
Source: C:\Users\user\Desktop\y872ff2.exe	API call chain: ExitProcess graph end node	graph_0-30220
Source: C:\Users\user\Desktop\y872ff2.exe	API call chain: ExitProcess graph end node	graph_0-30218
Source: C:\Users\user\Desktop\y872ff2.exe	API call chain: ExitProcess graph end node	graph_0-30219

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Thread delayed: delay time: 36000

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe TID: 3540	Thread sleep time: -36000s >= -60s
Source: C:\Users\user\Desktop\y872ff2.exe TID: 2228	Thread sleep time: -240000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y872ff2.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_00413B0B GetSystemTimeAsFileTime,

0_2_00413B0B

Contains functionality to query windows version

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: 0_2_00421A68 GetVersionExA,

0_2_00421A68

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\user\Desktop\y872ff2.exe

Code function: GetUserDefaultUILanguage,GetLocaleInfoA,

0_2_0042EB20

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Antivirus Detection

Initial Sample

Source	Ratio	Cloud	Link
y872ff2.exe	53/62	virustotal	Browse

Dropped Files

Source	Ratio	Cloud	Link
21253908F3CB05D51B1C2DA8B681A7850	0/58	virustotal	Browse
37C951188967C8EB88D99893D9D191FE0	0/58	virustotal	Browse

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
StekKazanLLC	BN8B1.exe	8bf110d38b3084d065f975da641fd0ae2ae672f607e6c30cf5544699770dc905	malicious	Browse	83.217.11.130
	BN8B1.exe	8bf110d38b3084d065f975da641fd0ae2ae672f607e6c30cf5544699770dc905	malicious	Browse	83.217.11.130
	BN8B1.exe	8bf110d38b3084d065f975da641fd0ae2ae672f607e6c30cf5544699770dc905	malicious	Browse	83.217.11.130
	BN8B1.exe	8bf110d38b3084d065f975da641fd0ae2ae672f607e6c30cf5544699770dc905	malicious	Browse	83.217.11.130
	BN8B1.exe	8bf110d38b3084d065f975da641fd0ae2ae672f607e6c30cf5544699770dc905	malicious	Browse	83.217.11.130
	BN8B1.exe	8bf110d38b3084d065f975da641fd0ae2ae672f607e6c30cf5544699770dc905	malicious	Browse	83.217.11.130

Dropped Files

No context

Screenshot

Startup

system is w7_1

y872ff2.exe (PID: 3536 cmdline: 'C:\Users\user\Desktop\y872ff2.exe' MD5: 544BC1C6ECD95D89D96B5E75C3121FEA)

iexplore.exe (PID: 1836 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\diablo6.htm MD5: EE79D654A04333F566DF07EBDE217928)

iexplore.exe (PID: 2428 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1836 CREDAT:275457 /prefetch:2 MD5: EE79D654A04333F566DF07EBDE217928)

cmd.exe (PID: 2436 cmdline: cmd.exe /C del /Q /F 'C:\Users\LUKETA~1\AppData\Local\Temp\sys3FA5.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Created / dropped Files

Download Dropped Binaries:	Dropped Binaries

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
File Type:	data
MD5:	BA89B186C0ECD494CFD1EB60CB511C51
SHA1:	7807D906D4F4AE7BAD96EC21B831E9E7D1E6AE79
SHA-256:	31FC8153A535AF607FAD5DAAD18C5E0ADA2FAF6E260BF579ED5D7BFE9A27B46E
SHA-512:	A1BF074ACEDC2F15392E31126DE1BEBB3B613B18B148FD562AD04A67892105B187CFE6A3D8DB7772EC34A3D1DFB92577D3602D4BB9EB75794BF9D388E9695CEB
Malicious:	false

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	E7BC172073A171041925EC5D68B444E1
SHA1:	B4F262040BAA45787C0AD8A4B6A70BD11D4487DB
SHA-256:	C19E4DBB25D537149642347BA9B2729FF99BF8257C8825518F24E01105758097
SHA-512:	7B93DB4DD0CE87259BEECBC9925629DE0830ECE46D7EEB374EDBE2809A730DCF633207791A19D7E0CE688165E1CE2384E9320AA475E7DAB930F1086C8F7AB2BA
Malicious:	false

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
File Type:	data
MD5:	47D5C976686C3DDD1877615C61997269
SHA1:	733C30A50C9B5DD363EEA0201C0D2D603A8383E0
SHA-256:	1E392D3B3C281C783B9066D05430083D227620419B00B06C9AFC4AE21ECC7A97
SHA-512:	37702ABFA13D45A9160177A516C225FF764DCBA5A3D2CFB20728672097DACDAE20CE11C7DFFE3872B5B9E9267CE138568B3576E361B6697D29E6B835748BD3B2
Malicious:	false

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	0A6FFAD17105740E803BE443270E6FAF
SHA1:	7B778A23FF9ACB966B3DDD133CD68C555F8868E7
SHA-256:	33AA6207B2847F34E2744176BF1C8EED00349B380CCB0FFD28921A9A7CD86370
SHA-512:	7379054F3E9E33D2CCD862207F841E0E044888187783257386BAAA540B5DB6B80EF104BE19036B3D1B0FBB02BF5F6E8BC669D60F1D0BCA9AA8C5AC2A889AF4A6
Malicious:	false

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\diablo6-3952.htm
File Type:	HTML document text
MD5:	EC563F69B71DF7252FD520FB710F4874
SHA1:	AD67F2F19D6B91483114A5BB70617629FD0F782D
SHA-256:	833E6DB3750DD83A2BE5B4D2997B8EE3D841ED5A31942E52F67C269481AD7F7A
SHA-512:	D272C5D7BF308264EC4C84805CF971C813F22A45803420F9374E8C5566819B00C839C6D1145C6156E5D4EBAAB93B41CA706097B3234F4708C8188C2CDE00561C
Malicious:	true

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
File Type:	data
MD5:	F1238B5CE9880A7165DF185A9C363B93
SHA1:	99E8FF99EDE8C4C9D7060E62548B1F9A1FB8C5D2
SHA-256:	87216075331096BE225AB0054F1CA0EBD05022739C2BE18F216B1CE2F986CEA6
SHA-512:	CC5A1FA5B03C42C0705FCB48E3930FEADD0D9B482F7339A2C5402ED66FBA954B038BE96548DA724C2DA57EA9A88D6044F5AE42B660F3C93BEB3B8AF7420C0708
Malicious:	false

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	722DDFEC94DE010A856C21EDAEEDB0BF
SHA1:	B96CF0B82DEA525F9D2672417DE4A20D6DB1CFB5
SHA-256:	A5EA5DE821E6F1769FE30BD8223184B86BD2FDC7D65BFAA6C1FD095265556BFD
SHA-512:	8FF1B2D8B10EC3F321D5B5E9AE0B0616B00E9C1A4490FDE11BEC36589194B2CD35FA6FB1634F4F05F579079B3897CF21D8C60E31EF2C078FBD59993F6F06D97C
Malicious:	false

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\diablo6-6706.htm
File Type:	HTML document text
MD5:	EC563F69B71DF7252FD520FB710F4874
SHA1:	AD67F2F19D6B91483114A5BB70617629FD0F782D
SHA-256:	833E6DB3750DD83A2BE5B4D2997B8EE3D841ED5A31942E52F67C269481AD7F7A
SHA-512:	D272C5D7BF308264EC4C84805CF971C813F22A45803420F9374E8C5566819B00C839C6D1145C6156E5D4EBAAB93B41CA706097B3234F4708C8188C2CDE00561C
Malicious:	true

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
File Type:	data
MD5:	CB734B37F2665E73DDFFA712EAEF93F9
SHA1:	9FDDCEA2B84277FAC2511D537E1F0338F046269B
SHA-256:	0254766237120E599B4C971C8C00340977822EAFE42BD474FFB7482F4F0CF5BE
SHA-512:	644E3CB5620F45FA4F8C0DB9A8A60726C0D2C630FB3229F5F2627681659BF08BC19258FE84AE68A8FF13B683D854D0CA24731C8F0E08C675A3B48C1F66030B16
Malicious:	false

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	F164E5F26FF0FB1700EE8FFFE09FE3BD
SHA1:	FF3BBA87B1FE31AE05A4632E5FE027F406F71EB4
SHA-256:	0AB3004382704008B1B932C65009E56AA6770B636E944C6C1EC8B9841B860EF8
SHA-512:	6C541DB154929114AE25AA54F7059BF59755CC00A7CA0B91FC323480423F356B8A683CA1F0C85B2BA061C586192EBA7702992254C8A45880BF645AF8D3643572
Malicious:	false

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\diablo6-83a4.htm
File Type:	HTML document text
MD5:	EC563F69B71DF7252FD520FB710F4874
SHA1:	AD67F2F19D6B91483114A5BB70617629FD0F782D
SHA-256:	833E6DB3750DD83A2BE5B4D2997B8EE3D841ED5A31942E52F67C269481AD7F7A
SHA-512:	D272C5D7BF308264EC4C84805CF971C813F22A45803420F9374E8C5566819B00C839C6D1145C6156E5D4EBAAB93B41CA706097B3234F4708C8188C2CDE00561C
Malicious:	true

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	4C50B2C984A44EBDBB0CF831E76A02F6
SHA1:	9B06D0A68DA1FF1EA9D19A23694C367AD92A54C4
SHA-256:	AA6A17F118FDA06BDAF67E8365AA45A1FB0BB5ED687336F1DFD039BACAA0B731
SHA-512:	F17CCA788CDA1E554EE00AA4B1A48386C79C84520F5456E60C5F9639E202E9D4F52C9BD3C06E5B98F20FA3E14841A1F1EDF809A1DD3A18F409FBD87902C0D3C5
Malicious:	false

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
File Type:	data
MD5:	E1890B0FEC2F0426F8B02653BB271975
SHA1:	9E234822FAF6951DF846C6BB1C1090ADAF842FBA
SHA-256:	0A51434D002C10CC122760DC9EE878B61879DA5A35DD600AB573DF92B249F396
SHA-512:	E5D26DE7B5910C80C3F20CC2A9797982BE507A201E50F94CDC1F804810EB7B6E83F3B8340EC2F2F19310158071F47239A0D0E86B325C2A692CD8B80839596A45
Malicious:	false

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
File Type:	data
MD5:	57E78AF4EEDEF5BDB5648DFFDD7BB549
SHA1:	C7F2E1CB819F43E757658EC80D8A54AE68821813
SHA-256:	6D288BFFC64B208B6D9A6D204EC11748063A4BF0124E9FB0EF761454C5911619
SHA-512:	D03D16FF9BB3591D5C19DF958D7CB89D085991B48E391CFB46F1F5C179B443287941C37A90952B85EC22562E29A6AE15B828342CB5E3E4139FD9C1323A5BF743
Malicious:	false

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
File Type:	data
MD5:	CF7FD535FB443FA5FA14AEB07153D086
SHA1:	D879D2323106A7FD53B612402F3DF63FD3250764
SHA-256:	2646DE691C22CE2107B83B3729DF48791C7340D2A8D7579C728A7E420484D265
SHA-512:	0490FDCAB4B6304F09245555DF7A74594B4076FF01690D1A1F243F8F0A170314F0B9BF27E86CD2DB96ADA0EE17D4A9C165DC45B898A0DC1860F91F309A50973F
Malicious:	false

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
File Type:	data
MD5:	C709C66E0C2E9F01856C3999F57F7832
SHA1:	4FB92CB0C87D417DABCAFF963DFD3B59602595BB
SHA-256:	ECE8B9427D2798D437AAD4B355BE3978F9BF14956CE26CA9C9CAF6A60FEEA522
SHA-512:	0A98CCFEB255523773EEDFC65075AC5F9D7D278ED4EC809179DA00073A0C8E69F9F8C7F4F78927920808E6F70B7B06F5C433EDE0FCD8635A438BD03254852817
Malicious:	false

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
File Type:	data
MD5:	71128299DF45E970C25E1B5B995B7019
SHA1:	B0C08A739981A7EB6EDEF172A2EDFE3B5FBF2124
SHA-256:	08B00B10B7B5612C6C124C6E993C3228EFD402D0570C4CB034A5727321F61956
SHA-512:	5C4BF5D6E052D47A3659CF6A84D579ECC2FC8CE39F967A68AA235EB9F1090D222037940402A6EEA1219A03CBC8E64021166568AC04780D5501144576FA9C5394
Malicious:	false

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	3041D1997F286A030317D89FA0D9A58D
SHA1:	485C9B6A7BA6D4654BDC2FF4B1E4D2F78727B11F
SHA-256:	16179E5CE98DB30659AEE3AF08F254C721AE64FB1E85462F9526BB8E7794164C
SHA-512:	28B9F31B9129D8FA9BF8D6289B472206B4C08AD375F43A98680F7D66F9E087366341BDA117C24514E3A4AF8CBE5B344F9650BBB31A821F018DBF893CEEFB9C18
Malicious:	false

C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.xml
File Type:	data
MD5:	2F5BC38DEF5282D7D156D44417582D4F
SHA1:	9DDF7288F7F7DB448353AFC11191C658AA743B31
SHA-256:	AD9A575248F44B14D702CDACEE733989A2BBF3ADF72954D2017033DC315F5772
SHA-512:	321D8AC3C6C72EC1BFC0BBADCA95557D60291B59679A95101A2F445D06FA25FBA9F627F51EF41570150B97DA45D3C1A73C0879A54C748CDCD7FE75E3FC0322BB
Malicious:	false

C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	1F14F3060B6AAC5B3C6D92A57E6C5ED2
SHA1:	89A98EADEF6E02658C0C2D0F58BB14A056C88F73
SHA-256:	5AC66268A959ED571736AC86971F3EC208325136DE9DD53FC9D2B431BCD16549
SHA-512:	0428DD4FE9F38C1021E3AEF460D66321E2C256E8578001B8F265528812F9446CBF0E229AFE8B4BB84B9E8B7B29EFCBB20873D0CE8A1CEECE44D3A0710108480C
Malicious:	false

C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.xml
File Type:	data
MD5:	D01EAC9A113A46BA6EC06951EC8C3B31
SHA1:	D247F86DDA44952EEFE08D75F5D81EAB5E2A794D
SHA-256:	BF11C82A729E31ACFCDA1DE2883C14CBDAB89536CE2FA3B1B5AF1149A2DDE169
SHA-512:	D218ECBDB6EF7DF052971CECA8D18FD132804049A19147213F0CF07FCFE7C0051A0C329C9A0CCE26856C3DDCF8491560207F683FA4C04A28ACED20E531C10900
Malicious:	false

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml
File Type:	data
MD5:	F2D9D7C7DB3B61AE3F2F9789F06F5EE3
SHA1:	A9830AD12EAA5DC89E3E2A94A65037E3B536BE76
SHA-256:	5DCCD742E9E7E2C12E722120BB40FC40F90FCA2017D793C8CF79FCC1B0DC4EFC
SHA-512:	422ED1E3ACDC94105D7BB535EF44C6D3F52224C6E46F72ED84386CBDAA13C3ADE7A6D1159E4D25CE3BB5C63BF8EF8B8A0E4A0106546382E49079CF496E530BE6
Malicious:	false

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	EB43F871466118E8776DE883C4F0CB22
SHA1:	B97ABCEEE41F4131E57F9EF1936DFFEFEFAEC8B4
SHA-256:	F5BDE9CE914507BE6DD4664BC99653CC7C90C91460345BA82A72AEEC3BB2D5B3
SHA-512:	E865278C86911BD5E73750A0E43A5ED36C81076FF363BB7C03F994ECCC021274F3043396780552B9D2FF386FDF80BDEB97E6C20013318A7129DD58A3E5D2520D
Malicious:	false

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
File Type:	data
MD5:	40993DD682C71ED426DE89E42B26C9F5
SHA1:	874B02C9301827FD9DA569A3AC16D48FA722083C
SHA-256:	62AF9B739E6EA66864471CA0308F7C932D7548283723F4736E32F180C1845EC9
SHA-512:	2928C1AD10E299E85EE51771C15CDD130FA7B1DBD2D9EF4EE5AEF5888DAAFC114268CE6CA9B69ADF1E72671A801B5E830C2D7C4C70C611AD05AED484852BD4A0
Malicious:	false

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
File Type:	data
MD5:	7A59930EE790A8C9230ECC3580F328C7
SHA1:	2674706F7F2209AA839603C5831C3D8028E2CA0B
SHA-256:	5A3D97F1CB00891074BD3F4CCBD33CFA32D0007D74D547F7861BB3E3F3410C10
SHA-512:	61F0A3E0B039CACE72CE83FD63B953FEDBAA956B2F1B5B0CE2CC9B6A4F38E946D253CAC929B320758648F47AD5FF4BBCF1BC616FC2B190041C187B3480781A64
Malicious:	false

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	9924A9F9AF78C3D8EA3DE8781AD15CDB
SHA1:	4EDA6B1F244CB59CF68617C9753416F3B6B25BD6
SHA-256:	217E548A3F264C50D7E7B9AF46115A9F896425D11283F671D26F76A7F89CA38A
SHA-512:	5C5F4F2E96119993BD96F40F9CB120458A8CE9F32563B3671F9AF14350919B9B462CC79B3EB6F969620486487F59160756720FF8B88CEB354DF558E62D315258
Malicious:	false

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml
File Type:	data
MD5:	4CA741FB6B343EA391C569F8D91977B7
SHA1:	74F5C9E1FEAB2C6B1A1761FCEDB45454A069E918
SHA-256:	8CC158F41550D10474DEB2AE4EBF0A36156A14D8BFFC5A800AE6BDAB3B1B3DB9
SHA-512:	0DCDB782331DDAA58A74BE2B2909AE3395BB994CA8040A7B59EB32D7941728ADCFBFC8FF13174DE9017A532C03F12B076F85B876911012B290F44C9728320D23
Malicious:	false

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml
File Type:	data
MD5:	823597AFAB2F5FEA958CDC2CC7D26133
SHA1:	464F9D5375EDA09FD30A05C9FD6B75361AA42CC5
SHA-256:	417F4EF3FEE8FAFEA5684F63AFD72AA1326C70C787044318F9F639686BA8571E
SHA-512:	A55D67F20F70147D88E9FD89E04A753B9ED6D8DB2F6942B05E2C159DAC7F40E699D839E309F8A88A23FFC42B223A4C8F4DCA6B0B2340A3A3CA14B5645A40DE6D
Malicious:	false

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml
File Type:	DBase 3 data file (1060900829 records)
MD5:	5C82B6116A8906A48152A026296C8D54
SHA1:	9F37B2D204FEAC79F7F800B3B36E031E913B73C4
SHA-256:	B73503F4F0B95F106B3FE507F457663F9EF6CE1AA904E6A5BAAC0BC570D649E5
SHA-512:	5C293AE5337ADD1C9E3DDBEB03AD020103A7842D1C481A5F8BF2094F90FE010415DDD76C315C3B382E59B0463308E3B92B9090AC7C5F7FFD7658E760FBBFF0CD
Malicious:	false

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml
File Type:	data
MD5:	E67D6B392B027E0730324F312885ED1E
SHA1:	6EC8A23E7B88936A5D4F4C9F51E84ECF0DBEEFD0
SHA-256:	7C03DA2EC1C3D26BA35408B2931B7CEEDE1DE7EA340F33CBA70CC97734EFF0DA
SHA-512:	B32763DB1ED1915DB14C3EDF470BD92FA2278048EF30F328E45DFA350B5406C880A99FD1794D98FC381220709615BD4692E16B31D650FB6810F470C1D7A95C05
Malicious:	false

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml
File Type:	data
MD5:	412CB8A4632DFE6E7424090ABF4E8044
SHA1:	2319722530796864A5957ABC58DA4F04C3D8A38A
SHA-256:	64AA4A9C467B7C3D6D8A0AB5BF68B5EBD9194CD712D673BBF29ABB0705DBB45A
SHA-512:	74982731BDA296B836233818B26A8089D7211F40DFE080535F8A29038BF40A2AA829B659B1508102489A035462B63AEB73AF90556A44DE525D4A4244F1EB6792
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-1F0721B1-AB42ECBD9D9E.diablo6
File Type:	data
MD5:	1BA9A30AA0553D8185CCCC7FF4EFEBFD
SHA1:	3E8C90A828048C3C59EB1EA7300EBDE3F84C4F2C
SHA-256:	40CD1BF6BAF69B53A31FD3811D3BA39B4BEE4D022F5B428C8709271077A50077
SHA-512:	CDCA5EDC1AAF322D40AF9766E33E49643E8A0F2F8E4D9EDB415BD4066487F8410BF7DDD303BE5B40053A8A8CE2EA128956FDE05EA7909B3397F4719EDF9C7355
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-48BF6EC1-442DB5B8A4A0.diablo6
File Type:	data
MD5:	D34D23EB8073E4F3D0F549367306BB86
SHA1:	5A9AD85B0C64140E364C1D17A822A25A9CA28608
SHA-256:	9591592CEB70054AFDA41C7C2FBDB7202E06B5DA3386E9DFE353FCB34E5242DC
SHA-512:	40DEF288256E2E7F8CDD19BA3DC0E7CAADC072DAC75EE52A79CC80EC439032246931CF34DA2E97F2128ADADA453DE6E78719034286F975EF338F3246B0C3852F
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-4E518D26-7A155DC82EBB.diablo6
File Type:	data
MD5:	64329F09E5CBDE771063D96E3F1C1B6C
SHA1:	2BE786490129C824161A5B389F38BFEBE5934743
SHA-256:	C9ADE9FAD6CA5F56FB1FBB2295FCD419F1AD0429C04E7FF7B46E2CD6FC38C3D7
SHA-512:	8E975623DA304E2415135BFB529AAEC3036B4FF521E8E5E40FB77741006FC91F4F089E92A284916C8B0484CB0090C8D4310E2EEF61C7E597FE10E9FB73B37794
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-6B211009-EE74B58D24B4.diablo6
File Type:	data
MD5:	45B9CEAA95B018D96B2B9B41C5CB4379
SHA1:	C254F371180E831122EE4CE48974CF887D8FAF8F
SHA-256:	93470575310198140E5ED94C3343488D5949203C32564C062F49EBF90F00C2BA
SHA-512:	2D189DCD77207CE165D5ADDF069BD9484086257BB226E9F9E4961C9506C2BC35F4EEFDC56CD4077755B116065731C278337AD582A158641083A8B54689F9C0DB
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-86F2C715-9B4E66465305.diablo6
File Type:	data
MD5:	F7F5ED2A66F5C585676F93CD49433688
SHA1:	F1D17F3DEA35D9065735FECC50FB607AB5A68278
SHA-256:	6A8149CC233F75FA1D2331D1A1332E60A56066A0D937765A85F724C22D6EB3FE
SHA-512:	91277D811CCC6CEEA3FB4760F1BE4010C9E1D790A0A37A279218631358BD7615E136D2939B59A59880FD3CD76D21BA6F496A4F215DA9769F2BBB949C02D0B100
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\DX1KWDRT-SWHS-3N44-49DF324C-13BF105BA10F.diablo6
File Type:	data
MD5:	DB436BFF6EC4E30BC17A3646D4946E24
SHA1:	2FF9B4118C8B466DC3E52D2211DFDCE8EC697B87
SHA-256:	84B233E89C0A8E81AF6BFD5F57D3A2CB7F9087786EB03411B9272766FE0F9209
SHA-512:	91D9E341124D506737E1F0B154444E372646A2332D8A60020D7DA3755879889E7BA9636B75E0D06FEA027FCB053EAF89496446BC003F5D8211A52A0FA6D8FD4D
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\DX1KWDRT-SWHS-3N44-78566B2F-AC2DA5A60F2A.diablo6
File Type:	data
MD5:	341F76290D2D2DE3EC35430A35EFA919
SHA1:	DF74C7E78FA4E5BEFDEA6EDACB81BCF531B69FB2
SHA-256:	3DDD2C0639E5173A429537D05E2E1E79B5A67FDD0FA4DBA4ED63A8F09268B92C
SHA-512:	6AEA31D3ACD7E7159328B8F7EE57DE2D4B4E83BC089F7B2D60022EDE67B313A5C609658F1FE99CAC1CCC9643C8640EBAE3D754C5607E3E99680535457648CD8B
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\DX1KWDRT-SWHS-3N44-9C0BC7B8-77B121E762C4.diablo6
File Type:	data
MD5:	DD0F223BC65F99886012CF5708379A4E
SHA1:	BFAF17C206802755BD6C6869CD2C77AFEDD1BB43
SHA-256:	B4657BF0A69460044F27ECF4A42874E074721926E7B35166F8508390DF0DBE80
SHA-512:	306E8C4BE41003D0AB1A40E1B15FA95E1EB2BB44D1256D88094219D1E9F544A9A5C36D2754D850ACC1C6C478A8750FEBBF196F3A01D2D75466D8319ED3ADC86B
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\DX1KWDRT-SWHS-3N44-05FDA6DD-E2799F720F12.diablo6
File Type:	data
MD5:	A4DDA957DD73536F69688C501F879B6A
SHA1:	6FAC47C216FAE21BE50AB05B06ED1422A639F2F7
SHA-256:	94804B3AE74261084B9CF740D7C06B1938336AB883EBB2EB230775EE8AA838B2
SHA-512:	BCA8B59DEE4BB5EE2C41B34FD87E73E3B7D7BAB9E38A502464C0065F89FC736CF77EA1CF987B286621F9CDE7A3E8E23D59D11ACD7019A455625CED68001A3D2F
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\DX1KWDRT-SWHS-3N44-FB77D1FC-A0BBFE41800B.diablo6
File Type:	data
MD5:	F048F5FC332EC5CEF009800C25174228
SHA1:	79E2D542198502CC96EE0A8DBC7834211C5B5F6A
SHA-256:	7D0FA4608EE1A6C0EE6119CB7DC4C0B87ACCAC005EFFC86DFF5762063611090C
SHA-512:	616CF4E7D8218A81BCCB4C731BFB0D0C6141DB72A8DBAC9D1898B1C24750134F15B8A50F99D493D3BD58C5784008C3586A8BE38A731C3D2ADAC0B8568E0E5AAF
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\DX1KWDRT-SWHS-3N44-D4C9A525-FE9FDB842CEE.diablo6
File Type:	data
MD5:	5EF457F14AF793149B0EE423324682B9
SHA1:	D4CC30D4C9F3C0BA85A48CA914510D9079AE1D9D
SHA-256:	FE64C260EF201A6AC898CC8C66A52D1A98FA3E8C2DD1089503612567344817EE
SHA-512:	490CAEB33B3520BA8D4D701CCA75D1EC8FAF1E763067DA930D42B1FFBFCBB5BA6266D73AE424FC463562136C6D7EFFFC7BB639090499AC78EFAB5D2993A127A2
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\DX1KWDRT-SWHS-3N44-D3A01F0F-399CD79F7BFC.diablo6
File Type:	data
MD5:	9B0DD4BE797A201C258E1277B5CE98EE
SHA1:	F68B60064B5990B50353185650FD500F4D972C5F
SHA-256:	644E01C288DB4217BFE709123990B5E0C11EF4DCEDD57E2F1A5A6FBF5FDFD786
SHA-512:	7190821765B11F60A258C257D6BD927BB2C9CBDB713CFDA49A9812C58068A349579626575360AE7CA293A920E40453575795BB4C8ECE4715451B74CFC70DCF37
Malicious:	false

C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\DX1KWDRT-SWHS-3N44-1C882090-6083E68A29BB.diablo6
File Type:	SysEx File - Soundcraft
MD5:	2844CB0431EDF40BB0B6F909BA66A9B8
SHA1:	92DB25E7309ED9084EE31834425DFB149389736C
SHA-256:	63BF5AD9B03885961FD8F8415B4EF502C01B3C29E80BDFADE4C43E57CBFF6B07
SHA-512:	D5E3B6BD6E49D04824F6277082F564AE61905D51A22051E3195ECF2A6048D048EE60016EAA2146C4AE78CB55F0D5D03D146F47C837CC510D835B62B7819FCEC8
Malicious:	false

C:\ProgramData\Microsoft\IlsCache\ilrcache.xml
File Type:	data
MD5:	DD2B6B3F47E0D519980B6976489820D7
SHA1:	C5316700A645BB0E7BAE3390FD7D744B79246FCD
SHA-256:	240F91C9C08CC93880CB7DD05677BBBA617E2C277652F8B1F45FCABF565A480F
SHA-512:	814DDCE93B7EAAD317140F47586D71B12F004B0E0E3E54E312B1F486F5D7A6A1C241E6F164D44B2586FFAD9C90987CA2C8A609DCE709E6E5C0AC08E10BA79AF6
Malicious:	false

C:\ProgramData\Microsoft\IlsCache\imcrcache.xml
File Type:	data
MD5:	E7E757B6ED42B4BD458FDBC62F4F1C0B
SHA1:	98B598251022E04A5F8C389E706479F34D3705BC
SHA-256:	F67FE07CB5F0C8D4F99F014C2A34BE65783F0633EBD8A1C7A3B3F898093C56BE
SHA-512:	B950115966C3C2B7205B6994A2EC30BBC5EAF10E386C67D77CCB90648239481168A88FBBF4832973D3193B2566DAD6551EF9C91722987C89089059E66598C394
Malicious:	false

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
File Type:	data
MD5:	430832D7CE238BC0718AF4F65CF50C41
SHA1:	75126F878EF5CE6190C64AFCB7D232239B6112F2
SHA-256:	3CE9AC3187037E375E922BD78959F3A9F09D20233713C141ADD762C676256DD3
SHA-512:	E645BA96C2B008E4393F1212F0181E3184306C62AD1AB0BD8D490720368DF37DABA0B0FA0B000CDFE53056D8EA822A6F98560AC087194B4EE61D9DA08FF27CCB
Malicious:	false

C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
File Type:	data
MD5:	9D83E8D846366128E75AEE8C73145E16
SHA1:	440C3D4D520EB267DAA431DF49BAB0ED8ACC6EE6
SHA-256:	51E0D18420E7812F63094228B615489116E15629301E1A4D6435B2BDC23DEBD1
SHA-512:	1515398250B914C0BC0542C1E63DA813C1101A2D289E4FE2E0AD3EA161D20814026045F8062DCD66686F06694BEF52C76BBF2EA57D853A45103A0605F684C08A
Malicious:	false

C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat
File Type:	data
MD5:	21BEE4D0355C91DCC159E04F72F50507
SHA1:	660C7B6A0CB765093A93B9717D50339121AF4937
SHA-256:	3E1122C690F057149DF14AE9B2923962B93DFB8CFA47165DA22D2F27C8505E8B
SHA-512:	18A13AB586C0664CC1797F7C063104CDD92B85FD2BC3451294277A2C52275C412765FF776EF50F21F87FD544AFF5860019198B4772EA3FEEE94062EA9E222CEC
Malicious:	false

C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat
File Type:	data
MD5:	24A38443ED4A88E4E4D092E2480F2317
SHA1:	670D3558EE587B6D7244DC33765C697BF5599C6F
SHA-256:	4F5D08DDAF269D5A2BB639F7FC69A0DA1C62F411A1DE8743E70B6F9CC692DE38
SHA-512:	1E7B63F76ADFCC89E3341846A258E9B7A3A5033C9A562B99EADD72D9D3E3DD954570C3669DCD391A95BB01315A7D5784B5EEB8F177112D28C75B7F0724B09469
Malicious:	false

C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf
File Type:	data
MD5:	CFA224FB93DC468CB54E68F88BB029A6
SHA1:	30D722EEF857808DE1632E69638F1A13EE65571C
SHA-256:	276D652D1B1E6D9ED64C5A4254742825FB085F7E84E5065F0AC62F76DABC7A9E
SHA-512:	B4480547351B7EA827B83C9349AF0E2118D6DCD00F9892330B076DDC051ACE99228CD551C8DD6663339C18FD4C6DA40408D309118CFDD0981E526D9563943EAD
Malicious:	false

C:\ProgramData\Microsoft\RAC\StateData\RacDatabase.sdf
File Type:	data
MD5:	28126640A4BD973EBB7CDB99ECF48417
SHA1:	48783B251E0EA15B4AD3C34B956BFA76EAEDEBDB
SHA-256:	DFF5FC17EF73FA86A85167EA2C0861A9D9C7092E2C5FC0965CD66345BD5490FB
SHA-512:	712D8DED2C66A95F0A487ECE1B6605ACBFE694FB846594F7BEAD88FA455A7D0A7E258B474BA9BAEDC10094BE167D1D3C1F0B5E1EECA1C74D3F0A87E3F6035BA0
Malicious:	false

C:\ProgramData\Microsoft\RAC\StateData\RacMetaData.dat
File Type:	data
MD5:	7809C2570EB8A61C550D6EB41E04FE54
SHA1:	788EDC18E353747D709B827CA734B649F8DA4F5F
SHA-256:	A8E77F533120E32C653725372A1B19316D0D7D5E32F91CDD54902846721281F2
SHA-512:	7C2BE76ECC6E7925283DDDE777E3572E5ED2FCC222893BE0AA04480BA33ED1B51E6306BB94585B515B46448C51E093336B1142E83BC3F1C8545B88564E83537C
Malicious:	false

C:\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat
File Type:	DOS executable (COM)
MD5:	EF50B9EBC8953DA7CF1300F9FCB92E1F
SHA1:	7B8AFBDB83521488414CEA9B9CC9DB1A65612B8A
SHA-256:	2B553F0BA9B7B83A4C0751D04A8CFB37FB5B3D6C03CBE2A328505880D700D78B
SHA-512:	988E4840E07B4E3B7F8411C4F8561E96A9E1B9F5AE8FFC859C5F301D48199524DD7AB97EB3C1A2088B796633906E8D3D4751B920061064760CB6920F445DDDF9
Malicious:	false

C:\ProgramData\Microsoft\RAC\StateData\RacWmiEventData.dat
File Type:	data
MD5:	DB991AA414867FD0E971FF62E304458B
SHA1:	4FFE41BCBD7C218FBBEABE584D6DB2EF4A3C1CDE
SHA-256:	ABFCB67BF46CFDFF6F525F01C330E691AAA19C35BC63F7FBEB950F877EE62FE5
SHA-512:	43D2CC0800A3501973F5FECDD8F66152420D7E116615781BA501D855BD20480A4CF4D2E8B33847E90D291CC9CBF0080CE81C9876A3B58676451E886B8BA40A97
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-09F1FE9E-F31C44B9C3F7.diablo6
File Type:	data
MD5:	3139BF3A1C97A9B0DB300B7FF69D70F8
SHA1:	FCD34BF0B9F5BECC329446C93C4783ABA5822AF0
SHA-256:	6F1466F8A3E427AAB7D0FC13D4ECAE142489B6A16E6827DCF0603BBA6CC58B13
SHA-512:	09BD282AB81C2C9580ED3830D4B0C5014AA6B8F966ED66D1A920FC322E4898392932F2035D923C0889C87679F97E06C602E12E8E38F774C0A0651F6C02289EE8
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-09F35816-50333C6ED5BD.diablo6
File Type:	data
MD5:	2923E83C22B25617BFF0A2BE45169E67
SHA1:	5BE61AF9282DB00EADFC37271F029019C466385E
SHA-256:	348BE80637259AE110C314721D59C0A7C22956B6DF769A6DA175F442AB09AC07
SHA-512:	4E2F4B6E3C66CDA195D18F1EF5DFA84CD3F6D0A4F325FD3438E0DFAC4B5ACF122714E405D7B23F07DC196175FC981F11E9A231A440B2411125D3D648F7981E3B
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-0CE45665-F3BC0D684DC8.diablo6
File Type:	data
MD5:	F8F26436E50DC919FAC7A334FF673516
SHA1:	7587945993A96D77A58A03B4CFE69A6A204BF4B4
SHA-256:	6B7280A787C6F71C18CEA14919E9DF2FCA80164D363912C0222F64F3D09EB624
SHA-512:	2DFA2A60645AAC45A5F0C0ADFE76BCF365472C5C81886D8548349633CF2641366A30DB3938FC2E1DD00F4C4E0BEA2D857B0226C7F256B1ED1941800D82C29719
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-0FAFECF6-9C9177C7B021.diablo6
File Type:	data
MD5:	10E386907D4F0A83B2086902F1E2AB4E
SHA1:	BB38E5736ED9B8C4502B1F7A2D9FF0BC86E64597
SHA-256:	61A8CB8B299DB479035BBBADC7FCBA6EA36FF946CEA956D1FE6630624FDB6B18
SHA-512:	ACF5E935B9D7D45FED4E4B82EE2172E2DA9CB84C09A1BD5995E9C13DEF2C4914A0143FFEAB5E8274B103BA8201B67AE1F11588236673BDE66AA748FC28214661
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-16B3046D-0389FA1ED436.diablo6
File Type:	data
MD5:	8284DF22E21290FFA86B790E4FDBD2CA
SHA1:	D1A19E4676F45209DFE81831BB83CFA33355A92C
SHA-256:	9717ADED3CA1CFF932A48FF6B0D4AFF6826A9A967B01F475DD71734E14A70ECF
SHA-512:	7129C56B31F968E30AE1045C402C64DEC530D5FAA99E4C6F2A56B62B591A2F64D46A2AEE41DF0B777251EE016A71336FDF367849BC3C5CE55BE5E75DD1D53E1C
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-18C21800-53B6850C9144.diablo6
File Type:	data
MD5:	118B2F3ADC1B704AD863B988408EF9B9
SHA1:	C9F11B629D0033BB2CF4DE74AA9DE887830CA7CF
SHA-256:	65ACC02AF53FA907B7651BB1BE6D91E58AEC477C5016D4C45E134F838C62B1BA
SHA-512:	7434E0CF196E87E772B1B790FBE237FE76E00B8EE668483D5668B17DB6E1ED47439024CE17A50AB62DA3F84A5A3C911DB53017A2ABD3B55CC2266359A44D0FBB
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-2C526F95-7EBB5D7864B7.diablo6
File Type:	data
MD5:	0879A16701310CB7360FC7985129FC8A
SHA1:	E6A0CFDE3D040FFA0D0745A541252719F494E4CE
SHA-256:	71A435ED2CBD79D47D769611650165B83873D25B23D126EE6FF2DF76646A9DD6
SHA-512:	00B7C00C5CDF924E8E2F5B8FBC0A8CCD25ED6C70BF90C0415B53FAE8CDCED6CC6A1BF595B69C37E1EB59BA944FD3AA58C41DD60E20AD7733C446C8052C48331F
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-3E2D5E51-BFBE603A9CF8.diablo6
File Type:	data
MD5:	71C8DC02EC9B7427348F66498EE18B7F
SHA1:	093CFF89943D81F28E8EAB5818D42748037493E4
SHA-256:	CDA4994DFD3870AEC2B8559C49BF90CDA95F7FCF0B3F471194F6838DABFD4FD6
SHA-512:	FCCD20DB00BA110E39CD3A0DDDC9FBE66D8A73C32D340851A59408A03DBC2A564F564DE5691321F73E56E5185CC05496930BEBD31C7225B0611B0B6527B777EA
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-46E02FDD-46B5BC12EB5E.diablo6
File Type:	data
MD5:	1CF7848DE8FB6CE57F3DE4D6A79E42C0
SHA1:	BA7CCA528F8B5E0532C55B647C80E11779D9B89D
SHA-256:	128A48843544BA811B483375CC2D69C9F6326B53151A853C87BC7BB093F3A598
SHA-512:	FF55D3E1714FE0D0C8B2FC98E44A25EFD0BEFC1BAE814DFFDC7975521D42FD46975DE362B25E0692CA69FF6C82D5E65D930D8B13EB1BA65C13BE50FA0139C268
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-4D1DE250-8C7F87BE0680.diablo6
File Type:	data
MD5:	00ECF489E42FF03ED0525D510F202CBD
SHA1:	E8DA344F9C37A50EC09D4D66CB92040B67756B59
SHA-256:	E1272CBCA5A27112DFBE1E204309C9DA50BFC5B53A3C311F2E5E7E5C7E799726
SHA-512:	03CB2BE14E6A413D7DB47B9126AD0F78C6C3A75A1C1EDFF29EB436FABE144C7F26EA90E009B9EE12F16919737E669018C068236D3A5504B34A6DBA12805E4445
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-5F583363-28F534B37723.diablo6
File Type:	data
MD5:	2EDF39E5D0D3F50BB5653013C1DD089E
SHA1:	86DE14AA2CF4721B56C0E9DB4EE6DEF2E4830515
SHA-256:	F6B30147C9CD7B63DCE856E5B01BD3E2ED5679CF3A7725832071A3B968C7E9CD
SHA-512:	E1ECD6FF45207DEDE2C5F95DDFE7B347A99F5FC85D84870974231B72D18260998202A0B7D08EFFEB37344ECD1E4511A0FD066E3B3E5BBEA059409161780118AA
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-76FD415A-FA3FB51B63C9.diablo6
File Type:	data
MD5:	C22D02871F2D8481A40979793877C836
SHA1:	1A1CD82753580E64014A1600064D1E8DE63EE271
SHA-256:	AF4E49A3538398A1CB447F216EA2B1FC42F9726A73499ECEA13F26CE9B80E0E0
SHA-512:	83351843EC222F59A8A2BDA58284641DF8BC648ECC365C517F94DFBB732E418B867E1E51ABF92E64E84C9588DDA5BAB0BCB45BCCAC4471C16A4097B6F66B47FE
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-77D219A4-9B73FF318262.diablo6
File Type:	data
MD5:	865F63E6AE5CD1281F6D19DE21E29776
SHA1:	AA239036D247BD7217CD099FC6AF16BE39B22152
SHA-256:	1961EB4416D246E83DBCC7F2AF208BC9CAD39DF50197979452E66D6A6ECC9A2A
SHA-512:	FB649C4776437995F8536882928314AA6F63464CEA9B850385AF846E7B889E78EAFB8BC9825E41F73542587D29E1AB8A728B780C51E5C0DD9996624F03E5972C
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-9151A83B-0185E7CD71CB.diablo6
File Type:	data
MD5:	A51DB752A4DBAE9E24C26485FC2DF4AD
SHA1:	3B1DD7AE8FC925B6A171755255B6BAB181787312
SHA-256:	6B723A006F20D6548EE18E6B7071A113D4000E21CD7B889652632D2E972EB5FB
SHA-512:	0228EBC7A39600E3DB93A9A6DF11D94B2AF1DE57EE3490FA9420FE04994815ECFB4424A938B08632E517E4A2E5B002F7BE975A6F4278B3F1923CEDE07EDE987C
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-92E2E88E-4E4E61214CB4.diablo6
File Type:	data
MD5:	41EEA381FF84BF5FD2829A9DE76E0D86
SHA1:	86B8678A762C6EC4D5F9C3677858AB7D57392568
SHA-256:	2FC909C93A97DD53DBF7F93E0725C2DC938F81002CBF1B30B3E9D5FDF9E122F2
SHA-512:	A45947CAAD6456B5CA2AFE13596CCD3CE6DE45EEBB0D70060BDCD4E40BFDA52A4C4D608BFDE87AD89C64A6F96B25309724C37500C8DD499AC7FDFCA7174667F9
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-93667567-48393B93CAC0.diablo6
File Type:	data
MD5:	EEE90ECB773A4CB61657559417538FFC
SHA1:	ECEA875E33019B2D22BA6A35AF9D12FF262F5691
SHA-256:	9FFCB29308BB045091D5F3CBE96E85CBF4545DFD6A1AD9F334F8D9C788340BD8
SHA-512:	0C389369A83C349EE967EAC645DF5C075847F2FF28F341A5CF37A9753DD593FD46FE92879FE54F27D1776E58AF1036FE542B321912AB26CB89FC9B953E2877EB
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-9487B013-238CEBB7915A.diablo6
File Type:	data
MD5:	6CE607D719DAB7E9FE5EC24DA47159C8
SHA1:	4C0B25995BDC13BC9E6CBCFF2036EB67F3D506AE
SHA-256:	4AFF20A48FAB7A7485B1AF95D3399541792DF75C792CFCBEED6DF24AA727A095
SHA-512:	22C5D6BB46FE73E79E4915D56391607F08E55D6301416BB04C90D29142CAB5A8B0F7E128D7FA6DB439DBE83D26A7ADCE2DDB23E836EE387E790E057214041588
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-9B88FE27-47E8197ADD5D.diablo6
File Type:	data
MD5:	88E2F504B9AC7BB47418E8098E85B353
SHA1:	80773AA516BA349795FA075E0A00006F30A607F1
SHA-256:	DD5581574533B07F9E0B104024DB1DABD3EF99E540A3B9930EAAB22B73248483
SHA-512:	947717160CB3A95910946DA6B1AEBEEBF458E88F640ED5B057C1B838F625BC15B7685415686E756FCF8E141B0040921A10EA301E5F0688B37EC4840878678483
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-A56D1C4B-0378A2894EB3.diablo6
File Type:	data
MD5:	77502C69E373F09285571C287F31BF54
SHA1:	088E95F303F5FCA26C40B42C2E5549B99D35F12D
SHA-256:	0BAEE2D06A04313DCE2B4773743E17D8BA9A010CAD0D92A1C800685A03547633
SHA-512:	F318EBD0F1812D2022CBB6536A7E61746F44C1A65427C7C3920DE12B6CB8E6DCFDCA3D1AFE216F3BC7D188779EA783F1D2A75BCC51863E1F917426CBF3EFDC90
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-A7CA5F86-FE80D29F2EC8.diablo6
File Type:	data
MD5:	C00988B8145D314555A9BC42BCB0A512
SHA1:	59B4BE429A1E2853CDB7F6F3293131FCF1081F2E
SHA-256:	56D6B096F9FA0D2C834E05B23983E20F70B888E1BB5FA0FD472C1EBB8C6C28BA
SHA-512:	6A76132C0CB1BD79B76B0330B9FC49A3C5493AE5C026F6A82F2750BBE54855B468FAE4035DB72CB2379AB01719C46E3698389C07CA83F49A9A052D81C73688C4
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-AACAC23A-73246FBF1098.diablo6
File Type:	DOS executable (COM)
MD5:	22E52277832BE9BFB2F52738D8CC4AAF
SHA1:	D64694E1264F7465BE14DD36451688D6CBC3D78E
SHA-256:	285B46AC7999600FF68FA64B1A23C5C3CE9F815B3B72A74D5869187764557D5E
SHA-512:	44886BF75B4447B3B41E886D52CC6C3375671E5EE1DB77F2923BF6C57EE9644CFB521CE4203BC6A3B9410E11E1946948AAEB3ED0C4D28AA81C2E8C8D1F9F3C91
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-B04A7CB2-D59B70D333C0.diablo6
File Type:	data
MD5:	68EA794A8ACCE929169657F823E6A44C
SHA1:	5509568330DB3C8BD4079919C6F9591223BFC8DA
SHA-256:	67BE17066A067357452950D3C2AD4D138AB2935DE2D3574F9CB8F86CF5A74E1B
SHA-512:	7C3E4552A2CC85BFF9DD42BD63AC99930AF025AC8E5C6923D6815451DA244DCC79D20C1CAF7927707C28FD3A8BD0D55DA3366F0F60396D3DF1131A9B31C32E66
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-B5643B6D-9AB60CC7EA87.diablo6
File Type:	data
MD5:	58D17CC6F98CD54B56EC7E21E6B5AAF6
SHA1:	23FE7A668AE95555567214F31B0981D4C36F5062
SHA-256:	3175397E34844A3A3D92C234AA1EA5C8721CD459456A7032EEAEF1C649E89A9D
SHA-512:	986014E49EF4F93323F298C3F8C461D08B7FCA5F84BA04ABE8F4435D12FE738D931213E732187621DDACB407D2E9BE6751C1B1BA871FBA5D062A152BB51D7D2F
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-B83DB32C-1C0DFE7A9282.diablo6
File Type:	data
MD5:	B9016E76CA7CD6D0383A02464E9F0072
SHA1:	77AED52D52820B18A8B94CACC025EAFCCE6AD252
SHA-256:	A5E3C153F8457A7108FBF360C2F62C4CCCF4A101BE2E0F824085B0BEB42E51DF
SHA-512:	EF9204C1AF18BA156CF9CC9EF7A20666676B62F5F5A7586DB310B3B59742B47AD05A6202E3A0A82023FAD84F8888E52B1194D3AEF1C2A1A6B5EE1D874E18B120
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-B87CE978-D194B11C30AE.diablo6
File Type:	data
MD5:	8537C21CB63607B38855AE14FA787D7D
SHA1:	665E555D0B8FBCF5DC6BD566BBFA418859D3B5F3
SHA-256:	BE7EA4D4D007F8D6C34A7F540C576AF123788502743E53EDA60E366AE31C4DD4
SHA-512:	0246CCB9DCD418446BA205258BE1D09721C100E0AA1CC4A9DEDF89CEF9AF1DE0995176B920FE3B0FD631042DC41724C50DCD0618F888A044D672C0C9D7B0CBCB
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-C371AFA4-51C4B3DA2F72.diablo6
File Type:	data
MD5:	A336E835E842DBEEC47633E84B244376
SHA1:	2E1DB24C37C28652F76CE709B4DD12F328098AB4
SHA-256:	318194E56F4DCB00DA6CDB7D04849ECA38273B49B944DA0092C59084A205E5D1
SHA-512:	B3E3E90BF087BC3628E2F80C261286B738EF7E6DA90401F6D40BEF892B54CDD18E547B849023B223C425AF7BC6BAB1398ED1ACC3F48FB46A57C28C4798AFCD7D
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-C74F384F-830830A8882C.diablo6
File Type:	data
MD5:	64BD08A72E3D8463537E3EAB6FD4534D
SHA1:	604678439DF0A9C254DB9D46DDB76977D3C0EE90
SHA-256:	C1167866E0D01CAAE1E23A08C7054DFD4CD66554E35E2854308FB6C9CF926EDF
SHA-512:	265EC7A2365B6E6ED50B465F5DF3868E276B097DACF1811E5F5846C357A9FC570441E3E0FCEFB6AF5C41F29AE0C3D9F6E7EB647A50E54C740EEB2DFA458E0C57
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-CE32DE59-DC2FCFF73B7F.diablo6
File Type:	data
MD5:	FD9212E003036914504EBBA1B6EFF0F5
SHA1:	E56481355C2FA9E44DD16B454EFCE70474AC4D45
SHA-256:	C0E11BE84D384E7125C33EB4FD5EDA1B27B4D7B391A1AFF0763BAF4418C4AB8D
SHA-512:	75FB4C28B6B204C9F5DD8CD4BC8813DC39171D39F96F7740B6C201495564E23C9762286CAAD253257894721E9ECCB2516C02770F6A715FA6E8FA5064CED672E7
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-CE9735D5-714DBCBF6F5D.diablo6
File Type:	data
MD5:	CF45D004EEBF0328EBA0345FC830E5DD
SHA1:	D3F46626C921BECA2536E63B3D6F04F5ABE0AFD8
SHA-256:	027D86571F80CDFB4F2A96E693BF2A91B5607DF4FF5D6CACB5F89C1ACE5EC645
SHA-512:	1AD6700E6E59826027C9EA5778E1B53DA57EBE27DD25460C94A398E1640D81F7EDEB0E7385A44EE7594F34774F7CBE35B25EB46AD64DA1A21608E3D7628A12A6
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-D19CD156-5CE15E2B8986.diablo6
File Type:	data
MD5:	8164E99F5C75CF6E85D3349EE35BB561
SHA1:	EB8BA058E7DB82A52EAE9DB7CBF3DE7B6F909976
SHA-256:	BA2CD9C7B3CD1FE4DA993F3A0DD85E53D786D4ED30ABCB05D9A036F8863703FF
SHA-512:	D773FE834B1914FC847AA33A05CD519C70863711B63BF311C93456821D9E2D79518F5F3C9E9B5CA901BC6ED8FE883E09B7FA461050FD18A2A76C26751550337C
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-D5565821-5F42AF8D3FD1.diablo6
File Type:	data
MD5:	11A69E29EA78C946FDB1B01D884A4A8D
SHA1:	21DAD737DF5DAA9210280AE890BCAA81176D8B8F
SHA-256:	DF8B64D7CD2BCDBD44CF6A7D0BE9E33B6B6BB759FE7383E44C000A991860FBAA
SHA-512:	80E99221780CC4126FD57A37C3679F2BD56A195C435FD84AB364D8E6A18F1EF3DFE3709C9E3C9A4A73517F16FB52AC48DEFF0153961CE1A3318944D47F35FF36
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-DAA6DAA0-D9831C6EB3CE.diablo6
File Type:	data
MD5:	80A2487C44CD7D5DFD901BDA1D3ACF4E
SHA1:	2AAB616653E2F03CE94967D8B62CD88D53F8608C
SHA-256:	890BF75CFF4FCBB7053C7FB073D5AC965F58F143C78D2D3C489760C3B1369DEF
SHA-512:	EC514CBE6E598E667BC664860C07A56E4FE3C0BA97EF56B1E3133EFA6FF6804B61EF4537F0A41E5A804E87E9BE2C1DFD931440B7A72A31958C1F55CDAB0C34FD
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-E558E0F7-647595672535.diablo6
File Type:	data
MD5:	7962C357C56978D05B165554162C0D54
SHA1:	F996E0A65731F43931C3C08A828FD9B83DFDFE67
SHA-256:	3ED586CE2655C37EC3F1A8C59416EDF84731840990BDDD4BA2FACD39CE50A562
SHA-512:	13BD80BED8786AEA5D11BB9F85C37844DE3E516B32A734BCCBFF38829126A8B069C7E9BD98134CCDFB78AEC457EDF88C90762B3D3E917D4E0C20AE126C090164
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-ECE40EFA-98EA844AC354.diablo6
File Type:	data
MD5:	F898B831DACC5E6B4A4BDDE05BF49165
SHA1:	296B06DD0A9BBA06B24705E392866B910C2297D8
SHA-256:	DF7FDEB87FB88B0A9CB7940D71796035E0E61B6CF88B06B7AE0EE111A96220E2
SHA-512:	2AD81ECBBE74D9A0A3F8C6AB9950780461B12A1EE4B106B210256D6410A9DF9B2C9442EAA13E184FEC54AD56A7A5741529F9E5F33BA5093C5C8D19C503EFC3B5
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\DX1KWDRT-SWHS-3N44-FF67C6F7-A0A40862C1C9.diablo6
File Type:	data
MD5:	7E294562FCF04536F4B2B26071D32456
SHA1:	C531C9BFF053BBBDA40924D5514CFFEEDA6C541D
SHA-256:	4A3505C5583B0E546CB8D448C3BAE54993672532A07D6BE6571FB1691ECE5D49
SHA-512:	3769E933658915EDE087C76D4ECA337C6B47A2E7A399AE9BB1B690A53A0CF4A29E634A45BA80010D2F3A2A1292677C4D734CEC53BED76199015C4A6D852DC688
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\WOUTempAdmin.dat
File Type:	data
MD5:	97CA9F7C98779EBB6653A1CCA3A7A5B2
SHA1:	D3D4E72699C2D710B01A7B12F9D8FB58AE5F959F
SHA-256:	761B1A9EA4276C70B9470F9B9E90B68EF4D04F9A01DA05010C679887268E8AC6
SHA-512:	5C64F2F8D85A068DA49D059FC24C984E1AEA43B93947E57CCD623B5CE1EE69A8D963D0838370132132EF6584D81E9F07548A8001ECAA0E3FD4B7F91C7BAE0076
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\admin.dat
File Type:	data
MD5:	4E08C34915ACB21C0794C3D7123DA5A4
SHA1:	F396614377658E24454B8A422403143BA7025761
SHA-256:	6C51570A40F793C5718A23A6760702F0BEBF46340B1619DCF8C6E8F0BFD08487
SHA-512:	87D7332227CAB8AD2E9F2D991F148AF142F582861B69B62D8DA832804C95CCC215922CA1B239542FEA07D7DCD5B547A601298F2029E0C0ADF913FFA1E1968194
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp
File Type:	data
MD5:	DC5B72FD51648C2BA3536F0311FEBC26
SHA1:	90A38019FD6D8AF05D7739279084B2030E802A25
SHA-256:	03CC323A8CEBBE68282FD200E29D809AF293F1E9445247323A3247341FE0EBCB
SHA-512:	E87A2D22982B6D0E97B50DAB2AE432728CBFA3C2676D485D1820F8C05C450D6EFDD7C15C66A20A05457A9202720D8068C98BD7AD1CA5F31C7AA2A71B451F2AF5
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\user.bmp
File Type:	data
MD5:	03F11FDF46C3E8D3BD4DC24C8099BA5F
SHA1:	43E92171D16DE0B261E299BA51B10F390A478B6F
SHA-256:	E44B73577D6E0A747E8D069A59E84AA85FD72B4DD49374DDFB21495F5792E8CB
SHA-512:	A0FE5300CF5E66CC8323E71AF1AFBB89FC4B55E33BB4D5B25BC7965E0B298D2088BB4FA344175030BDEB02E77B919E56A42CF95F4177FDF33DF0B715CCE1D473
Malicious:	false

C:\ProgramData\Microsoft\User Account Pictures\user.dat
File Type:	data
MD5:	336665684A707C8D96CEAF446A628BC6
SHA1:	497C7EBD862BC31D567A0CC92B013355B43A8FDE
SHA-256:	ABED40D644295BD791C036E54FDB5D11749168B25C9A55869F6A218DE2ACAC3B
SHA-512:	1EBA90F308B38B14A5EB9ED628B482D30A401147C58029B191F82A8DE423E6812AAD6BCC67443AD5E2D0B0575E67F2A16E65F9965EC2B072CBC1D22B9C19BB01
Malicious:	false

C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin
File Type:	data
MD5:	276D2B55EC1086E174CD3BA70098901C
SHA1:	2E0CE3A3615422A3946F2FE4238D8A3BF9489100
SHA-256:	371FC2C9AEDA22136ED6A61FD4B10029F9D168EE4FAFE9E96274E5CB3433AAD4
SHA-512:	ED39509BA583D43FAF78FA0C099A2984E48EF60226B36CE45A49A1FC88C7506779FCA6879A581338543B808FC7C2D713C8A075F4BEB8045DABD60865379A26BF
Malicious:	false

C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log
File Type:	data
MD5:	C57254969C5285D1E5E32EDF4BF9F0BA
SHA1:	C42FE4BD34241E88A867C3EF9DAFE4CFAA9D50B7
SHA-256:	3ED5937EB1E88E0F8D76B2400D85D2828257BE8CB7D94950CC6A932056E30E74
SHA-512:	F4D3A7109391D824068AF518552FE68FCD50A1B34F923039BC5C6290469ECC09141786F72C207B232C861CA4E7EFD3128BC80DF128CE48E12E13CAB78FB507DD
Malicious:	false

C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-1F2B164CC5B9C448026AD0FFFBF22638AE940E84.bin
File Type:	data
MD5:	259AE35A10704F65CF56497EB52115EE
SHA1:	D588EAA7504DC5E5D8272BCD3C17FF3208A5E7F2
SHA-256:	D9FC0CBB83A81A42B2DD338A7A9CB69C6B9ADCFA2B6861DD5D74829D02E491D2
SHA-512:	C75C6D7B6A25905111E2AEA19C794A5EEC71B82FC7AB573618B8440E13A189636B9E546E24FB16321237F7504D5F592BDBC7B82C485A889EF128A5023FE0696D
Malicious:	false

C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-07132009-215552.log
File Type:	data
MD5:	350D865EF8654A8DA1356DA88282BBAD
SHA1:	E1E1B1B91C8F97B3016E0DFAAC959906CBFB68E2
SHA-256:	4EB80828B2A3046009BE50DF857932F80CF84C2C36651979A72822BB62C2E26A
SHA-512:	18443DD40E33AB0DC11A30802D3B82ED060D50C0EDC29FCB70730AFD2646BAFAB5B769FB064E72290946938F7DD044B1B2D68E4AEA5B4C05D227F1737925E42F
Malicious:	false

C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\DX1KWDRT-SWHS-3N44-6AC76FD6-BBB08AE940F9.diablo6
File Type:	data
MD5:	F6B1F9C3B07FD1AFE0EE93EB9716554F
SHA1:	20435E63900528F8E2D35E0B01C73155F3804412
SHA-256:	DBAD706F52DE786C5803CE03ED276B62DA28F520D0FC80D47495BFDCD6D6BC12
SHA-512:	ECE2A56E0EE884B4158DF195385D7641B5FBFC6885B77D8CECCF8FDF840E8F04678B314AD88745F75BE302F02B0D47066D440F082D8D56BE4763D9BC7593679E
Malicious:	false

C:\ProgramData\Microsoft\Windows NT\MSScan\DX1KWDRT-SWHS-3N44-372C1AF2-D4441AEE070F.diablo6
File Type:	data
MD5:	C0BBDE3FE61F5E9AD5421E9D48D037F5
SHA1:	FC0B39B130C07ECD4290F69E9E32F7AFF7C84A2D
SHA-256:	7FAB69EEAE172262ABCF9BACB5128C15BCFC33AC856DE9A545BDFFB45E55C567
SHA-512:	D67B4B6D1A952D96E50119235B3AAA20CD1751156F70F20E4C4FE5CDE4A24EB7DB807C4BF93CDFDF6011510A8F46C79C9635EE69A759324F9830A265FF63EA59
Malicious:	false

C:\ProgramData\Mozilla\logs\maintenanceservice-1.log
File Type:	data
MD5:	D170B29071FCF42FDE77284BD755EFF3
SHA1:	FEBA653B53CD8036FF8D6DC39E2C8E5E35FB3EC2
SHA-256:	53B3D8B9B3A68E1743C1F20AA9319CC5859C09C5EFDE3A18E037B5107ACE9B12
SHA-512:	EF38F15BE58C09154C515C1BB723D601CB8BB3248ECECE332ACCA41E4FBFD7CCEE049EF70614DFA8ECBD0D759DA8B650B976FC37016A87E627FEECEFADF2FC35
Malicious:	false

C:\ProgramData\Mozilla\logs\maintenanceservice-2.log
File Type:	data
MD5:	5F8CD4B058CEF56F1F9EC6A15B6DC82F
SHA1:	5589D20AAA8E5B86E6BC4C59763532461C802570
SHA-256:	89BA114B1FF74B3FFEFEB7E678183990F1AC6910BA47BAA9BCFA764FDD6F46B1
SHA-512:	812A13E9B6ED688999A7FFDFEDFA559493D05F7A89F09C73842032EE794469F63B0E17D2DCA391D8C37416A00370BED60D45D39D4FCC086F6B021DE3463956F0
Malicious:	false

C:\ProgramData\Mozilla\logs\maintenanceservice-3.log
File Type:	data
MD5:	F977B67151093D51C7090937BADCFA83
SHA1:	81F9AF4D7B875BCBA33CC97124C6CF9CE5CA29D7
SHA-256:	5506FC3315F8BFCD606594B6A24140217AEDB36E9B6321F1A944736F9997E59A
SHA-512:	1885B58A30F09D083E9C1843C5C0A4C20ACC82F1AE041EB6701EE4D020BE222A1FEDFC3DA0C0314E939D23860917B8297078F2EC416B6A34B5C98683D3287BE7
Malicious:	false

C:\ProgramData\Mozilla\logs\maintenanceservice-4.log
File Type:	data
MD5:	F5E897032897DEC8FCC3AFD6224A6C82
SHA1:	3DA2E083B6D89FCAC881BF18F23BA0EF71C853BD
SHA-256:	EBBB00EB9EE0B5AB6B222BAB342B357A0F6BCE94E2231C233547E6910E13B2F9
SHA-512:	F0218BB02E85FF0A2E10BDD3F16E67700398FAA27DB80D96C0AAFCD45CF7BE4F3631D9E60245EC9FFA23034CF3D25101B25C380FBFCA7FD91BDA9A35B831A4F8
Malicious:	false

C:\ProgramData\Mozilla\logs\maintenanceservice-install.log
File Type:	data
MD5:	7C6487D52D5B7A29DC8A8C6F23D85A29
SHA1:	DEED312C3638C95C05E69FBFC679EC842AEE05CA
SHA-256:	0473072F3965580E5B0FFFF6A37FB4BF9FDD85F440947525F8B93A6CF3BCADFE
SHA-512:	3B9DEE972AAF576FD79DBB63DCB9164E4A783B4530A74CBA378425531179353C89F3131689CA23C6944466BE58E5C798379981027183574D1D5E31EC421A604A
Malicious:	false

C:\ProgramData\Mozilla\logs\maintenanceservice.log
File Type:	data
MD5:	31CC2CE69C71DB872AE7DC67E2711F99
SHA1:	3C1C7E14A3FD41FEC0CCDB0A199C09C060C673F2
SHA-256:	C0EFF1D145967FFE384C611C4DE175A508CB15BA3A956BAAE1437D099803B8D5
SHA-512:	F8A12DB3A78C49A92AD24FA02B2E2C1EC17C2D29B0D5D8AE6EFE5A751C752031B98A2D887E46AF32AD7C9CE0C5FC3334B72F006AD64467897601258D2E0B2963
Malicious:	false

C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
File Type:	data
MD5:	C63DB87738A5CCB288A38F3E6721C5A1
SHA1:	3A582F29F692E73DCE070F7D4FD23199DBE7CC4D
SHA-256:	9C02FD633937A1B6ED9E044E86B607FF93F8A409C263CD16A8D6B06A1080F605
SHA-512:	C80831BE0B4D6BD64263E358BEF3319CB45DDEDA788183EA32C03F113C630D114E549D645E66F4EE8506AF0ABB9BBA76D61B3B6121E9C01EFF03156A499AF2D2
Malicious:	false

C:\Users\Default\NTUSER.DAT.LOG
File Type:	data
MD5:	CE01568D23D82E97607B764F0202ED10
SHA1:	69E0BD1B2C0371AD3920F4C192C17D8EB82DC70B
SHA-256:	2D25A937854BDB00545973C0958E77007DB73740A58C761B7D33DF3EB3655BC9
SHA-512:	79A1565B509B1E963D6FEFACC2154516D58DF5B71B81ADBF2BBBB520553B5494F2634F2164BA39AB2D321B75210C4AB0CF0064905AA4282BEF2F257E572F7367
Malicious:	false

C:\Users\Default\diablo6-1193.htm
File Type:	HTML document text
MD5:	EC563F69B71DF7252FD520FB710F4874
SHA1:	AD67F2F19D6B91483114A5BB70617629FD0F782D
SHA-256:	833E6DB3750DD83A2BE5B4D2997B8EE3D841ED5A31942E52F67C269481AD7F7A
SHA-512:	D272C5D7BF308264EC4C84805CF971C813F22A45803420F9374E8C5566819B00C839C6D1145C6156E5D4EBAAB93B41CA706097B3234F4708C8188C2CDE00561C
Malicious:	true

C:\Users\LUKETA~1\AppData\Local\Temp\Kno5E97.tmp
File Type:	XML document text
MD5:	002D5646771D31D1E7C57990CC020150
SHA1:	A28EC731F9106C252F313CCA349A68EF94EE3DE9
SHA-256:	1E2E25BF730FF20C89D57AA38F7F34BE7690820E8279B20127D0014DD27B743F
SHA-512:	689E90E7D83EEF054A168B98BA2B8D05AB6FF8564E199D4089215AD3FE33440908E687AA9AD7D94468F9F57A4CC19842D53A9CD2F17758BDADF0503DF63629C6
Malicious:	false

C:\Users\LUKETA~1\AppData\Local\Temp\~DF7E8A7EB1EF408030.TMP
File Type:	data
MD5:	C48211F7CB30695EF830727A8493397F
SHA1:	293B7DDD882D611B15D4406272B01D335CF78302
SHA-256:	605E5A766E5823AC972089B3EF326696ADAA24DBB58ABC4D1972B65A545B1B2D
SHA-512:	09590182CFFCF0A56BB40435F77AA2F803ED0E4FE8304BE66C7B2AB1B682DFD09056ECB178DB718C5F80739E1D8845F64FCA557227C6D56BE6949C9671E6AAC8
Malicious:	false

C:\Users\LUKETA~1\AppData\Local\Temp\~DFAC0E3508683880B6.TMP
File Type:	data
MD5:	67818FEE50E72D01F5419D8246838D4C
SHA1:	EAA3A2775640993ADD2972866CEA2B9BC99B5F6E
SHA-256:	EAE4AEF3F87C4466334A8613A63A981FFC333B7C9C893B476B71BB08A8AF2271
SHA-512:	C1A6914AF27BAC6334E75A3A1DF9B0F56631D8ABF52C08B678E0A671FC786208A2737F7AE638E748ADC7F27E1F9A94020057380BD3B7AC566030DE49575961AE
Malicious:	false

C:\Users\Public\Music\Sample Music\Kalimba.mp3
File Type:	data
MD5:	CBE2B89B387B3543BC01C890A3421535
SHA1:	278154028F3C578EDC326E53E752BBC5DFADBD98
SHA-256:	5B6C95987FF23632765419E0E283A5DB6ED66F42C0D37E22A1DA3E28DAC5DE60
SHA-512:	33E9D2BEA64E2F1D88C9E27BBF4753A49BF15692B71E4B5FAF39E1EB47547305A5BBFDF8E23CAAB3673A5625D678D27BF1E6D28EBDB1056CB390398B3F4436FE
Malicious:	false

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
File Type:	data
MD5:	449A0978612CABD7C457D8D75928EFA6
SHA1:	BFC795D80EAC6477C0D219FDE1F8DB1078A98CD5
SHA-256:	E452369C80B13F33BA593B01F9CDD26125A7FD09BA785E5D703F7078CDA50F7B
SHA-512:	3D529F8C7A6E661D35FC1F382285DF47089DC3A34E1108612E805489A6300F92D6634EB72470CFDC1E1B5327A9E7D407631C17D1A4DEC93E791E86532DE579ED
Malicious:	false

C:\Users\Public\Music\Sample Music\Sleep Away.mp3
File Type:	data
MD5:	944744197AF156FE37B9CC9BBA4A2757
SHA1:	ABFF51352AF2F6A262D23C74D29D567F23061AF8
SHA-256:	D853B4836986349F06CBF0DEC6692CD3341865E1B2D70BE01D8906B91472BEC7
SHA-512:	68A6A482DCEB34BDAE6751F987E9EFFD53954543B9B188224FB47ED1B682F5205AD28067014D74AAD575140E67A998E93BE03D135C2C0DB708DEF1EEBB27F4E8
Malicious:	false

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
File Type:	data
MD5:	E2A68F2B8FF8F62876788416FCD49EC1
SHA1:	71B280B2FDAE02B981B7A46FDC670510CAD8C635
SHA-256:	5AFCB8BA742E2469D967BB2F09ADC3BEC013710B033CE27DEBA690DD44381758
SHA-512:	761FD34A531828D0FA42933E4CAB00C1A276BFAE4A71CF04F800EBF4109E07FDFEB1C04E493CA405ADF08D90E1D93570CB7DBC8A7016F1E4D4B3D42D6701663F
Malicious:	false

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
File Type:	data
MD5:	7E58B697EE6330BFA44C877B8102154D
SHA1:	FB663A09DE2EF8CAC92170F018DBC278BA0A7A59
SHA-256:	3FE3BA0CD6A7FC58F62EC11A897EDF52DDF9F6912878D5A1DD4B00FF92B065D4
SHA-512:	379EBA4CC2435BAE59BD0F4D3148BABF616092C2030D865B19CBD7DCB0E540923BD527FE59244685E404D03F07838A6F25D9822ADCEF16EAFEE5C6572D4E5592
Malicious:	false

C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
File Type:	data
MD5:	55AC691907B109FD0AABB8AFDD4665D7
SHA1:	863A4181B895353C79F1792BFF3C2B9147852699
SHA-256:	D6E09D75017E8D51248F75899F8F5A5DD2B165F3D0FF429AED6B4DB8B9177ACA
SHA-512:	341842E970D1C3B18A17F91C8B48451A5A5D47F531393F078F66E97DEF199B5E8C9F3872D9540EDDDAD1F22CB9FA001EED0017E407D912A225A8A1357842B28E
Malicious:	false

C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
File Type:	data
MD5:	864660D83E8ED84A848A6823A8940095
SHA1:	53FBD8CF8112C4CE26E9520E014D4BF50A888466
SHA-256:	31F4D9F5597A96E6E0EC0F44881097F4595AAF861A3BAAEDE57EE036DB699DD9
SHA-512:	3A163DB1CCD0EF91840DDD0B85A26E61F5AF946AF81991359DC53A05C835F6C31D3F855A759152F4A1C7CDD18BBF5DB2FE6D33780D876CB42C1F9E7CF09C6D72
Malicious:	false

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
File Type:	data
MD5:	35D3D0AAD7746E74B8D8D45BD66A68A0
SHA1:	47664B482574B42E31FE8CFA76AC685976787178
SHA-256:	FA5BE4440A4DAA661537128B5A15B709A096E945D3530C59E3BFB7A9D35F0DBB
SHA-512:	147D88BC2A7F2060989ABAE753D5D25BA3ED7A2B7FF7E747089CCA2B4509830C25DE2ACA3B4B180B23A1C3447FAF7CD79FB8369A8E6E529E02229621C8CCEE2D
Malicious:	false

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
File Type:	data
MD5:	48F8661E1F673602B93AFC5843EC5E7E
SHA1:	6029713FF6114715B2F8CA1999E9D589CCFE5B8B
SHA-256:	66EE022527ED98417C9E33BA2BE27E6AD16D7A145BC5C153E453D1189D8802DA
SHA-512:	63DC273DD7592CF3BD1A7F16343AD357F9A2A7D2DE6F2E8F0194F651A884E4854EDE7B2C17B5233EFD029A3A9C37B2780FD6D58109B0660FEE519C2D16A6CF2E
Malicious:	false

C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
File Type:	data
MD5:	5E229E23CCC01D14EA344F5CB9BA1D86
SHA1:	A38E7964FF25EAB58135A1DAEFF31BFFBE86A690
SHA-256:	C34FE727A376CD7501275842F4D799D7247AFECAD7BE33A6C18FE737B1CA5030
SHA-512:	BC14FA115248DDD46529CD86DB43E89BD8393D37F0C668CFAAA76B46DF62B1513A7E93FAAAC87DC75647CDBB8D10F921A7FDE40420E2C46B5CFE5E78551CC4DB
Malicious:	false

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
File Type:	data
MD5:	A33AC8BFFFF0CA0466A6C9C1858ED822
SHA1:	7FF2063F9B786402E3D9418F79FD12AA4F52FC38
SHA-256:	A92F77B22C6666DD87D0E493D0E447E0B4F5CDA8DA283688736DDCD97CBC015C
SHA-512:	1DB8814573AB756338909326C53087DF7683BED6AF950B80E9027BCFA14142F703923BC1B0DCF12A27A645B46659EB37E15241AC899A89BB08A78FFD8A56E243
Malicious:	false

C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
File Type:	data
MD5:	7D111C6949B39D25021C7E29C61A9811
SHA1:	413014A3BAB8BFF0C6642DDC0FFABC8F5F67106A
SHA-256:	9B533F315AFF09D0E8948BC232F3B2BA07AC17B7D945834C60DCDF03A7023F9B
SHA-512:	0FE15F89A65B9160276E5AB158AC5C380865DA3C9FA79CA5DCCF421024AC39C0768386114787CC9F71E2EF0207D6ADFEC88F82ADF2BB5D4FDFE8F0C7DF044CFC
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785
File Type:	data
MD5:	79BC2DA0F1664F162FAE36309162010F
SHA1:	4526C50E6690F65E2D075EE4B3590B15DA3B2339
SHA-256:	F5AB1F4DB7694697B5E3B098DC115F70E97FC228FFCB6192B4453C9FEFBDDB8B
SHA-512:	22F81A93F2DD1AE59A8586FCDC0EC76F771879C23C2623E919CD2546F343581902CFB990202B3638F766A56B6E9D7FA8295F6C96F754E14749984960BBB6DA33
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
File Type:	data
MD5:	00B0F22690A554D83309F77BFA6568D8
SHA1:	51F11EE3390DCFB6688AFE10105293BB5EA6A8A8
SHA-256:	BFCE4DDEBADD47E5151A311C045348BE24C33D04D275279C62DAD791EC99AF86
SHA-512:	39B9E8C1A16D662CF1F659E1BCC5F8BFBF18AC844F34C094872503F35693979AEA3E850ADC3B6D307A02E21ECDC24DF663BA2313C40F914D37CE54B019B9F1FD
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1
File Type:	data
MD5:	05BFD3E5049B1C50F257EA98A2F106C1
SHA1:	F2A11912A0195135173E1E2484C57788F2C3DA34
SHA-256:	075A0B09CD1B9ED6F020EE68FDCB63B6B4FA8D21F5B1C2F24927D87171092532
SHA-512:	46A5C5EE6ECEF76AC7AE2DE80897E656E2BB1F98BF021494B61B09AAC24FE12E273F327A4B6C186FCB77252C57573ED596F7AA6A74C71B1019F4A91DAAC7D82C
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
File Type:	Microsoft Cabinet archive data, 6564 bytes, 1 file
MD5:	B7276CAD92CC1209EBDF72E2F897B29C
SHA1:	19575F70B3AA8576EB97F7989035AB0321A214DC
SHA-256:	8A8CEAB2F50E7DC7F42A32A298F7C81BC9680DB5C881A3F532390A3A26E08503
SHA-512:	80C9ED234A103B92D303322EB0A2DEDF7375A06F96BA3603D0E6B82F5921326BB44D7B0F8A561351642EF3E098D1F8F114D50E869B284A452D3FEBBCC9A533AF
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
File Type:	data
MD5:	B556CDA9CB7DD3505EFF20407FE6AFAA
SHA1:	9FF906CBEB2C5BFD8CC9C18DFF827536E438C579
SHA-256:	039491A2993EDF894DAA4D7206B8DAADDD1A4BF61EF5E5E65CEB0B0212BA8D81
SHA-512:	6AD756739D92B8490E20D4916BA6FB9C1564479E07DDDFD948873EAFF788AC5635A7D72828449171902D1EEE6CE1077CD1ACCE3F92F01D700F8775CDB5EEDB9E
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B912B2C6928A18B8CD7D50CF08BEA95B_F85B8279FA54A31CEEC2563F5A8F73E8
File Type:	data
MD5:	39E4B396009FA70554F973B157C3A23B
SHA1:	0B643CA65396193EA1786190B9294CB6605CFDF5
SHA-256:	AD2E5BC2C8CBB79E5CAD95F937D74C572232CC07016484F720E28CC1F2CC43D5
SHA-512:	74CE153F5A7104990B0A1A14915E5B9BF9D7184C14E57DCE8AF232C6A6401A5DAA38841B36619EE039AC7C2FA6194046EBFEECD4C1D78486F9A0E102D853B2C3
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785
File Type:	data
MD5:	A5DBC7A6B74F552C51B27AE3B8F93948
SHA1:	C5080CF0D5F55A24D682B6F7C663F7FA034D04ED
SHA-256:	3C781CED1882347E7D7D2AF3CEACE498CCBAA5CB3BEF42DE8DE1F0FC08925F87
SHA-512:	D6DD219F295E0A8E46C6C0860670E3098E1CBC4C76311CDB79F90DC463745DED53C883C21CC4C3CE00D5AB746429157059B6A407A9E4FB8FB558504DFA645052
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
File Type:	data
MD5:	1451F03C13710A9A54C480525BB44134
SHA1:	33634752BC607A58160D127C75C3F09478AB3456
SHA-256:	611E0E581164AD77C9B776E49A168C4259C4D1045F1C28047B8B59A477155228
SHA-512:	3F67A661E82A895FC7CFC0D3D23600A79B7D284DF5CF3CD844C0A052E1C9AA6ACE8F3A3DFD72D6DA0178B8F743FD20E6EEFEB9B451AEE055EBC280525FA14A1F
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1
File Type:	data
MD5:	28CEA267DBC0FBE570A09EBD4EA489C4
SHA1:	CD753DBB4A0B9AE8B8C11C0C2B5CB06B81142920
SHA-256:	B1BB0BE444187211E7F547A96B6967A9F99332E41DB641F176A0517A2F9A8939
SHA-512:	24EFF84F3A7020406C0E4BD5EAD9264C8C34F7A6762A9F307B94C06F0939A50DCF83DA3EE28CD5C96EA6A306925BE3352405286D196073F2E1D61A345199EBCE
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
File Type:	data
MD5:	89645624D8143CD824A0FA4D946E6640
SHA1:	20D596D2EC0D727DACB47F6D12892C2955013F26
SHA-256:	E71F139EC3FF348479C58224FED432E1100975C17E480B2E96ECEC64FB9893AE
SHA-512:	A7FEEE96F302055F9DDF766375C70C6D4F99195AD0921649C17D9939783B9310925BB9BB7958A38AA51981EBB1948F81C14C2BFE665136954569537E9EC82B38
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
File Type:	data
MD5:	637CFB980A049A84497F93FA27013461
SHA1:	ED79FDE8734CF12BA0BDE40111825AE7924EEAF0
SHA-256:	9528E60E744B22CFCDD6BB6B32C85352CC62A734820C9244C11709BA4D417925
SHA-512:	BA71204C883CDB4D777C0C5505D81B204D548BA2DF762D435E6E23D4DE86ECA6E1D1DEE483911DB6D369F13BFBE7D899377F38BAAA0E12CB0164E41F3116AED1
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_F85B8279FA54A31CEEC2563F5A8F73E8
File Type:	data
MD5:	E917800CF3C38BDC74C790E7BBB50429
SHA1:	9E6E5B64922C4031AD52DC29FD7300EFCED578BE
SHA-256:	629F4A3B29CB94F5FA89049D4A12CD7018D078498BB839690514E9EB4D2E59A6
SHA-512:	928207430B10E9A493A61366D6B5A0F5B282F1428C533CFDED0FBC6049748D211E9013DF34815925F9BD84697942FB134E2B64CF59EE8AD5FD3CABE0DD0A6E96
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
File Type:	PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5:	1A85A1A8E48D59921E4802DF39CAAD1D
SHA1:	8274A054D39EE873AC2ADA3C447845386D080738
SHA-256:	A397C7CEEC858FDF9DB122669662F6D89D30BE1E4B6DE727156628B5C48DF62D
SHA-512:	7A6A77EDF9EB8DD289EC01763DBAFD24692D1270BAB71A190656B0A6B07936CA65EF928CF1C5C425B592C1BC2D2D108317E4B1B1916E04A9BF462A7C943B1125
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.2
File Type:	data
MD5:	5A34CB996293FDE2CB7A4AC89587393A
SHA1:	3C96C993500690D1A77873CD62BC639B3A10653F
SHA-256:	C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD
SHA-512:	E1B7D0107733F81937415104E70F68B1BE6FD0CA65DCCF4FF72637943D44278D3A77F704AEDFF59D2DBC0D56A609B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
File Type:	XML document text
MD5:	CC71D4468DD4A3A28EC060A8E1BFB8FF
SHA1:	2A386974AAF4D6AEA5F9A04A9B83E088B1F7AABD
SHA-256:	C2C5ACAB4CE9C759A2D4F96EDD9BC9EC0B7004168B86793F5295FF568ECD559C
SHA-512:	522B7481DBD8897783ABE35548C9B21EEA22C59B7C17518536FE6D29A978F5848666EA5A63F0D8661F69E1C449AEB2F716AA9569F908795DF71FD692DA12BC73
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{679A44E5-843A-11E7-A80A-B808CF8DE4D6}.dat
File Type:	Microsoft Word Document
MD5:	386493D814C0579F864DA060B6A9AF35
SHA1:	CC697D2A8D03F739FBF8331932CC3A48FBAA1F0F
SHA-256:	069E93BC3173465738672314EEDAAA6634BC3117F0EA8D31CF9FAF11ABCA43D8
SHA-512:	C92C6E7853BB3E92D674C32BF2AFF275636ED397508A2635AB33A050194C742D49800689A60178CF2F88C5A88723531C604AB92DE5551E90CA764A67C07AFDA8
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{679A44E7-843A-11E7-A80A-B808CF8DE4D6}.dat
File Type:	Microsoft Word Document
MD5:	F87095A4740EDC59332FB62B1F1FE731
SHA1:	98A1EE1B3B6C6A2B51E13286511CFA346922F29B
SHA-256:	CBA032AB06837BDBAC01F65ABC0B625A949F7678DAF0EBAE928F0DF00FC9CF42
SHA-512:	BA1F60CE29E8D16799E55396844D2314159B7F29C48D42BE6057484EC880C111B7B5A2FD2C56C45578F8743CA519DB8654FBF11173A72E41EE36C6E0D4263780
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB8ED.tmp
File Type:	XML document text
MD5:	AF773B99E64F354DCB9E281473D2FB85
SHA1:	5D73CC5274758DDE696A0B04DB7F5349CB22B916
SHA-256:	B757C1F02E664291317F7D77F43099D0AA0D9B024D261A7A9AFB6FF51B0BA056
SHA-512:	0226485642EEA9127BEBCFC2711E41FEEF591B1EC2F1BF933DED2FA9BB89EE06541DA4FFA6D16FF4C84CD30FBE64C51C752F1BB91FDF0C3DD5729D4B0EDCEE34
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3HOVZAYJ\iecompatviewlist[1].xml
File Type:	XML document text
MD5:	CC71D4468DD4A3A28EC060A8E1BFB8FF
SHA1:	2A386974AAF4D6AEA5F9A04A9B83E088B1F7AABD
SHA-256:	C2C5ACAB4CE9C759A2D4F96EDD9BC9EC0B7004168B86793F5295FF568ECD559C
SHA-512:	522B7481DBD8897783ABE35548C9B21EEA22C59B7C17518536FE6D29A978F5848666EA5A63F0D8661F69E1C449AEB2F716AA9569F908795DF71FD692DA12BC73
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3HOVZAYJ\known_providers_download_v1[1].xml
File Type:	XML document text
MD5:	002D5646771D31D1E7C57990CC020150
SHA1:	A28EC731F9106C252F313CCA349A68EF94EE3DE9
SHA-256:	1E2E25BF730FF20C89D57AA38F7F34BE7690820E8279B20127D0014DD27B743F
SHA-512:	689E90E7D83EEF054A168B98BA2B8D05AB6FF8564E199D4089215AD3FE33440908E687AA9AD7D94468F9F57A4CC19842D53A9CD2F17758BDADF0503DF63629C6
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GNNUVO51\favicon[1].ico
File Type:	PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5:	5B188904E3BC002102653489E7AC4A4A
SHA1:	96607BA47296757DF3A005614947A5E83BA8683D
SHA-256:	507C647828E8B817E23D90C7BE73B3105C32B9900147D0647B35046A32BE1016
SHA-512:	99BF5DBC8CBAD84CA240A2DDAD2DE73BFC434193A4F729738048A09051688771E8C92D99AA6B0C5698C702FD155663DF28916F74561CAE1F8C73C0D9DD1A9FF7
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JBDEVYJT\urlblockindex[1].bin
File Type:	data
MD5:	FA518E3DFAE8CA3A0E495460FD60C791
SHA1:	E4F30E49120657D37267C0162FD4A08934800C69
SHA-256:	775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
SHA-512:	D21667F3FB081D39B579178E74E9BB1B6E9A97F2659029C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69E49A6A2FE2FDD0967938AA645C07
Malicious:	false

C:\Users\user\Contacts\user.contact
File Type:	data
MD5:	1D88C0FB23CC20E31DDD75C6C42BDBA1
SHA1:	AA6ACA4FE53F7E874654ABFE644CCF80228FFE6B
SHA-256:	4F1B69910CEFF66F789494A487ABCC5966FF967B8438789D5A706A704383BEB7
SHA-512:	84593A4924F89B5C008B3FA3F0D927C4692E795450C82E5E62B9BC686802234AC40A7C19627008EF6A8D12BD5B6D2CDAF6EC0DBC9DCB465DB0C8A02137EC6AF2
Malicious:	false

C:\Users\user\Desktop\6422942404.doc
File Type:	data
MD5:	E5F6541AE7244E381F375A4951F63253
SHA1:	F445D0A6039A67C485E1C7529D4B38DE9CB6603F
SHA-256:	D8DB80085A376946A5A135F9E7649128087367E44D3C9DF2F24EA34DBA2245D1
SHA-512:	9400DE25F040211BD5021A8329FD6DFC29ED087E16644110331BB4E396248385F230AE62CAB08ED17D95F8209CF4A2DD185BEA1C80C2808494E83C12B0136E0F
Malicious:	true

C:\Users\user\Desktop\7245361316.doc
File Type:	data
MD5:	0CD3C3AE5CCE9B162251D5E4F2B8D624
SHA1:	00FA98516A68E4E6C78302289EBE6661262546E7
SHA-256:	3CA476915B48CABB19311CAF89D6DC529910B7B19EAA7723126397D4CA58CA7B
SHA-512:	27C4E67BDB0F410C3F2A1D15C588C1D797EE331B47C50127BE4AD132CC59F999247433297DD98D36385177EB4DF51B7C0C3C4E5C6928C088EE7C4DB5089F4A0E
Malicious:	true

C:\Users\user\Desktop\8182259827.doc
File Type:	data
MD5:	8EA87C3A71D76D0FFEFE382BAF9BE83E
SHA1:	FA62FB5B04A54054BBE51A01397B6B61B3FC570C
SHA-256:	3E8DBED4CD57AE35FF98A35E451CCD8B36D378D12902B4DE47D021A66405781B
SHA-512:	0546571951E2FEE9831B24AF92B44F3A78610B1BA89FE1F4DEB2D6899C8DC8D55B9269E9CA2DF51A76D73E3D28A09C338764B53884B9178EACFAFE5B9A0AD4F5
Malicious:	true

C:\Users\user\Desktop\8886835349.doc
File Type:	data
MD5:	EFFCB1BB2D4B243E17EB61F08F0EAD93
SHA1:	507B0F6B8670DFFBBE089D78CDFB886FDA17C23B
SHA-256:	66D9C6474FDAE833634CC865D5F796E99EE9C13DB21502F638CB85ACE05ED908
SHA-512:	8355998B2868BE3D3B658A301F156E5B45942A24BABA14148C26059B48CB0E13C3F199A65E7DE1C978029A95496DD629C9B39547F38BE2ACE09CA18E4761B4A4
Malicious:	true

C:\Users\user\Desktop\diablo6-19ec.htm
File Type:	HTML document text
MD5:	EC563F69B71DF7252FD520FB710F4874
SHA1:	AD67F2F19D6B91483114A5BB70617629FD0F782D
SHA-256:	833E6DB3750DD83A2BE5B4D2997B8EE3D841ED5A31942E52F67C269481AD7F7A
SHA-512:	D272C5D7BF308264EC4C84805CF971C813F22A45803420F9374E8C5566819B00C839C6D1145C6156E5D4EBAAB93B41CA706097B3234F4708C8188C2CDE00561C
Malicious:	true

C:\Users\user\Desktop\diablo6.bmp
File Type:	PC bitmap, Windows 3.x format, 1229 x 670 x 32
MD5:	C647DE635BE79AA85CD5F2D2CB2F20DB
SHA1:	8C8EC54D0209241FDE098B5ED49834EFDE9FBAE2
SHA-256:	96309EDC0A495929D42B169D7B4ECDDF4EB3CAE9697D973A75345F45C1DAA292
SHA-512:	CF24704D5830DEF5F3CC20667ABD91305329A74E757697A12EBE4BAA30299FDA488FEA819A62E6630A4B1522F7AE0F35C13C05E2EFCC82053A128C3FFF6476D4
Malicious:	true

C:\Users\user\Desktop\diablo6.htm
File Type:	HTML document text
MD5:	EC563F69B71DF7252FD520FB710F4874
SHA1:	AD67F2F19D6B91483114A5BB70617629FD0F782D
SHA-256:	833E6DB3750DD83A2BE5B4D2997B8EE3D841ED5A31942E52F67C269481AD7F7A
SHA-512:	D272C5D7BF308264EC4C84805CF971C813F22A45803420F9374E8C5566819B00C839C6D1145C6156E5D4EBAAB93B41CA706097B3234F4708C8188C2CDE00561C
Malicious:	true

C:\autoexec.bat
File Type:	data
MD5:	D9C483A5D3FC88FD29FF5EC493EB2EDE
SHA1:	6DCAD8F5E1C677FAE4883B2C7E1912E9BC1664C6
SHA-256:	AB80189C36A54A79EA2202530F73146C4021174E1B89A4083B5EE08CD3F9D28A
SHA-512:	06E4F41E7B0437D29D67AFF1A00B67DEC659F5EB77B4ACEF9D2F07CFE32BA60D2B51C196979A44B6A67420BFBE2F5B4154D3B64CAE4EB4CF1BA450D979851C8A
Malicious:	false

C:\diablo6-db6f.htm
File Type:	HTML document text
MD5:	EC563F69B71DF7252FD520FB710F4874
SHA1:	AD67F2F19D6B91483114A5BB70617629FD0F782D
SHA-256:	833E6DB3750DD83A2BE5B4D2997B8EE3D841ED5A31942E52F67C269481AD7F7A
SHA-512:	D272C5D7BF308264EC4C84805CF971C813F22A45803420F9374E8C5566819B00C839C6D1145C6156E5D4EBAAB93B41CA706097B3234F4708C8188C2CDE00561C
Malicious:	true

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name	Malicious
83.217.8.61	Russian Federation	60651	StekKazanLLC	true
31.202.130.9	Ukraine	34700	MAXNETTELECOMLTD	true
192.168.1.16	unknown	unknown	unknown	false
91.234.35.106	Ukraine	56485	FOPSedinkinOlexandrValeriyovuch	true
8.8.8.8	United States	15169	GoogleInc	false

Static File Info

General
File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	y872ff2.exe
File size:	620544
MD5:	544bc1c6ecd95d89d96b5e75c3121fea
SHA1:	b4dc5f5d47b87baa0be87afda5ccee1f00497984
SHA256:	f689391b0527fbf40d425e1ffb1fafd5c84fa68af790e8cc4093bcc81708c11b
SHA512:	2c973d0889e1676fd47868cc4566b99c7a0cf152336a4e4d7d664e83df8aa0354be9939bf69d58535fb4a020b70c5f859b0a92e5cea15277be75e6199311121d
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O1Q.............................\............@........................................................................

File Icon

Static PE Info

General
Entrypoint:	0x405ca2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x51314FC7 [Sat Mar 02 01:03:03 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b0ae8ca12fba7534a1ac5a4b4dbdfd1e

Entrypoint Preview

Instruction
push eax
mov dword ptr [esp], ebp
inc edx
mov ebp, esp
sub esp, 30h
lea edi, dword ptr [004131A5h]
push dword ptr [edi]
call 0F663031h
push 00413199h
mov eax, 0000000Ch
push eax
call 0F65EE92h
push 00413199h
mov eax, 0000000Ch
push eax
call 0F65EE81h
mov eax, 0000000Fh
push eax
push 0041317Eh
push 00413175h
call 0F65F026h
test eax, eax
jne 0F65CEE6h
mov eax, 0000000Fh
push eax
push 0041317Eh
push 00413175h
call 0F65F008h
test eax, eax
jne 0F65CEC8h
jmp 0F659059h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push 00413195h
push 0041318Dh
mov eax, 00000000h
push eax
call 0F65E5FEh
lea ecx, dword ptr [004131A5h]
push dword ptr [ecx]
call 0F662F9Eh
mov eax, 0000000Fh
push eax
push 0041317Eh
push 00413175h
call 0F65EFB5h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x948fc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd6000	0x32a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1704	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x947ac	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x96000	0x80	.dec
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Xored PE	ZLIB Complexity	File Type	Characteristics
.text	0x1000	0xcce5	0xce00	False	0.27510618932	ump; data	4.89592306822	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE
.rdata	0xe000	0x87082	0x87200	False	0.927152593085	ump; data	7.90630231924	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.dec	0x96000	0x40000	0x0	False	0	ump; empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xd6000	0x32a0	0x3400	False	0.0416917067308	ump; data	5.95758062312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
DAS	0xd66a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd68a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd6aa0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd6ca0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd6ea0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd70a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd72a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd74a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd76a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd78a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd7aa0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd7ca0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd7ea0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd80a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd82a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd84a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd86a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd88a0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd8aa0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd8ca0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd8ea0	0x200	ump; raw G3 data, byte-padded	English	United States
DAS	0xd90a0	0x200	ump; raw G3 data, byte-padded	English	United States
RT_STRING	0xd64a0	0x200	ump; raw G3 data, byte-padded

Imports

DLL	Import
authz.dll	AuthzFreeAuditEvent, AuthzFreeResourceManager
certcli.dll	CACloseCA, CACloseCertType, CAEnumFirstCA, CAEnumNextCA
user32.dll	wsprintfW, LoadBitmapA, IsDialogMessageA, DispatchMessageA, PostMessageA, CharToOemW, LoadIconA, IsCharLowerA, DialogBoxParamW, MessageBoxW, GetClassLongW, DrawStateW, PeekMessageA, InsertMenuW
cmutil.dll	CmFree, CmMoveMemory
kernel32.dll	GetCommandLineA, InterlockedDecrement, CreateNamedPipeW, GetModuleFileNameW, WaitForSingleObject, SetLocalTime, CreateThread, GetComputerNameExW, FindClose, FindResourceExW, ResumeThread, GlobalAddAtomW, GetConsoleTitleW, SetPriorityClass, FindNextFileA, CreateFileMappingW, FindFirstFileW, FormatMessageW, TlsGetValue, GetLogicalDriveStringsW, GetProcAddress, GetPrivateProfileStringA, CreateDirectoryW, CreateSemaphoreA, LoadLibraryA, GetTempPathA, GetModuleHandleA
shlwapi.dll	UrlGetPartA, PathCompactPathW, UrlCreateFromPathW, UrlCombineW, UrlEscapeA, UrlCompareW, UrlUnescapeA, PathIsRootA, UrlHashW, UrlIsNoHistoryA, UrlGetLocationW, PathCommonPrefixA, UrlIsW, PathCombineW
odbctrac.dll	TraceSQLCancel, TraceSQLConnect
shell32.dll	SHGetMalloc, DllGetClassObject, DragQueryFileA, DllRegisterServer, SHBrowseForFolderA, SHGetDesktopFolder, StrChrW, ExtractIconA, SHEmptyRecycleBinW, SHCreateDirectoryExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP:	Network PCAP

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/18/17-19:24:53.874549	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49191	80	192.168.1.16	83.217.8.61
08/18/17-19:24:53.874549	TCP	2023576	ET TROJAN Locky CnC Checkin Dec 5 M1	49191	80	192.168.1.16	83.217.8.61
08/18/17-19:24:54.247924	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49192	80	192.168.1.16	31.202.130.9
08/18/17-19:24:54.247924	TCP	2023576	ET TROJAN Locky CnC Checkin Dec 5 M1	49192	80	192.168.1.16	31.202.130.9
08/18/17-19:25:24.465643	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49193	80	192.168.1.16	91.234.35.106
08/18/17-19:25:24.465643	TCP	2023576	ET TROJAN Locky CnC Checkin Dec 5 M1	49193	80	192.168.1.16	91.234.35.106
08/18/17-19:25:38.765260	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49194	80	192.168.1.16	83.217.8.61
08/18/17-19:25:38.765260	TCP	2023576	ET TROJAN Locky CnC Checkin Dec 5 M1	49194	80	192.168.1.16	83.217.8.61
08/18/17-19:25:38.935457	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49195	80	192.168.1.16	31.202.130.9
08/18/17-19:25:38.935457	TCP	2023576	ET TROJAN Locky CnC Checkin Dec 5 M1	49195	80	192.168.1.16	31.202.130.9
08/18/17-19:26:08.946030	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49196	80	192.168.1.16	91.234.35.106
08/18/17-19:26:08.946030	TCP	2023576	ET TROJAN Locky CnC Checkin Dec 5 M1	49196	80	192.168.1.16	91.234.35.106
08/18/17-19:26:14.728592	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49197	80	192.168.1.16	83.217.8.61
08/18/17-19:26:14.728592	TCP	2023576	ET TROJAN Locky CnC Checkin Dec 5 M1	49197	80	192.168.1.16	83.217.8.61

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2017 19:24:53.873334885 MESZ	49191	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:24:53.873394966 MESZ	80	49191	83.217.8.61	192.168.1.16
Aug 18, 2017 19:24:53.873476028 MESZ	49191	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:24:53.874548912 MESZ	49191	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:24:53.874576092 MESZ	80	49191	83.217.8.61	192.168.1.16
Aug 18, 2017 19:24:53.874773026 MESZ	49191	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:24:53.874792099 MESZ	80	49191	83.217.8.61	192.168.1.16
Aug 18, 2017 19:24:54.206367016 MESZ	80	49191	83.217.8.61	192.168.1.16
Aug 18, 2017 19:24:54.208709955 MESZ	49191	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:24:54.209047079 MESZ	49191	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:24:54.209075928 MESZ	80	49191	83.217.8.61	192.168.1.16
Aug 18, 2017 19:24:54.246371984 MESZ	49192	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:24:54.246454000 MESZ	80	49192	31.202.130.9	192.168.1.16
Aug 18, 2017 19:24:54.247409105 MESZ	49192	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:24:54.247924089 MESZ	49192	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:24:54.247952938 MESZ	80	49192	31.202.130.9	192.168.1.16
Aug 18, 2017 19:24:54.248117924 MESZ	49192	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:24:54.248135090 MESZ	80	49192	31.202.130.9	192.168.1.16
Aug 18, 2017 19:25:24.369997025 MESZ	49192	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:25:24.464909077 MESZ	49193	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:25:24.464957952 MESZ	80	49193	91.234.35.106	192.168.1.16
Aug 18, 2017 19:25:24.465044022 MESZ	49193	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:25:24.465642929 MESZ	49193	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:25:24.465660095 MESZ	80	49193	91.234.35.106	192.168.1.16
Aug 18, 2017 19:25:24.465823889 MESZ	49193	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:25:24.465837955 MESZ	80	49193	91.234.35.106	192.168.1.16
Aug 18, 2017 19:25:38.745506048 MESZ	80	49193	91.234.35.106	192.168.1.16
Aug 18, 2017 19:25:38.745774031 MESZ	49193	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:25:38.758501053 MESZ	49193	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:25:38.758539915 MESZ	80	49193	91.234.35.106	192.168.1.16
Aug 18, 2017 19:25:38.763056040 MESZ	49194	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:25:38.763139009 MESZ	80	49194	83.217.8.61	192.168.1.16
Aug 18, 2017 19:25:38.764513969 MESZ	49194	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:25:38.765259981 MESZ	49194	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:25:38.765285015 MESZ	80	49194	83.217.8.61	192.168.1.16
Aug 18, 2017 19:25:38.765413046 MESZ	49194	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:25:38.765424967 MESZ	80	49194	83.217.8.61	192.168.1.16
Aug 18, 2017 19:25:38.932610989 MESZ	80	49194	83.217.8.61	192.168.1.16
Aug 18, 2017 19:25:38.932801962 MESZ	49194	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:25:38.933295012 MESZ	49194	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:25:38.933329105 MESZ	80	49194	83.217.8.61	192.168.1.16
Aug 18, 2017 19:25:38.934825897 MESZ	49195	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:25:38.934894085 MESZ	80	49195	31.202.130.9	192.168.1.16
Aug 18, 2017 19:25:38.934993029 MESZ	49195	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:25:38.935456991 MESZ	49195	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:25:38.935478926 MESZ	80	49195	31.202.130.9	192.168.1.16
Aug 18, 2017 19:25:38.935600996 MESZ	49195	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:25:38.935619116 MESZ	80	49195	31.202.130.9	192.168.1.16
Aug 18, 2017 19:26:08.941122055 MESZ	49195	80	192.168.1.16	31.202.130.9
Aug 18, 2017 19:26:08.945365906 MESZ	49196	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:26:08.945444107 MESZ	80	49196	91.234.35.106	192.168.1.16
Aug 18, 2017 19:26:08.945549011 MESZ	49196	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:26:08.946029902 MESZ	49196	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:26:08.946052074 MESZ	80	49196	91.234.35.106	192.168.1.16
Aug 18, 2017 19:26:08.946202993 MESZ	49196	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:26:08.946219921 MESZ	80	49196	91.234.35.106	192.168.1.16
Aug 18, 2017 19:26:14.715092897 MESZ	80	49196	91.234.35.106	192.168.1.16
Aug 18, 2017 19:26:14.715153933 MESZ	80	49196	91.234.35.106	192.168.1.16
Aug 18, 2017 19:26:14.715284109 MESZ	49196	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:26:14.724219084 MESZ	49196	80	192.168.1.16	91.234.35.106
Aug 18, 2017 19:26:14.724261999 MESZ	80	49196	91.234.35.106	192.168.1.16
Aug 18, 2017 19:26:14.727550030 MESZ	49197	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:26:14.727632046 MESZ	80	49197	83.217.8.61	192.168.1.16
Aug 18, 2017 19:26:14.728049040 MESZ	49197	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:26:14.728591919 MESZ	49197	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:26:14.728610039 MESZ	80	49197	83.217.8.61	192.168.1.16
Aug 18, 2017 19:26:14.728718996 MESZ	49197	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:26:14.728732109 MESZ	80	49197	83.217.8.61	192.168.1.16
Aug 18, 2017 19:26:16.087783098 MESZ	80	49197	83.217.8.61	192.168.1.16
Aug 18, 2017 19:26:16.088030100 MESZ	49197	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:26:16.088217020 MESZ	49197	80	192.168.1.16	83.217.8.61
Aug 18, 2017 19:26:16.088237047 MESZ	80	49197	83.217.8.61	192.168.1.16
Aug 18, 2017 19:27:03.788678885 MESZ	56587	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:03.816102028 MESZ	56657	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:03.842835903 MESZ	64336	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:03.908545971 MESZ	53	56587	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:03.959247112 MESZ	53	56657	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:04.026984930 MESZ	53	64336	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:05.726686954 MESZ	57618	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:05.733896017 MESZ	55120	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:05.850924015 MESZ	53	57618	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:05.962412119 MESZ	53	55120	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:08.291136980 MESZ	55885	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:08.300983906 MESZ	62228	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:08.641016006 MESZ	53	62228	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:08.641091108 MESZ	53	55885	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:08.656748056 MESZ	60304	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:08.661111116 MESZ	65253	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:08.841973066 MESZ	53	60304	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:08.941395998 MESZ	53	65253	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:09.771264076 MESZ	50518	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:09.995475054 MESZ	53	50518	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:10.002386093 MESZ	52888	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:10.195143938 MESZ	53	52888	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:10.910228968 MESZ	62136	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:11.173126936 MESZ	53	62136	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:11.182228088 MESZ	57533	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:11.323652029 MESZ	53	57533	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:13.335038900 MESZ	60624	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:13.507211924 MESZ	53	60624	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:18.062499046 MESZ	54225	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:18.251791954 MESZ	53	54225	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:18.283586025 MESZ	62651	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:18.466002941 MESZ	53	62651	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:26.977869034 MESZ	49254	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:26.987895966 MESZ	58101	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:27.213047981 MESZ	53	49254	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:27.285654068 MESZ	53	58101	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:30.226064920 MESZ	56632	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:30.410820961 MESZ	53	56632	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:30.421411991 MESZ	51219	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:30.619086027 MESZ	53	51219	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:39.958245993 MESZ	65506	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:40.204829931 MESZ	53	65506	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:40.211920023 MESZ	63142	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:40.424962044 MESZ	53	63142	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:41.075092077 MESZ	54716	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:41.369510889 MESZ	53	54716	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:41.396049976 MESZ	64148	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:41.568135023 MESZ	53	64148	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:58.046792030 MESZ	64815	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:58.188836098 MESZ	53	64815	8.8.8.8	192.168.1.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2017 19:27:03.788678885 MESZ	56587	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:03.816102028 MESZ	56657	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:03.842835903 MESZ	64336	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:03.908545971 MESZ	53	56587	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:03.959247112 MESZ	53	56657	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:04.026984930 MESZ	53	64336	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:05.726686954 MESZ	57618	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:05.733896017 MESZ	55120	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:05.850924015 MESZ	53	57618	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:05.962412119 MESZ	53	55120	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:08.291136980 MESZ	55885	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:08.300983906 MESZ	62228	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:08.641016006 MESZ	53	62228	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:08.641091108 MESZ	53	55885	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:08.656748056 MESZ	60304	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:08.661111116 MESZ	65253	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:08.841973066 MESZ	53	60304	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:08.941395998 MESZ	53	65253	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:09.771264076 MESZ	50518	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:09.995475054 MESZ	53	50518	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:10.002386093 MESZ	52888	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:10.195143938 MESZ	53	52888	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:10.910228968 MESZ	62136	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:11.173126936 MESZ	53	62136	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:11.182228088 MESZ	57533	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:11.323652029 MESZ	53	57533	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:13.335038900 MESZ	60624	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:13.507211924 MESZ	53	60624	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:18.062499046 MESZ	54225	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:18.251791954 MESZ	53	54225	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:18.283586025 MESZ	62651	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:18.466002941 MESZ	53	62651	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:26.977869034 MESZ	49254	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:26.987895966 MESZ	58101	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:27.213047981 MESZ	53	49254	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:27.285654068 MESZ	53	58101	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:30.226064920 MESZ	56632	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:30.410820961 MESZ	53	56632	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:30.421411991 MESZ	51219	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:30.619086027 MESZ	53	51219	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:39.958245993 MESZ	65506	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:40.204829931 MESZ	53	65506	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:40.211920023 MESZ	63142	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:40.424962044 MESZ	53	63142	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:41.075092077 MESZ	54716	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:41.369510889 MESZ	53	54716	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:41.396049976 MESZ	64148	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:41.568135023 MESZ	53	64148	8.8.8.8	192.168.1.16
Aug 18, 2017 19:27:58.046792030 MESZ	64815	53	192.168.1.16	8.8.8.8
Aug 18, 2017 19:27:58.188836098 MESZ	53	64815	8.8.8.8	192.168.1.16

HTTP Request Dependency Graph

83.217.8.61

31.202.130.9

91.234.35.106

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Aug 18, 2017 19:24:53.874548912 MESZ	49191	80	192.168.1.16	83.217.8.61	POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://83.217.8.61/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 83.217.8.61 Content-Length: 602 Connection: Keep-Alive	0
Aug 18, 2017 19:24:53.874773026 MESZ	49191	80	192.168.1.16	83.217.8.61	Data Raw: 59 51 75 4f 3d 59 25 31 34 57 25 39 30 25 31 33 25 30 42 25 31 35 4c 25 30 42 4a 78 25 46 44 78 25 31 39 25 42 37 51 25 46 31 4b 25 30 41 31 25 43 43 25 44 41 25 46 39 25 43 41 26 54 43 41 44 79 79 3d 79 25 42 42 25 37 43 25 32 33 25 35 42 25 31 Data Ascii: YQuO=Y%14W%90%13%0B%15L%0BJx%FDx%19%B7Q%F1K%0A1%CC%DA%F9%CA&TCADyy=y%BB%7C%23%5B%1A%A83%BF%40%40l%CE%DC%C9JW%C2%DA%23%F7%91%94%05%13%5E%1A%C0%DD%85%D7%99%94%FAQk0L%BA&vyVVDc=1%F0%5D%9C%85O2B%F5%3A%00%E8%12%E4%F933%B1C%DE%BA%2B%B4%01n%2C%93%B4z	1
Aug 18, 2017 19:24:54.247924089 MESZ	49192	80	192.168.1.16	31.202.130.9	POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://31.202.130.9/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 31.202.130.9 Content-Length: 602 Connection: Keep-Alive	2
Aug 18, 2017 19:24:54.248117924 MESZ	49192	80	192.168.1.16	31.202.130.9	Data Raw: 59 51 75 4f 3d 59 25 31 34 57 25 39 30 25 31 33 25 30 42 25 31 35 4c 25 30 42 4a 78 25 46 44 78 25 31 39 25 42 37 51 25 46 31 4b 25 30 41 31 25 43 43 25 44 41 25 46 39 25 43 41 26 54 43 41 44 79 79 3d 79 25 42 42 25 37 43 25 32 33 25 35 42 25 31 Data Ascii: YQuO=Y%14W%90%13%0B%15L%0BJx%FDx%19%B7Q%F1K%0A1%CC%DA%F9%CA&TCADyy=y%BB%7C%23%5B%1A%A83%BF%40%40l%CE%DC%C9JW%C2%DA%23%F7%91%94%05%13%5E%1A%C0%DD%85%D7%99%94%FAQk0L%BA&vyVVDc=1%F0%5D%9C%85O2B%F5%3A%00%E8%12%E4%F933%B1C%DE%BA%2B%B4%01n%2C%93%B4z	3
Aug 18, 2017 19:25:24.465642929 MESZ	49193	80	192.168.1.16	91.234.35.106	POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://91.234.35.106/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.234.35.106 Content-Length: 602 Connection: Keep-Alive	3
Aug 18, 2017 19:25:24.465823889 MESZ	49193	80	192.168.1.16	91.234.35.106	Data Raw: 59 51 75 4f 3d 59 25 31 34 57 25 39 30 25 31 33 25 30 42 25 31 35 4c 25 30 42 4a 78 25 46 44 78 25 31 39 25 42 37 51 25 46 31 4b 25 30 41 31 25 43 43 25 44 41 25 46 39 25 43 41 26 54 43 41 44 79 79 3d 79 25 42 42 25 37 43 25 32 33 25 35 42 25 31 Data Ascii: YQuO=Y%14W%90%13%0B%15L%0BJx%FDx%19%B7Q%F1K%0A1%CC%DA%F9%CA&TCADyy=y%BB%7C%23%5B%1A%A83%BF%40%40l%CE%DC%C9JW%C2%DA%23%F7%91%94%05%13%5E%1A%C0%DD%85%D7%99%94%FAQk0L%BA&vyVVDc=1%F0%5D%9C%85O2B%F5%3A%00%E8%12%E4%F933%B1C%DE%BA%2B%B4%01n%2C%93%B4z	4
Aug 18, 2017 19:25:38.765259981 MESZ	49194	80	192.168.1.16	83.217.8.61	POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://83.217.8.61/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 83.217.8.61 Content-Length: 602 Connection: Keep-Alive	5
Aug 18, 2017 19:25:38.765413046 MESZ	49194	80	192.168.1.16	83.217.8.61	Data Raw: 59 51 75 4f 3d 59 25 31 34 57 25 39 30 25 31 33 25 30 42 25 31 35 4c 25 30 42 4a 78 25 46 44 78 25 31 39 25 42 37 51 25 46 31 4b 25 30 41 31 25 43 43 25 44 41 25 46 39 25 43 41 26 54 43 41 44 79 79 3d 79 25 42 42 25 37 43 25 32 33 25 35 42 25 31 Data Ascii: YQuO=Y%14W%90%13%0B%15L%0BJx%FDx%19%B7Q%F1K%0A1%CC%DA%F9%CA&TCADyy=y%BB%7C%23%5B%1A%A83%BF%40%40l%CE%DC%C9JW%C2%DA%23%F7%91%94%05%13%5E%1A%C0%DD%85%D7%99%94%FAQk0L%BA&vyVVDc=1%F0%5D%9C%85O2B%F5%3A%00%E8%12%E4%F933%B1C%DE%BA%2B%B4%01n%2C%93%B4z	6
Aug 18, 2017 19:25:38.935456991 MESZ	49195	80	192.168.1.16	31.202.130.9	POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://31.202.130.9/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 31.202.130.9 Content-Length: 602 Connection: Keep-Alive	7
Aug 18, 2017 19:25:38.935600996 MESZ	49195	80	192.168.1.16	31.202.130.9	Data Raw: 59 51 75 4f 3d 59 25 31 34 57 25 39 30 25 31 33 25 30 42 25 31 35 4c 25 30 42 4a 78 25 46 44 78 25 31 39 25 42 37 51 25 46 31 4b 25 30 41 31 25 43 43 25 44 41 25 46 39 25 43 41 26 54 43 41 44 79 79 3d 79 25 42 42 25 37 43 25 32 33 25 35 42 25 31 Data Ascii: YQuO=Y%14W%90%13%0B%15L%0BJx%FDx%19%B7Q%F1K%0A1%CC%DA%F9%CA&TCADyy=y%BB%7C%23%5B%1A%A83%BF%40%40l%CE%DC%C9JW%C2%DA%23%F7%91%94%05%13%5E%1A%C0%DD%85%D7%99%94%FAQk0L%BA&vyVVDc=1%F0%5D%9C%85O2B%F5%3A%00%E8%12%E4%F933%B1C%DE%BA%2B%B4%01n%2C%93%B4z	7
Aug 18, 2017 19:26:08.946029902 MESZ	49196	80	192.168.1.16	91.234.35.106	POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://91.234.35.106/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.234.35.106 Content-Length: 602 Connection: Keep-Alive	8
Aug 18, 2017 19:26:08.946202993 MESZ	49196	80	192.168.1.16	91.234.35.106	Data Raw: 59 51 75 4f 3d 59 25 31 34 57 25 39 30 25 31 33 25 30 42 25 31 35 4c 25 30 42 4a 78 25 46 44 78 25 31 39 25 42 37 51 25 46 31 4b 25 30 41 31 25 43 43 25 44 41 25 46 39 25 43 41 26 54 43 41 44 79 79 3d 79 25 42 42 25 37 43 25 32 33 25 35 42 25 31 Data Ascii: YQuO=Y%14W%90%13%0B%15L%0BJx%FDx%19%B7Q%F1K%0A1%CC%DA%F9%CA&TCADyy=y%BB%7C%23%5B%1A%A83%BF%40%40l%CE%DC%C9JW%C2%DA%23%F7%91%94%05%13%5E%1A%C0%DD%85%D7%99%94%FAQk0L%BA&vyVVDc=1%F0%5D%9C%85O2B%F5%3A%00%E8%12%E4%F933%B1C%DE%BA%2B%B4%01n%2C%93%B4z	9
Aug 18, 2017 19:26:14.715092897 MESZ	80	49196	91.234.35.106	192.168.1.16	HTTP/1.1 200 OK Server: nginx Date: Fri, 18 Aug 2017 17:26:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: no-cache Content-Encoding: gzip Data Raw: 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 25 cc 31 0e 80 20 0c 00 c0 dd 57 98 3e 80 ee 0a 3c c0 d5 17 d4 4a 80 80 60 a4 f8 7e 8d ae 37 9c 6e 7c c5 53 c6 4c c5 77 f2 ce c0 42 37 ad 1f 82 dd 2b f7 c3 15 51 b9 32 49 ac c5 40 10 39 db 84 b8 bd 94 72 6c a2 8a 13 d5 09 39 38 4e 08 b3 c6 bf b4 c3 03 99 4a dc 1a 5c 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 66%1 W><J`~7n\|SLwB7+Q2I@9rl98NJ\0	9
Aug 18, 2017 19:26:14.728591919 MESZ	49197	80	192.168.1.16	83.217.8.61	POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://83.217.8.61/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 83.217.8.61 Content-Length: 602 Connection: Keep-Alive	10
Aug 18, 2017 19:26:14.728718996 MESZ	49197	80	192.168.1.16	83.217.8.61	Data Raw: 59 51 75 4f 3d 59 25 31 34 57 25 39 30 25 31 33 25 30 42 25 31 35 4c 25 30 42 4a 78 25 46 44 78 25 31 39 25 42 37 51 25 46 31 4b 25 30 41 31 25 43 43 25 44 41 25 46 39 25 43 41 26 54 43 41 44 79 79 3d 79 25 42 42 25 37 43 25 32 33 25 35 42 25 31 Data Ascii: YQuO=Y%14W%90%13%0B%15L%0BJx%FDx%19%B7Q%F1K%0A1%CC%DA%F9%CA&TCADyy=y%BB%7C%23%5B%1A%A83%BF%40%40l%CE%DC%C9JW%C2%DA%23%F7%91%94%05%13%5E%1A%C0%DD%85%D7%99%94%FAQk0L%BA&vyVVDc=1%F0%5D%9C%85O2B%F5%3A%00%E8%12%E4%F933%B1C%DE%BA%2B%B4%01n%2C%93%B4z	11

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: y872ff2.exe PID: 3536 Parent PID: 2820

General

Start time:	19:24:11
Start date:	18/08/2017
Path:	C:\Users\user\Desktop\y872ff2.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\y872ff2.exe'
Imagebase:	0x400000
File size:	620544 bytes
MD5 hash:	544BC1C6ECD95D89D96B5E75C3121FEA
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 1836 Parent PID: 3536

General

Start time:	19:26:44
Start date:	18/08/2017
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\diablo6.htm
Imagebase:	0x1360000
File size:	815312 bytes
MD5 hash:	EE79D654A04333F566DF07EBDE217928
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 2436 Parent PID: 3536

General

Start time:	19:26:46
Start date:	18/08/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C del /Q /F 'C:\Users\LUKETA~1\AppData\Local\Temp\sys3FA5.tmp'
Imagebase:	0x4a9f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 2428 Parent PID: 1836

General

Start time:	19:26:46
Start date:	18/08/2017
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1836 CREDAT:275457 /prefetch:2
Imagebase:	0x726f0000
File size:	815312 bytes
MD5 hash:	EE79D654A04333F566DF07EBDE217928
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: y872ff2.exe PID: 3536 Parent PID: 2820

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.5%
Total number of Nodes:	466
Total number of Limit Nodes:	29

Executed Functions

Function 0042D950, Relevance: 3.1, APIs: 2, Instructions: 134

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 0042D9EC
FindClose.KERNEL32(00000000), ref: 0042DA62

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00415270, Relevance: 3.1, APIs: 2, Instructions: 117

APIs

GetLastError.KERNEL32(?,00000000,00000000,?,?), ref: 004152D5

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,?,?), ref: 00415321

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004152E6, Relevance: 3.1, APIs: 2, Instructions: 61

APIs

GetLastError.KERNEL32(?,00000000,00000000,?,?), ref: 004152D5

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,?,?), ref: 00415321

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00405F08, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005EC6), ref: 00405F0D

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00407C81, Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 237

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85
HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00407D44, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402B0A, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98

APIs

GetStartupInfoW.KERNEL32(?,0047CFB8,00000058), ref: 00402B1A
HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402B2F

Part of subcall function 00405823: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402B83), ref: 0040582C

Part of subcall function 00403D74: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00402B94), ref: 00403D7C
Part of subcall function 00403D74: GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00402B94), ref: 00403D9E
Part of subcall function 00403D74: GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00402B94), ref: 00403DAB
Part of subcall function 00403D74: GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00402B94), ref: 00403DB8
Part of subcall function 00403D74: GetProcAddress.KERNEL32(00000000,FlsFree,?,00402B94), ref: 00403DC5
Part of subcall function 00403D74: TlsAlloc.KERNEL32(?,00402B94), ref: 00403E15
Part of subcall function 00403D74: TlsSetValue.KERNEL32(00000000,?,00402B94), ref: 00403E30
Part of subcall function 00403D74: GetCurrentThreadId.KERNEL32(?,00402B94), ref: 00403ED4

__RTC_Initialize.LIBCMT ref: 00402BA0

Part of subcall function 00406487: GetStartupInfoW.KERNEL32(?), ref: 00406494
Part of subcall function 00406487: GetFileType.KERNEL32(?), ref: 004065C7
Part of subcall function 00406487: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 004065FD
Part of subcall function 00406487: GetStdHandle.KERNEL32(-000000F6), ref: 00406651
Part of subcall function 00406487: GetFileType.KERNEL32(00000000), ref: 00406663
Part of subcall function 00406487: InitializeCriticalSectionAndSpinCount.KERNEL32(-004828D4,00000FA0), ref: 00406691
Part of subcall function 00406487: SetHandleCount.KERNEL32 ref: 004066BA

__amsg_exit.LIBCMT ref: 00402BB3
GetCommandLineA.KERNEL32 ref: 00402BB9

Part of subcall function 004063F0: GetEnvironmentStringsW.KERNEL32 ref: 004063FA
Part of subcall function 004063F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00406438
Part of subcall function 004063F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040645B
Part of subcall function 004063F0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040646E
Part of subcall function 004063F0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040647A

Part of subcall function 00406335: GetModuleFileNameA.KERNEL32(00000000,C:\Users\luketaylor\Desktop\y872ff2.exe,00000104), ref: 00406361
Part of subcall function 00406335: _parse_cmdline.LIBCMT ref: 0040638C
Part of subcall function 00406335: _parse_cmdline.LIBCMT ref: 004063CD

__amsg_exit.LIBCMT ref: 00402BD9

Part of subcall function 004060BF: _strlen.LIBCMT ref: 004060E9
Part of subcall function 004060BF: _strlen.LIBCMT ref: 0040611A

__amsg_exit.LIBCMT ref: 00402BEA

Part of subcall function 00404480: __initterm_e.LIBCMT ref: 004044B6

__amsg_exit.LIBCMT ref: 00402BFD

Part of subcall function 0042BB10: ExitProcess.KERNEL32 ref: 0042BB28
Part of subcall function 0042BB10: GetModuleHandleA.KERNEL32(00000000,00402C24,00400000,00000000,00000000,0000000A), ref: 0042BB54

Strings

.$, xrefs: 00402B67

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00405A0A, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 285

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405A5C, 00405A7A, 00409274, 00409351, 0040937D, 0040C205, 0040C224

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00407573, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 285

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040758C, 004075CD, 00409274, 004095E9, 0040BE8F, 0040BEBF, 0040BEDE, 0040CE8E

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00401CF1, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 272

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00401D0D, 00401D2B, 00401D4A, 00404D8A, 00404DA8, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040525C, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 269

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040529C, 00408F8F, 00408FEA, 00409274, 0040D24B

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406119, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 268

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004082A4, 004082D3, 0040903C, 00409070, 004090A4, 00409274, 0040AEFE, 0040AF2E, 0040AF63

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402D78, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 267

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402DB0, 00402DE5, 0040300C, 0040302B, 00409274, 0040C69E

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402CDF, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 266

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402D52, 00408CDF, 00408CFE, 00409274, 0040C2F2, 0040C311

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004050BB, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 263

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004052E6, 00405312, 00405354, 00405373, 0040720E, 00409274, 0040B524, 0040B559

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040259F, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 261

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004025C0, 004025DF, 00409274, 00409C09, 00409C46, 00409C73

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402736, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 257

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402741, 00402760, 00408313, 00408358, 00409274, 0040B1C9

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040596A, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 255

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004059A7, 004059C5, 004059E4, 00409274, 0040A7C7, 0040A7E6

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004044EC, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 251

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00408432, 00408462, 00409274, 00409AA1, 0040BBD7

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004023B1, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 250

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004023BC, 004023E8, 00407DC5, 00409274, 0040CCF2

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402530, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 249

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402576, 004027E2, 00402800, 0040284A, 00405EF0, 00405F1C, 00409274, 0040C178, 0040C1A7

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00407AAA, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 248

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00407ACB, 00407AEA, 00407B09, 00407B4B, 00409274, 0040AE4B, 0040AE69, 0040AEC9

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00405CA2, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 243

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040588D, 004058C2, 004058E1, 00405CE7, 00405D05, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402185, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 243

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004021AC, 00409274, 0040B3F7, 0040B438

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00404A86, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 242

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404AA2, 00404B10, 00407430, 0040745D, 004074A3, 00409274, 0040B069, 0040B096

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040AD9D, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 241

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040ADB9, 0040AE0C, 0040B236, 0040B255, 0040B2B6

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00409621, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 240

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 00409642, 00409672, 004096A2, 0040B7A9

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403F61, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 240

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403F7B, 00403FAB, 00409274, 0040945A

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040640B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 239

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406416, 0040647D, 0040649B, 00406EEC, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00404DDC, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 239

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404DE7, 00406974, 004069AE, 004069CC, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406AF2, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 239

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406B1C, 00406B50, 00406B7D, 00409274, 004093DF, 0040940B

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00404307, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 238

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404339, 004068BF, 004068DD, 00406912, 00409274, 0040C3BF

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406774, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 238

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406790, 004067AF, 004067F4, 00409274, 0040B5B0, 0040B5FF

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004039D0, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 237

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403A23, 00404E7E, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00401F2B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 237

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00401F94, 00401FB3, 00409274, 0040CF74, 0040CFA8, 0040D43A, 0040D47D

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004037B4, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 237

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004037BF, 004037DE, 004037FD, 0040383D, 00408245, 00409274, 0040B840

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403939, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 236

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040399B, 00408134, 00408153, 00409274, 0040BA18, 0040BA36

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403251, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 236

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040325C, 00403288, 004032A7, 004032C6, 004032F6, 00409274, 0040A941

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040269F, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004026B8, 004026D7, 00409274, 0040C010

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00407376, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040738F, 004073AD, 004073F3, 00409274, 0040C4F5, 0040C532

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402E80, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 234

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402EA1, 00402EC0, 00408AB1, 00408B02, 00409274, 0040B8C7, 0040B8E5, 0040B922

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00404439, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 234

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040445A, 00404489, 004044A7, 004062AC, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040A718, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 234

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040A782, 0040BA90, 0040BAE9, 0040CB53, 0040CB72

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00401FCD, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 234

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040200E, 0040204F, 004085C7, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040568B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 233

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405696, 004056DC, 00408C61, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406A6D, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 233

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406ACF, 00409274, 004098B9, 00409909, 00409927

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040473A, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 233

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404753, 00404787, 004047B4, 00409274, 0040C757

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403EAF, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 233

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403ED0, 00403EFC, 00403F1B, 00409274, 0040ACCE, 0040ACFE, 0040C580

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00401830, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 232

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401886, 00401A5F, 00401B0C, 00402916, 00402935, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004031BA, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 231

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004031E4, 00403203, 00409274, 00409A3E, 0040AA9A, 0040AAC6, 0040AAE4

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040331C, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 231

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403327, 00403346, 0040339A, 00409274, 0040D2EE

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402435, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 230

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402465, 004072BD, 004072DC, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004086B3, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 230

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004086E0, 004086FE, 00409274, 0040CAA8, 0040CAEA

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00407166, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 230

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004071BF, 00409274, 004092EF, 0040930D

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040538E, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 229

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004053C5, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402271, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 229

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040228D, 004022D2, 00408881, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406D28, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 229

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406D33, 004083A2, 004083E5, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040311F, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 229

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040312A, 00403159, 00409274, 0040CEDC

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00405FBE, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 228

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405FE8, 00406831, 0040686E, 0040688C, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040C5D4, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 228

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040C5DF, 0040C649, 0040D587

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00405132, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 228

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405169, 00405198, 004074EE, 00407523, 00409274, 0040A85C, 0040A888

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00404C21, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 227

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404C53, 00404C7F, 00407E39, 00409274, 0040A29F

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00407E69, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 227

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00407E74, 00407E93, 00409274, 0040B4AB

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004033BB, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 227

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004033E2, 00404879, 004048A5, 00409274, 0040CC04, 0040CC22

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00404B2D, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 227

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404B38, 00404B83, 00409274, 0040A4CB, 0040A4FB, 0040B36C

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00408D25, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 226

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00408D3E, 00409274, 00409F44, 00409F87

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406201, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 226

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406222, 00406260, 00407C12, 004091B2, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040456B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 225

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004045E2, 004064DA, 00409274, 0040B98F

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040408A, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 225

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004040E3, 00404101, 00409274, 0040A052, 0040A081, 0040A0D0

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403C6B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 225

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040C90B, 0040C956

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00401EAC, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 224

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00401ECD, 00401EFA, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406E18, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 224

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406E23, 00406E61, 00409274, 0040B0EB

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403B53, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403B6F, 0040850C, 00409274, 0040A3B1, 0040A3E5

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00404205, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404210, 0040425A, 00404BE7, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00401E25, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00401E72, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00404CBC, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 222

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404CC7, 0040761D, 0040764D, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00405DC2, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 222

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405E15, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00401DA0, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 222

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040A641

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406C3C, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 221

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406C89, 00406CA8, 00409274, 0040BDDE

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00408D8E, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 221

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00408DC6, 00409274, 0040BD63, 0040BD82, 0040BDB1

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402BD5, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 220

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402C0C, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004096D0, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 220

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040D505, 0040D523, 0040D5ED

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00405E3B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 218

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405E6D, 00409274, 0040AA5A

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00405BC2, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 217

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405BCD, 00405C08, 00409274, 00409748

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004058FB, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 217

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405938, 00409274, 0040C052, 0040C0CB, 0040C0E9, 0040C118

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004030A0, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 216

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004030EE, 00409274, 0040950D

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402F8A, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 215

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402FB1, 0040802B, 00409274, 0040B6FF, 0040B72E, 0040B76C

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004055BE, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 212

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004055C9, 00405606, 00405625, 00405644, 00405663, 00409274, 0040C7A6

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00405002, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 212

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040500D, 0040502C, 00405069, 00405088, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040A57B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 211

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040A5BE, 0040A5DC, 0040A5FA, 0040A618

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403FD3, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 208

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404005, 00404050, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040AB18, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 207

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040AB23, 0040AB7A, 0040ABA6

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040193C, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 207

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401969, 004019BE, 00401A5F, 00401B0C, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004048C3, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 206

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004048DF, 004048FE, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403440, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 206

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403459, 00403488, 004034C2, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040B636, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 205

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040B657, 0040B69D, 0040BC43, 0040BC77

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403BBE, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 205

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403BC9, 00403BE7, 00409274, 0040D3DD

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004035E1, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403650, 00409274, 0040A6EC

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00405D29, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405D58, 00405D77, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406B9B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406BDE, 0040882D, 0040884C, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00408738, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00408743, 00408778, 00408797, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403682, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004036B1, 00403705, 0040549F, 004054CE, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004077CF, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004077F0, 00407846, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040439E, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 203

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004043A9, 004043F3, 00404412, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004097AA, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 203

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 004097D4, 00409812

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00401C52, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 203

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00401CC9, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040785F, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 203

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004078A0, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004029F1, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 203

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402A12, 00402A3E, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004051BF, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 203

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040520D, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00407A19, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 202

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00407A24, 00407A6A, 00407A88, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004076A1, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 202

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004076CB, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004070D5, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 202

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004070E0, 0040711D, 0040713C, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040354E, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 202

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403578, 004035BE, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040A0E9, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 202

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040A111, 0040A12F

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040B12D, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 202

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040B14E, 0040B1A5, 0040C86C, 0040C8D1

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040BB10, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 201

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040BB29, 0040BB55, 0040BB74, 0040C496

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00409953, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 201

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 004099C8

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004018AD, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 004018B8, 004018E7, 00401A5F, 00401B0C, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00407732, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040778E, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004078F3, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00407936, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403D99, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403DD9, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040798A, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004079BC, 004079F9, 00409274, 0040BF1C, 0040BF62

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00409B06, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 199

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 00409B53, 00409B71, 0040D076, 0040D095

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004062F5, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 199

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040632C, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403729, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 199

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403745, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004020FC, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 199

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402107, 00402151, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040411B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 198

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040417A, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402974, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 198

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004029BC, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040A420, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 198

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040A43C, 0040A470

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403E30, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 198

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403E57, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040660F, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 198

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406628, 00406647, 00406677, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040BCC1, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 198

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 0040BCE2, 0040D156, 0040D186, 0040D1A4

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040817A, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 198

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004081B8, 004081D6, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403A67, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 198

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403A99, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004090D2, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 198

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409101, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00409E33, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 197

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 00409E4C, 00409E79

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040617C, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 197

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004061BF, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00405738, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 197

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405754, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00408A1B, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 197

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00408A26, 00408A44, 00408A7F, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00408EEB, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 197

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00408EF6, 00408F15, 00408F50, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406D98, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 197

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00406DC3, 00406DF0, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040428E, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 197

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00404299, 004042EA, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406487, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 196

APIs

GetStartupInfoW.KERNEL32(?), ref: 00406494

Part of subcall function 00404307: Sleep.KERNEL32(00000000), ref: 0040432F

GetFileType.KERNEL32(?), ref: 004065C7
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 004065FD
GetStdHandle.KERNEL32(-000000F6), ref: 00406651
GetFileType.KERNEL32(00000000), ref: 00406663
InitializeCriticalSectionAndSpinCount.KERNEL32(-004828D4,00000FA0), ref: 00406691
SetHandleCount.KERNEL32 ref: 004066BA

Strings

(H, xrefs: 00406537

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00406595, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 196

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004065AF, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040553F, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 196

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00405595, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004072F7, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 196

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00407348, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402E03, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 196

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402E4B, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00408911, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 194

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00408940, 00408B6F, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00402AFD, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 194

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00402B19, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00403AE6, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 194

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00403B1E, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00406533, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 193

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 0040654F, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040419A, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 192

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 004041A5, 00404F11, 00404F68, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00409B8F, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 192

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 00409B9A, 0040A9DB

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00409D04, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 191

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274, 00409D4D

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 0040852E, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 189

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00408563, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 004017D3, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 188

APIs

LoadLibraryA.KERNEL32(?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb,0041317E,0000000F,00000000,0041318D,00413195,0000000C), ref: 00401A8F
LoadLibraryA.KERNEL32(?,0000000C,00413199,0000000C,00413199,00000000,?,0041317E,0000000F,00000000,00000000,?,00000000,?,?,ggqfslmb), ref: 00401AD7
GetProcAddress.KERNEL32(0000000F), ref: 00401B6E
WriteProcessMemory.KERNELBASE(000000FF,00413104,00000008,00000000), ref: 00401B85

Part of subcall function 00407C81: HeapCreate.KERNELBASE(00040000,00000688,00000688,00401BD6), ref: 00407C95

Strings

Crea, xrefs: 00401A3E
0N, xrefs: 00401AEB
zM, xrefs: 00401B6E, 00401BB1
ggqfslmb, xrefs: 00401A5F, 00401B0C, 00409274

Memory Dump Source

Source File: 00000000.00000001.290571276.00401000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.290564442.00400000.00000002.sdmp
Associated: 00000000.00000001.290577521.0040E000.00000080.sdmp
Associated: 00000000.00000001.290598777.00496000.00000004.sdmp
Associated: 00000000.00000001.290610711.004D6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_y872ff2.jbxd

Function 00401946, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 30

APIs

KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Strings

m7@, xrefs: 00401982
csm, xrefs: 0040197B, 0040197E
csm, xrefs: 00401963

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040347F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42

APIs

_UnwindNestedFrames.LIBCMT ref: 004034A9

Part of subcall function 00401460: RtlUnwind.KERNEL32(0040148B,0040148B,?,00000000), ref: 00401486

Part of subcall function 00402E74: __getptd.LIBCMT ref: 00402E9B
Part of subcall function 00402E74: __CallSettingFrame@12.LIBVCRUNTIME ref: 00402EE7

Part of subcall function 004030D2: __CreateFrameInfo.LIBCMT ref: 004030FA
Part of subcall function 004030D2: __getptd.LIBCMT ref: 00403104
Part of subcall function 004030D2: __getptd.LIBCMT ref: 00403112
Part of subcall function 004030D2: __getptd.LIBCMT ref: 00403120
Part of subcall function 004030D2: __getptd.LIBCMT ref: 0040312B

Strings

csm, xrefs: 00403481
csm, xrefs: 0040348E, 004034A3, 004034B6, 004034D4, 004034E4

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004019EC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45

APIs

Part of subcall function 004025E9: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004042D3,?,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96), ref: 0040262E

std::exception::exception.LIBCMT ref: 00401A3B

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Strings

bad allocation, xrefs: 00401A34

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0041F840, Relevance: 3.1, APIs: 2, Instructions: 124

APIs

AddAtomA.KERNEL32(00000000), ref: 0041F925
GlobalAddAtomA.KERNEL32(00000000), ref: 0041F965

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00415C00, Relevance: 3.1, APIs: 2, Instructions: 122

APIs

GetDIBits.GDI32(?,?,?,?,?,?,?), ref: 00415C95
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00415CC1

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00415D09, Relevance: 3.1, APIs: 2, Instructions: 119

APIs

GetDIBits.GDI32(?,?,?,?,?,?,?), ref: 00415C95
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00415CC1

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040F3A0, Relevance: 3.1, APIs: 2, Instructions: 113

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040F3DB
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040F449

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040F5D0, Relevance: 3.1, APIs: 2, Instructions: 99

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040F623
GetLastError.KERNEL32(?,?,?,?), ref: 0040F67A

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040F2D0, Relevance: 3.1, APIs: 2, Instructions: 96

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040F331
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040F376

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00415D10, Relevance: 3.1, APIs: 2, Instructions: 96

APIs

GetLastError.KERNEL32(?,?,?,?,?), ref: 00415D24

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

DrawTextW.USER32(?,?,?,?,?), ref: 00415DC2

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040F6A0, Relevance: 3.1, APIs: 2, Instructions: 93

APIs

SetFileTime.KERNELBASE(?,?,?,?), ref: 0040F6AC
GetLastError.KERNEL32(?,?,?,?), ref: 0040F73A

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0042BB10, Relevance: 3.1, APIs: 2, Instructions: 74

APIs

ExitProcess.KERNEL32 ref: 0042BB28
GetModuleHandleA.KERNEL32(00000000,00402C24,00400000,00000000,00000000,0000000A), ref: 0042BB54

Part of subcall function 00429080: __EH_prolog.LIBCMT ref: 0042B17C

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00410A4E, Relevance: 3.1, APIs: 2, Instructions: 63

APIs

CreateFileW.KERNEL32(?,?), ref: 00410ACB
GetLastError.KERNEL32(?,?), ref: 00410B4B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0041F8A1, Relevance: 3.1, APIs: 2, Instructions: 63

APIs

AddAtomA.KERNEL32(00000000), ref: 0041F925
GlobalAddAtomA.KERNEL32(00000000), ref: 0041F965

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00414F90, Relevance: 1.6, APIs: 1, Instructions: 98

APIs

RegOpenKeyExA.KERNEL32(?,?,00000000,?), ref: 00414FD5

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00415050, Relevance: 1.6, APIs: 1, Instructions: 86

APIs

RegSetValueExA.KERNEL32(?,?,00000000,?,?,?), ref: 004150F0

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004201DB, Relevance: 1.6, APIs: 1, Instructions: 84

APIs

SHGetFolderPathW.SHELL32(?,?), ref: 0042028B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004201B4, Relevance: 1.6, APIs: 1, Instructions: 81

APIs

SHGetFolderPathW.SHELL32(?,?), ref: 0042028B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00420183, Relevance: 1.6, APIs: 1, Instructions: 79

APIs

SHGetFolderPathW.SHELL32(?,?), ref: 0042028B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0042019E, Relevance: 1.6, APIs: 1, Instructions: 65

APIs

SHGetFolderPathW.SHELL32(?,?), ref: 0042028B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00410A76, Relevance: 1.6, APIs: 1, Instructions: 65

APIs

CreateFileW.KERNEL32(?,?), ref: 00410ACB
GetLastError.KERNEL32(?,?), ref: 00410B4B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004025E9, Relevance: 1.6, APIs: 1, Instructions: 58

APIs

Part of subcall function 0040563B: GetModuleFileNameW.KERNEL32(00000000,00481C4A,00000104,00000001,00000000,?), ref: 004056D7
Part of subcall function 0040563B: _wcslen.LIBCMT ref: 00405706
Part of subcall function 0040563B: _wcslen.LIBCMT ref: 00405713
Part of subcall function 0040563B: GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 00405789
Part of subcall function 0040563B: _strlen.LIBCMT ref: 004057C6
Part of subcall function 0040563B: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004057D5

Part of subcall function 004043FF: ExitProcess.KERNEL32 ref: 00404410

RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004042D3,?,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96), ref: 0040262E

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00404480, Relevance: 1.6, APIs: 1, Instructions: 54

APIs

__initterm_e.LIBCMT ref: 004044B6

Part of subcall function 00406FD0: __FindPESection.LIBCMT ref: 0040702B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004058C5, Relevance: 1.6, APIs: 1, Instructions: 52

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0040431D,?,?,00000000,00000000,00000000,?,00403BDD,00000001,00000214), ref: 00405908

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004196D9, Relevance: 1.5, APIs: 1, Instructions: 25

APIs

SetEntriesInAclA.ADVAPI32 ref: 004196D9

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00406C12, Relevance: 1.5, APIs: 1, Instructions: 15

APIs

RtlUnwind.KERNEL32(00000001,00406C26,?,00000000,?,?,00000001,?,0040483E), ref: 00406C21

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0042199F, Relevance: 1.5, APIs: 1, Instructions: 13

APIs

DsRoleGetPrimaryDomainInformation.NETAPI32 ref: 0042231B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040E5B7, Relevance: 1.5, APIs: 1, Instructions: 12

APIs

CoInitializeSecurity.OLE32 ref: 0040ED33

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00412CE2, Relevance: 1.5, APIs: 1, Instructions: 11

APIs

SetFileAttributesW.KERNELBASE ref: 0041471E

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00425792, Relevance: 1.5, APIs: 1, Instructions: 10

APIs

SystemParametersInfoW.USER32(00000014), ref: 00425E18

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00405823, Relevance: 1.5, APIs: 1, Instructions: 10

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00402B83), ref: 0040582C

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00412242, Relevance: 1.5, APIs: 1, Instructions: 9

APIs

MoveFileExW.KERNEL32 ref: 00412242

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00412544, Relevance: 1.5, APIs: 1, Instructions: 9

APIs

DeleteFileW.KERNELBASE ref: 00412544

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00421932, Relevance: 1.5, APIs: 1, Instructions: 8

APIs

DsRoleGetPrimaryDomainInformation.NETAPI32 ref: 0042231B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040E69B, Relevance: 1.5, APIs: 1, Instructions: 7

APIs

CoInitializeEx.OLE32 ref: 0040E69B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00421025, Relevance: 1.5, APIs: 1, Instructions: 7

APIs

GetSystemMetrics.USER32(00000059), ref: 00422232

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00412B2A, Relevance: 1.5, APIs: 1, Instructions: 6

APIs

MoveFileExW.KERNEL32 ref: 00412B2A

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0042368B, Relevance: 1.5, APIs: 1, Instructions: 6

APIs

DsRoleGetPrimaryDomainInformation.NETAPI32 ref: 0042368B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0042535C, Relevance: 1.5, APIs: 1, Instructions: 5

APIs

ShellExecuteW.SHELL32 ref: 0042554D

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004138A9, Relevance: 1.5, APIs: 1, Instructions: 3

APIs

CreateFileW.KERNEL32 ref: 004138A9

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00425B00, Relevance: 1.5, APIs: 1, Instructions: 2

APIs

ShellExecuteW.SHELL32 ref: 00425B00

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00404307, Relevance: 1.3, APIs: 1, Instructions: 30

APIs

Part of subcall function 004058C5: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0040431D,?,?,00000000,00000000,00000000,?,00403BDD,00000001,00000214), ref: 00405908

Sleep.KERNEL32(00000000), ref: 0040432F

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040E6BD, Relevance: 1.3, APIs: 1, Instructions: 9

APIs

CoUninitialize.OLE32 ref: 0040E6BD

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Non-executed Functions

Function 00415390, Relevance: 4.7, APIs: 3, Instructions: 165

APIs

CryptDestroyKey.ADVAPI32 ref: 00415478

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

GetLastError.KERNEL32 ref: 00415423
CryptImportKey.ADVAPI32(?,?,?,00000000,?), ref: 00415430

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0042EB20, Relevance: 3.1, APIs: 2, Instructions: 127

APIs

GetUserDefaultUILanguage.KERNEL32 ref: 0042EB6C
GetLocaleInfoA.KERNEL32(?,00000059,?,00000020), ref: 0042EBD7

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040FBE0, Relevance: 3.1, APIs: 2, Instructions: 103

APIs

CryptEncrypt.ADVAPI32(?,00000000,?,?,?,?,?), ref: 0040FC28
GetLastError.KERNEL32(?,00000000,?,?,?,?,?), ref: 0040FC5E

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040F9B0, Relevance: 3.1, APIs: 2, Instructions: 78

APIs

CryptGenRandom.ADVAPI32(?,?,?), ref: 0040FA00
GetLastError.KERNEL32(?,?,?), ref: 0040FA15

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00416140, Relevance: 3.1, APIs: 2, Instructions: 68

APIs

CryptDestroyKey.ADVAPI32(?), ref: 00416153
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0041619C

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040F8E0, Relevance: 1.6, APIs: 1, Instructions: 106

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040F939

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040F91B, Relevance: 1.6, APIs: 1, Instructions: 94

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040F939

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040FB40, Relevance: 1.6, APIs: 1, Instructions: 91

APIs

CryptDestroyKey.ADVAPI32 ref: 0040FB64

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040F8A0, Relevance: 1.5, APIs: 1, Instructions: 31

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040F8A9

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040FB00, Relevance: 1.5, APIs: 1, Instructions: 26

APIs

CryptDestroyKey.ADVAPI32 ref: 0040FB16

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040FB13, Relevance: 1.5, APIs: 1, Instructions: 15

APIs

CryptDestroyKey.ADVAPI32 ref: 0040FB16

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00419379, Relevance: 1.5, APIs: 1, Instructions: 12

APIs

CryptReleaseContext.ADVAPI32(?), ref: 004195AA

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0041968E, Relevance: 1.5, APIs: 1, Instructions: 12

APIs

SetSecurityDescriptorDacl.ADVAPI32 ref: 00419855

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00421A68, Relevance: 1.5, APIs: 1, Instructions: 9

APIs

GetVersionExA.KERNEL32 ref: 004223F0

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040C879, Relevance: 1.5, APIs: 1, Instructions: 7

APIs

CoCreateInstance.OLE32 ref: 0040D560

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00419762, Relevance: 1.5, APIs: 1, Instructions: 5

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 004199E2

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00413B0B, Relevance: 1.5, APIs: 1, Instructions: 3

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00413B0B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00403D74, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 109

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00402B94), ref: 00403D7C
GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00402B94), ref: 00403D9E
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00402B94), ref: 00403DAB
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00402B94), ref: 00403DB8
GetProcAddress.KERNEL32(00000000,FlsFree,?,00402B94), ref: 00403DC5
TlsAlloc.KERNEL32(?,00402B94), ref: 00403E15
TlsSetValue.KERNEL32(00000000,?,00402B94), ref: 00403E30

Part of subcall function 00406901: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 00406929

GetCurrentThreadId.KERNEL32(?,00402B94), ref: 00403ED4

Part of subcall function 00403AC1: TlsFree.KERNEL32(0000001B,00403EEA,?,00402B94), ref: 00403AEC
Part of subcall function 00403AC1: DeleteCriticalSection.KERNEL32(00000000,00000000,Function_0006DF00,?,00403EEA,?,00402B94), ref: 00406968
Part of subcall function 00403AC1: DeleteCriticalSection.KERNEL32(0000001B,Function_0006DF00,?,00403EEA,?,00402B94), ref: 00406992

Part of subcall function 00404307: Sleep.KERNEL32(00000000), ref: 0040432F

Part of subcall function 00403AFE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0047D118,00000008,00403C06,00000000,00000000,?,?,00403C33,?,00403993,?,?,?,?,004014DA), ref: 00403B0F
Part of subcall function 00403AFE: InterlockedIncrement.KERNEL32(0047F0C0), ref: 00403B50

Strings

FlsFree, xrefs: 00403DBA
FlsAlloc, xrefs: 00403D98
FlsSetValue, xrefs: 00403DAD
FlsGetValue, xrefs: 00403DA0
KERNEL32.DLL, xrefs: 00403D77

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00405B80, Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 262

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00405C81
__FindPESection.LIBCMT ref: 00405C9B
VirtualQuery.KERNEL32(?,F4322256,0000001C,F4322256,?,?,?,?,?,00404720,0047D248,000000FE,?,00402A01,?), ref: 00405D81
__FindPESection.LIBCMT ref: 00405DD0
_ValidateScopeTableHandlers.LIBCMT ref: 00405DF4

Part of subcall function 00405AC0: __FindPESection.LIBCMT ref: 00405B03
Part of subcall function 00405AC0: __FindPESection.LIBCMT ref: 00405B41

__FindPESection.LIBCMT ref: 00405E0E

Strings

L"H, xrefs: 00405EA6
L"H, xrefs: 00405CBF
P"H, xrefs: 00405E6C
L"H, xrefs: 00405E23

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0040563B, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 148

APIs

GetModuleFileNameW.KERNEL32(00000000,00481C4A,00000104,00000001,00000000,?), ref: 004056D7

Part of subcall function 004054BC: GetCurrentProcess.KERNEL32(C0000417), ref: 004054D2
Part of subcall function 004054BC: TerminateProcess.KERNEL32(00000000), ref: 004054D9

_wcslen.LIBCMT ref: 00405706
_wcslen.LIBCMT ref: 00405713

Part of subcall function 004079B0: LoadLibraryW.KERNEL32(USER32.DLL), ref: 004079EB
Part of subcall function 004079B0: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 00407A07
Part of subcall function 004079B0: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00407A25
Part of subcall function 004079B0: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00407A35
Part of subcall function 004079B0: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 00407A45
Part of subcall function 004079B0: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00407A59

GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 00405789
_strlen.LIBCMT ref: 004057C6
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004057D5

Part of subcall function 00403A6C: IsDebuggerPresent.KERNEL32 ref: 004068B6
Part of subcall function 00403A6C: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004068CB
Part of subcall function 00403A6C: UnhandledExceptionFilter.KERNEL32(004792E8), ref: 004068D6
Part of subcall function 00403A6C: GetCurrentProcess.KERNEL32(C0000409), ref: 004068F2
Part of subcall function 00403A6C: TerminateProcess.KERNEL32(00000000), ref: 004068F9

Strings

Runtime Error!Program: , xrefs: 004056A5
..., xrefs: 00405727
<program name unknown>, xrefs: 004056E6
Microsoft Visual C++ Runtime Library, xrefs: 0040576D

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004034ED, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 92

APIs

__getptd.LIBCMT ref: 00403506

Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__getptd.LIBCMT ref: 00403514
_CallSETranslator.LIBCMT ref: 0040354B

Part of subcall function 0040151D: __getptd.LIBCMT ref: 004015A8

_GetRangeOfTrysToCheck.LIBCMT ref: 00403579

Part of subcall function 0040347F: _UnwindNestedFrames.LIBCMT ref: 004034A9

Strings

csm, xrefs: 004035C7, 00403541
csm, xrefs: 0040356C, 00403584, 004035EA, 0040356F
csm, xrefs: 004035BC
MOC, xrefs: 0040352A
RCC, xrefs: 00403531

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004070AC, Relevance: 12.2, APIs: 8, Instructions: 190

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,?,?,?,00000000), ref: 0040711D
MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 0040718B
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 004071A7
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,?,?,00000000), ref: 004071E0

Part of subcall function 004025E9: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004042D3,?,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96), ref: 0040262E

LCMapStringW.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,?,?,?,?,00000000), ref: 00407246
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00407265
__freea.LIBCMT ref: 0040726F
__freea.LIBCMT ref: 00407278

Part of subcall function 00403A6C: IsDebuggerPresent.KERNEL32 ref: 004068B6
Part of subcall function 00403A6C: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004068CB
Part of subcall function 00403A6C: UnhandledExceptionFilter.KERNEL32(004792E8), ref: 004068D6
Part of subcall function 00403A6C: GetCurrentProcess.KERNEL32(C0000409), ref: 004068F2
Part of subcall function 00403A6C: TerminateProcess.KERNEL32(00000000), ref: 004068F9

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00405022, Relevance: 12.1, APIs: 8, Instructions: 61

APIs

InterlockedDecrement.KERNEL32(?), ref: 0040503C
InterlockedDecrement.KERNEL32(?), ref: 00405049
InterlockedDecrement.KERNEL32(?), ref: 00405056
InterlockedDecrement.KERNEL32(?), ref: 00405063
InterlockedDecrement.KERNEL32(?), ref: 00405070
InterlockedDecrement.KERNEL32(?), ref: 0040508C
InterlockedDecrement.KERNEL32(00000000), ref: 0040509C
InterlockedDecrement.KERNEL32(?), ref: 004050B2

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00404F93, Relevance: 12.1, APIs: 8, Instructions: 58

APIs

InterlockedIncrement.KERNEL32(?), ref: 00404FA5
InterlockedIncrement.KERNEL32(?), ref: 00404FB2
InterlockedIncrement.KERNEL32(?), ref: 00404FBF
InterlockedIncrement.KERNEL32(?), ref: 00404FCC
InterlockedIncrement.KERNEL32(?), ref: 00404FD9
InterlockedIncrement.KERNEL32(?), ref: 00404FF5
InterlockedIncrement.KERNEL32(00000000), ref: 00405005
InterlockedIncrement.KERNEL32(?), ref: 0040501B

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004087C2, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 327

APIs

Part of subcall function 00401FE4: __getptd.LIBCMT ref: 00401FF7

__cftoe.LIBCMT ref: 00408879
_strrchr.LIBCMT ref: 004088C0
__alldvrm.INT64 ref: 00408ABE
__alldvrm.INT64 ref: 00408AE4
__alldvrm.INT64 ref: 00408B0A

Strings

0, xrefs: 004087DB

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004080D0, Relevance: 9.1, APIs: 6, Instructions: 117

APIs

lstrlenA.KERNEL32(?,F4322256), ref: 00408117
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 0040812D
GetLastError.KERNEL32 ref: 0040813C

Part of subcall function 004025E9: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004042D3,?,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96), ref: 0040262E

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 004081CB
GetLastError.KERNEL32 ref: 004081E6
SysAllocString.OLEAUT32(00000000), ref: 00408201

Part of subcall function 00403A6C: IsDebuggerPresent.KERNEL32 ref: 004068B6
Part of subcall function 00403A6C: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004068CB
Part of subcall function 00403A6C: UnhandledExceptionFilter.KERNEL32(004792E8), ref: 004068D6
Part of subcall function 00403A6C: GetCurrentProcess.KERNEL32(C0000409), ref: 004068F2
Part of subcall function 00403A6C: TerminateProcess.KERNEL32(00000000), ref: 004068F9

Part of subcall function 0040267D: HeapFree.KERNEL32(00000000,00000000), ref: 00402693
Part of subcall function 0040267D: GetLastError.KERNEL32(00000000,?,00403C1C,00000000,?,?,00403C33,?,00403993,?,?,?,?,004014DA,?,?), ref: 004026A5

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00402E25, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23

APIs

__getptd.LIBCMT ref: 00402E46
__getptd.LIBCMT ref: 00402E57

Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__getptd.LIBCMT ref: 00402E65

Strings

MOC, xrefs: 00402E38
RCC, xrefs: 00402E31

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00404DDB, Relevance: 7.6, APIs: 5, Instructions: 116

APIs

__getptd.LIBCMT ref: 00404DEB

Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

Part of subcall function 00404AD2: __getptd.LIBCMT ref: 00404ADE
Part of subcall function 00404AD2: __amsg_exit.LIBCMT ref: 00404AFE
Part of subcall function 00404AD2: InterlockedDecrement.KERNEL32(?), ref: 00404B2B
Part of subcall function 00404AD2: InterlockedIncrement.KERNEL32(01821660), ref: 00404B56

Part of subcall function 00404B76: GetOEMCP.KERNEL32 ref: 00404B9F
Part of subcall function 00404B76: GetACP.KERNEL32 ref: 00404BC2

Part of subcall function 004042C2: Sleep.KERNEL32(00000000,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96,?,?,?,00403B48,0000000D), ref: 004042E3

Part of subcall function 00404BF2: setSBCS.LIBCMT ref: 00404C1F
Part of subcall function 00404BF2: IsValidCodePage.KERNEL32(-00000030), ref: 00404C65
Part of subcall function 00404BF2: GetCPInfo.KERNEL32(00000000,?), ref: 00404C78
Part of subcall function 00404BF2: setSBUpLow.LIBCMT ref: 00404D66

InterlockedDecrement.KERNEL32(?), ref: 00404E51
InterlockedIncrement.KERNEL32(00000000), ref: 00404E76

Part of subcall function 00406A7B: __amsg_exit.LIBCMT ref: 00406A9D
Part of subcall function 00406A7B: EnterCriticalSection.KERNEL32(?,?,?,00403B48,0000000D), ref: 00406AA5

InterlockedDecrement.KERNEL32 ref: 00404F08
InterlockedIncrement.KERNEL32(00000000), ref: 00404F2C

Part of subcall function 0040267D: HeapFree.KERNEL32(00000000,00000000), ref: 00402693
Part of subcall function 0040267D: GetLastError.KERNEL32(00000000,?,00403C1C,00000000,?,?,00403C33,?,00403993,?,?,?,?,004014DA,?,?), ref: 004026A5

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004063F0, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004063FA
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00406438
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040647A

Part of subcall function 004042C2: Sleep.KERNEL32(00000000,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96,?,?,?,00403B48,0000000D), ref: 004042E3

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040645B
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040646E

Part of subcall function 0040267D: HeapFree.KERNEL32(00000000,00000000), ref: 00402693
Part of subcall function 0040267D: GetLastError.KERNEL32(00000000,?,00403C1C,00000000,?,?,00403C33,?,00403993,?,?,?,?,004014DA,?,?), ref: 004026A5

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00406718, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0040674F
GetCurrentProcessId.KERNEL32 ref: 0040675B
GetCurrentThreadId.KERNEL32 ref: 00406763
GetTickCount.KERNEL32 ref: 0040676B
QueryPerformanceCounter.KERNEL32(?), ref: 00406777

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004030D2, Relevance: 7.5, APIs: 5, Instructions: 49

APIs

__CreateFrameInfo.LIBCMT ref: 004030FA

Part of subcall function 00401706: __getptd.LIBCMT ref: 00401714
Part of subcall function 00401706: __getptd.LIBCMT ref: 00401722

__getptd.LIBCMT ref: 00403104

Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__getptd.LIBCMT ref: 00403112
__getptd.LIBCMT ref: 00403120
__getptd.LIBCMT ref: 0040312B

Part of subcall function 004017AB: __CallSettingFrame@12.LIBVCRUNTIME ref: 004017F7

Part of subcall function 004031F8: __getptd.LIBCMT ref: 00403207
Part of subcall function 004031F8: __getptd.LIBCMT ref: 00403215

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00406335, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\luketaylor\Desktop\y872ff2.exe,00000104), ref: 00406361
_parse_cmdline.LIBCMT ref: 0040638C

Part of subcall function 004042C2: Sleep.KERNEL32(00000000,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96,?,?,?,00403B48,0000000D), ref: 004042E3

_parse_cmdline.LIBCMT ref: 004063CD

Strings

C:\Users\luketaylor\Desktop\y872ff2.exe, xrefs: 00406354, 00406359

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004043D4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,?,0040440C,?,?,00402618,000000FF,0000001E,00000001,00000000,00000000,?,004042D3,?,00000001,?), ref: 004043DE
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,0040440C,?,?,00402618,000000FF,0000001E,00000001,00000000,00000000,?,004042D3,?,00000001), ref: 004043EE

Strings

mscoree.dll, xrefs: 004043D9
CorExitProcess, xrefs: 004043E8

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00404BF2, Relevance: 6.2, APIs: 4, Instructions: 159

APIs

Part of subcall function 00404B76: GetOEMCP.KERNEL32 ref: 00404B9F
Part of subcall function 00404B76: GetACP.KERNEL32 ref: 00404BC2

IsValidCodePage.KERNEL32(-00000030), ref: 00404C65
GetCPInfo.KERNEL32(00000000,?), ref: 00404C78
setSBUpLow.LIBCMT ref: 00404D66

Part of subcall function 00404942: GetCPInfo.KERNEL32(?,?), ref: 00404963
Part of subcall function 00404942: ___crtGetStringTypeA.LIBCMT ref: 004049E0
Part of subcall function 00404942: ___crtLCMapStringA.LIBCMT ref: 00404A00
Part of subcall function 00404942: ___crtLCMapStringA.LIBCMT ref: 00404A25

setSBCS.LIBCMT ref: 00404C1F

Part of subcall function 00403A6C: IsDebuggerPresent.KERNEL32 ref: 004068B6
Part of subcall function 00403A6C: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004068CB
Part of subcall function 00403A6C: UnhandledExceptionFilter.KERNEL32(004792E8), ref: 004068D6
Part of subcall function 00403A6C: GetCurrentProcess.KERNEL32(C0000409), ref: 004068F2
Part of subcall function 00403A6C: TerminateProcess.KERNEL32(00000000), ref: 004068F9

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004072D9, Relevance: 6.1, APIs: 4, Instructions: 92

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,004073EE,00000000,00000000,00000000), ref: 00407323

Part of subcall function 004025E9: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004042D3,?,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96), ref: 0040262E

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000001), ref: 0040738D
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0040739B
__freea.LIBCMT ref: 004073A5

Part of subcall function 00403A6C: IsDebuggerPresent.KERNEL32 ref: 004068B6
Part of subcall function 00403A6C: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004068CB
Part of subcall function 00403A6C: UnhandledExceptionFilter.KERNEL32(004792E8), ref: 004068D6
Part of subcall function 00403A6C: GetCurrentProcess.KERNEL32(C0000409), ref: 004068F2
Part of subcall function 00403A6C: TerminateProcess.KERNEL32(00000000), ref: 004068F9

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00404AD2, Relevance: 6.0, APIs: 4, Instructions: 47

APIs

__getptd.LIBCMT ref: 00404ADE

Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__amsg_exit.LIBCMT ref: 00404AFE

Part of subcall function 00406A7B: __amsg_exit.LIBCMT ref: 00406A9D
Part of subcall function 00406A7B: EnterCriticalSection.KERNEL32(?,?,?,00403B48,0000000D), ref: 00406AA5

InterlockedDecrement.KERNEL32(?), ref: 00404B2B

Part of subcall function 0040267D: HeapFree.KERNEL32(00000000,00000000), ref: 00402693
Part of subcall function 0040267D: GetLastError.KERNEL32(00000000,?,00403C1C,00000000,?,?,00403C33,?,00403993,?,?,?,?,004014DA,?,?), ref: 004026A5

InterlockedIncrement.KERNEL32(01821660), ref: 00404B56

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004060BF, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129

APIs

_strlen.LIBCMT ref: 004060E9

Part of subcall function 00404307: Sleep.KERNEL32(00000000), ref: 0040432F

_strlen.LIBCMT ref: 0040611A

Part of subcall function 0040267D: HeapFree.KERNEL32(00000000,00000000), ref: 00402693
Part of subcall function 0040267D: GetLastError.KERNEL32(00000000,?,00403C1C,00000000,?,?,00403C33,?,00403993,?,?,?,?,004014DA,?,?), ref: 004026A5

Part of subcall function 004054BC: GetCurrentProcess.KERNEL32(C0000417), ref: 004054D2
Part of subcall function 004054BC: TerminateProcess.KERNEL32(00000000), ref: 004054D9

Part of subcall function 00407D8E: x_ismbbtype_l.LIBCMT ref: 00407D9C

Strings

, xrefs: 0040621D

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00408CFC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97

APIs

Part of subcall function 004086DB: __fltout2.LIBCMT ref: 0040870A

__fltout2.LIBCMT ref: 00408D27

Part of subcall function 00409222: ___dtold.LIBCMT ref: 00409248
Part of subcall function 00409222: _$I10_OUTPUT.LIBCMT ref: 00409263

Part of subcall function 004090BC: _strlen.LIBCMT ref: 00409157

__cftof2_l.LIBCMT ref: 00408DB4

Part of subcall function 00408B38: _strlen.LIBCMT ref: 00408BB6
Part of subcall function 00408B38: _strlen.LIBCMT ref: 00408BDA

Part of subcall function 00403A6C: IsDebuggerPresent.KERNEL32 ref: 004068B6
Part of subcall function 00403A6C: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004068CB
Part of subcall function 00403A6C: UnhandledExceptionFilter.KERNEL32(004792E8), ref: 004068D6
Part of subcall function 00403A6C: GetCurrentProcess.KERNEL32(C0000409), ref: 004068F2
Part of subcall function 00403A6C: TerminateProcess.KERNEL32(00000000), ref: 004068F9

Strings

-, xrefs: 00408D54

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0042C470, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Processkernel32.dll), ref: 0042C5DC

Strings

.dll, xrefs: 0042C497
IsWow64Processkernel32.dll, xrefs: 0042C4A4, 0042C525

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004086DB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84

APIs

__fltout2.LIBCMT ref: 0040870A

Part of subcall function 00409222: ___dtold.LIBCMT ref: 00409248
Part of subcall function 00409222: _$I10_OUTPUT.LIBCMT ref: 00409263

Part of subcall function 004090BC: _strlen.LIBCMT ref: 00409157

Part of subcall function 00403A6C: IsDebuggerPresent.KERNEL32 ref: 004068B6
Part of subcall function 00403A6C: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004068CB
Part of subcall function 00403A6C: UnhandledExceptionFilter.KERNEL32(004792E8), ref: 004068D6
Part of subcall function 00403A6C: GetCurrentProcess.KERNEL32(C0000409), ref: 004068F2
Part of subcall function 00403A6C: TerminateProcess.KERNEL32(00000000), ref: 004068F9

Strings

e+000, xrefs: 00408647
-, xrefs: 00408755

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00408C3B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80

APIs

__fltout2.LIBCMT ref: 00408C66

Part of subcall function 00409222: ___dtold.LIBCMT ref: 00409248
Part of subcall function 00409222: _$I10_OUTPUT.LIBCMT ref: 00409263

Part of subcall function 004090BC: _strlen.LIBCMT ref: 00409157

__cftof2_l.LIBCMT ref: 00408CE5

Part of subcall function 00408B38: _strlen.LIBCMT ref: 00408BB6
Part of subcall function 00408B38: _strlen.LIBCMT ref: 00408BDA

Part of subcall function 00403A6C: IsDebuggerPresent.KERNEL32 ref: 004068B6
Part of subcall function 00403A6C: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004068CB
Part of subcall function 00403A6C: UnhandledExceptionFilter.KERNEL32(004792E8), ref: 004068D6
Part of subcall function 00403A6C: GetCurrentProcess.KERNEL32(C0000409), ref: 004068F2
Part of subcall function 00403A6C: TerminateProcess.KERNEL32(00000000), ref: 004068F9

Strings

-, xrefs: 00408CBE

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 0041E9D3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44

APIs

GetModuleFileNameW.KERNEL32 ref: 0041E9D3
GetLastError.KERNEL32(0047CD64,0047A6B8), ref: 0041EA71

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

Strings

z, xrefs: 0041EAB4

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 00403AFE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0047D118,00000008,00403C06,00000000,00000000,?,?,00403C33,?,00403993,?,?,?,?,004014DA), ref: 00403B0F

Part of subcall function 00406A7B: __amsg_exit.LIBCMT ref: 00406A9D
Part of subcall function 00406A7B: EnterCriticalSection.KERNEL32(?,?,?,00403B48,0000000D), ref: 00406AA5

InterlockedIncrement.KERNEL32(0047F0C0), ref: 00403B50

Part of subcall function 00404F93: InterlockedIncrement.KERNEL32(?), ref: 00404FA5
Part of subcall function 00404F93: InterlockedIncrement.KERNEL32(?), ref: 00404FB2
Part of subcall function 00404F93: InterlockedIncrement.KERNEL32(?), ref: 00404FBF
Part of subcall function 00404F93: InterlockedIncrement.KERNEL32(?), ref: 00404FCC
Part of subcall function 00404F93: InterlockedIncrement.KERNEL32(?), ref: 00404FD9
Part of subcall function 00404F93: InterlockedIncrement.KERNEL32(?), ref: 00404FF5
Part of subcall function 00404F93: InterlockedIncrement.KERNEL32(00000000), ref: 00405005
Part of subcall function 00404F93: InterlockedIncrement.KERNEL32(?), ref: 0040501B

Strings

KERNEL32.DLL, xrefs: 00403B0A

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Function 004031F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37

APIs

Part of subcall function 00401759: __getptd.LIBCMT ref: 0040175F
Part of subcall function 00401759: __getptd.LIBCMT ref: 0040176F
Part of subcall function 00401759: __getptd.LIBCMT ref: 00401780

__getptd.LIBCMT ref: 00403207

Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__getptd.LIBCMT ref: 00403215

Part of subcall function 00401732: __getptd.LIBCMT ref: 00401737

Strings

csm, xrefs: 00403223

Memory Dump Source

Source File: 00000000.00000002.654728317.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654717984.00400000.00000002.sdmp
Associated: 00000000.00000002.654798037.00478000.00000002.sdmp
Associated: 00000000.00000002.654807897.0047F000.00000004.sdmp
Associated: 00000000.00000002.654822955.00483000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y872ff2.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Networking:

Stealing of Sensitive Information:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshot

Startup

Created / dropped Files

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\diablo6-3952.htm

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\diablo6-6706.htm

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\diablo6-83a4.htm

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.xml

C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Setup.xml

C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.xml

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-1F0721B1-AB42ECBD9D9E.diablo6

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-48BF6EC1-442DB5B8A4A0.diablo6

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\DX1KWDRT-SWHS-3N44-4E518D26-7A155DC82EBB.diablo6