Analysis Report

Overview

General Information

Joe Sandbox Version:	19.0.0
Analysis ID:	289272
Start time:	15:37:15
Joe Sandbox Product:	Cloud
Start date:	09.06.2017
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	g8F53.tmp.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 (Office 2003 SP3, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal60.evad.adwa.winEXE@1/4@1/2
HCA Information:	Successful, ratio: 98% Number of executed functions: 43 Number of non-executed functions: 39
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	60	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine

Signature Overview

Click to jump to signature section

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\g8F53.tmp.exe

File written: C:\Windows\System32\drivers\etc\hosts

Networking:

Contains functionality to download additional files from the internet

Show sources

Source: C:\g8F53.tmp.exe

Code function: 0_2_000000013FC44890 LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,_fread_nolock,DeleteFileA,

0_2_000000013FC44890

Downloads files

Show sources

Source: C:\g8F53.tmp.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOPT6FQ2

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /iavs9x/servers.def HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: files.avast.comConnection: Keep-Alive

Found strings which match to known social media urls

Show sources

Source: g8F53.tmp.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: g8F53.tmp.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: g8F53.tmp.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: files.avast.com

Urls found in memory or binary data

Show sources

Source: g8F53.tmp.exe	String found in binary or memory: file:///c:/users/user/appdata/local/microsoft/windows/temporary%20internet%20files/content.ie5/
Source: g8F53.tmp.exe	String found in binary or memory: http://cacerts.digicert.com/digicertassuredidcodesigningca-1.crt0
Source: g8F53.tmp.exe	String found in binary or memory: http://cacerts.digicert.com/digicertevcodesigningca-sha2.crt0
Source: g8F53.tmp.exe	String found in binary or memory: http://cacerts.digicert.com/digicertevcodesigningca.crt0
Source: g8F53.tmp.exe	String found in binary or memory: http://cacerts.digicert.com/digicerthighassurancecodesigningca-1.crt0
Source: g8F53.tmp.exe	String found in binary or memory: http://cacerts.digicert.com/digicertsha2assuredidcodesigningca.crt0
Source: g8F53.tmp.exe	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: g8F53.tmp.exe	String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: g8F53.tmp.exe	String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: g8F53.tmp.exe	String found in binary or memory: http://cj
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.com
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.comn
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.comodo.net/utn-useqr
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.comodoca.com
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.comodoca.com/comodocodesigningca2.crl0r
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.comodoca.com/comodorsaextendedvalidationcodesigningca.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.entrust.net/2048ca.c
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.godaddy.com/gds5-16.crl0s
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: g8F53.tmp.exe	String found in binary or memory: http://crl3.digicert.com/evcodesigni
Source: g8F53.tmp.exe	String found in binary or memory: http://crl3.digicert.com/evcodesigning-g1.crl03
Source: g8F53.tmp.exe	String found in binary or memory: http://crl3.digicert.com/evcodesigningsha2-g1.crl07
Source: g8F53.tmp.exe	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: g8F53.tmp.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: g8F53.tmp.exe	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0l
Source: g8F53.tmp.exe	String found in binary or memory: http://crl4.digicert.com/evcodesigning-g1.crl0k
Source: g8F53.tmp.exe	String found in binary or memory: http://crl4.digicert.com/evcodesigningsha2-g1.crl0k
Source: g8F53.tmp.exe	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0l
Source: g8F53.tmp.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0b
Source: g8F53.tmp.exe	String found in binary or memory: http://crt.como
Source: g8F53.tmp.exe	String found in binary or memory: http://crt.comodoca.com/comodocodesigningca2.crt0$
Source: g8F53.tmp.exe	String found in binary or memory: http://crt.comodoca.com/comodorsaextendedvalidationcodesigningca.crt0$
Source: g8F53.tmp.exe	String found in binary or memory: http://crt.comodoca.com/utnaddt
Source: g8F53.tmp.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: g8F53.tmp.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: g8F53.tmp.exe	String found in binary or memory: http://d0211227.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://d0211227.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://d0211227.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://d0211227.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://d0211227.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://d0211227.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://d3116203.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://d3116203.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://d3116203.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://d3116203.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://d3116203.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://d3116203.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://f5136535.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://f5136535.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://f5136535.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://f5136535.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://f5136535.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://f5136535.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://f6761140.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://f6761140.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://f6761140.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://f6761140.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://f6761140.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://f6761140.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://f7031642.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://f7031642.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://f7031642.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://f7031642.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://f7031642.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://f7031642.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://files.avast.com/iavs9x/servers.def
Source: g8F53.tmp.exe	String found in binary or memory: http://files.avast.com/iavs9x/servers.def&
Source: g8F53.tmp.exe	String found in binary or memory: http://files.avast.com/iavs9x/servers.def011
Source: g8F53.tmp.exe	String found in binary or memory: http://files.avast.com/iavs9x/servers.defc:
Source: g8F53.tmp.exe	String found in binary or memory: http://files.avast.com/iavs9x/servers.defppc:
Source: g8F53.tmp.exe	String found in binary or memory: http://g0511470.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://g0511470.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://g0511470.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://g0511470.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://g0511470.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://g0511470.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://geoip.avast.com/geoip/geoip.php
Source: g8F53.tmp.exe	String found in binary or memory: http://gf.tools.avast.com/tools/gf/
Source: g8F53.tmp.exe	String found in binary or memory: http://h0637628.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://h0637628.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://h0637628.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://h0637628.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://h0637628.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://h0637628.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://h1874089.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://h1874089.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://h1874089.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://h1874089.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://h1874089.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://h1874089.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://j8087387.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://j8087387.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://j8087387.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://j8087387.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://j8087387.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://j8087387.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://k6375621.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://k6375621.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://k6375621.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://k6375621.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://k6375621.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://k6375621.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://l5978727.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://l5978727.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://l5978727.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://l5978727.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://l5978727.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://l5978727.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.comodoc
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com0.
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.digicert.com0c
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.digicert.com0h
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.digicert.com0l
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.digicert.com0n
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.digicert.com0p
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp.godaddy.com/0j
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g20
Source: g8F53.tmp.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30v
Source: g8F53.tmp.exe	String found in binary or memory: http://p3713387.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://p3713387.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://p3713387.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://p3713387.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://p3713387.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://p3713387.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://p4085325.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://p4085325.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://p4085325.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://p4085325.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://p4085325.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://p4085325.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://r5525652.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://r5525652.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://r5525652.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://r5525652.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://r5525652.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://r5525652.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://s
Source: g8F53.tmp.exe	String found in binary or memory: http://s4705686.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://s4705686.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://s4705686.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://s4705686.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://s4705686.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://s4705686.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://s7284151.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://s7284151.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://s7284151.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://s7284151.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://s7284151.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://s7284151.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: g8F53.tmp.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
Source: g8F53.tmp.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: g8F53.tmp.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: g8F53.tmp.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: g8F53.tmp.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0w
Source: g8F53.tmp.exe	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: g8F53.tmp.exe	String found in binary or memory: http://sf.symcd.com0&
Source: g8F53.tmp.exe	String found in binary or memory: http://sm00.avast.com/cgi-bin/iavsup2.cgi
Source: g8F53.tmp.exe	String found in binary or memory: http://submit5.avast.com/cgi-bin/submit50.cgi
Source: g8F53.tmp.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: g8F53.tmp.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: g8F53.tmp.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0w
Source: g8F53.tmp.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: g8F53.tmp.exe	String found in binary or memory: http://sv.symcd.com0&
Source: g8F53.tmp.exe	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://sw.symcb.com/sw.crl0f
Source: g8F53.tmp.exe	String found in binary or memory: http://sw.symcd.com0
Source: g8F53.tmp.exe	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: g8F53.tmp.exe	String found in binary or memory: http://t3036159.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://t3036159.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://t3036159.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://t3036159.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://t3036159.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://t3036159.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://t5730298.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://t5730298.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://t5730298.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://t5730298.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://t5730298.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://t5730298.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://v4618535.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://v4618535.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://v4618535.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://v4618535.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://v4618535.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://v4618535.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://v6834318.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://v6834318.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://v6834318.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://v6834318.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://v6834318.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://v6834318.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://v7.stats.avast.com/cgi-bin/iavs4stats.cgi
Source: g8F53.tmp.exe	String found in binary or memory: http://v7630928.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://v7630928.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://v7630928.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://v7630928.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://v7630928.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://v7630928.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
Source: g8F53.tmp.exe	String found in binary or memory: http://w6607332.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://w6607332.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://w6607332.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://w6607332.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://w6607332.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://w6607332.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://w9448963.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://w9448963.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://w9448963.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://w9448963.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://w9448963.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://w9448963.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://ww
Source: g8F53.tmp.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: g8F53.tmp.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: g8F53.tmp.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: g8F53.tmp.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdz
Source: g8F53.tmp.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: g8F53.tmp.exe	String found in binary or memory: http://www.usertrust.com1
Source: g8F53.tmp.exe	String found in binary or memory: http://x6055396.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://x6055396.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://x6055396.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://x6055396.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://x6055396.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://x6055396.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://y9663457.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://y9663457.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://y9663457.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://y9663457.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://y9663457.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://y9663457.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://z2217299.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://z2217299.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://z2217299.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://z2217299.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://z2217299.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://z2217299.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://z2461313.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://z2461313.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://z2461313.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://z2461313.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://z2461313.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://z2461313.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://z9743321.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://z9743321.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://z9743321.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://z9743321.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://z9743321.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://z9743321.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: http://z9820048.iavs5x.u.avast.com/iavs5x
Source: g8F53.tmp.exe	String found in binary or memory: http://z9820048.iavs9x.u.avast.com/iavs9x
Source: g8F53.tmp.exe	String found in binary or memory: http://z9820048.ivps9tiny.u.avast.com/ivps9tiny
Source: g8F53.tmp.exe	String found in binary or memory: http://z9820048.ivps9x.u.avast.com/ivps9x
Source: g8F53.tmp.exe	String found in binary or memory: http://z9820048.vpsnitro.u.avast.com/vpsnitro
Source: g8F53.tmp.exe	String found in binary or memory: http://z9820048.vpsnitrotiny.u.avast.com/vpsnitrotiny
Source: g8F53.tmp.exe	String found in binary or memory: https://d.symcb
Source: g8F53.tmp.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: g8F53.tmp.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: g8F53.tmp.exe	String found in binary or memory: https://d1o
Source: g8F53.tmp.exe	String found in binary or memory: https://id.avast.com/inavastium
Source: g8F53.tmp.exe	String found in binary or memory: https://ipm-provider.ff.avast.com/
Source: g8F53.tmp.exe	String found in binary or memory: https://pair.ff.avast.com
Source: g8F53.tmp.exe	String found in binary or memory: https://secure.comodo.com/cps0
Source: g8F53.tmp.exe	String found in binary or memory: https://secure.comodo.com/cps0u
Source: g8F53.tmp.exe	String found in binary or memory: https://secure.comodo.net/cps0a
Source: g8F53.tmp.exe	String found in binary or memory: https://www.digicert.com/cps0
Source: g8F53.tmp.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\g8F53.tmp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639
Source: C:\g8F53.tmp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639
Source: C:\g8F53.tmp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639
Source: C:\g8F53.tmp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639

Creates autostart registry keys with suspicious names

Show sources

Source: C:\g8F53.tmp.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\g8F53.tmp.exe

Code function: 0_2_000000013FC44890 LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,_fread_nolock,DeleteFileA,

0_2_000000013FC44890

PE file contains an invalid checksum

Show sources

Source: g8F53.tmp.exe

Static PE information: real checksum: 0x0 should be: 0x4c4d6

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\g8F53.tmp.exe	Code function: 0_2_000000013FC62DA8 FindFirstFileExA,		0_2_000000013FC62DA8
Source: C:\g8F53.tmp.exe	Code function: 0_1_000000013FC62DA8 FindFirstFileExA,		0_1_000000013FC62DA8

System Summary:

PE file has a high image base, often used for DLLs

Show sources

Source: g8F53.tmp.exe

Static PE information: Image base 0x140000000L > 0x60000000

PE file contains a mix of data directories often seen in goodware

Show sources

Source: g8F53.tmp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: g8F53.tmp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: g8F53.tmp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: g8F53.tmp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: g8F53.tmp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: g8F53.tmp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: g8F53.tmp.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

PE file contains a debug data directory

Show sources

Source: g8F53.tmp.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

PE file contains a valid data directory to section mapping

Show sources

Source: g8F53.tmp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: g8F53.tmp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: g8F53.tmp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: g8F53.tmp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: g8F53.tmp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Classification label

Show sources

Source: classification engine

Classification label: mal60.evad.adwa.winEXE@1/4@1/2

Contains functionality to enum processes or threads

Show sources

Source: C:\g8F53.tmp.exe

Code function: 0_2_000000013FC42DC0 LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle,

0_2_000000013FC42DC0

Creates temporary files

Show sources

Source: C:\g8F53.tmp.exe

File created: C:\Users\HANSPE~1\AppData\Local\Temp\s284.0

PE file has an executable .text section and no other executable section

Show sources

Source: g8F53.tmp.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Show sources

Source: C:\g8F53.tmp.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Uses an in-process (OLE) Automation server

Show sources

Source: C:\g8F53.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Contains functionality to call native functions

Show sources

Source: C:\g8F53.tmp.exe	Code function: 0_2_000000013FC42DC0 LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle,		0_2_000000013FC42DC0
Source: C:\g8F53.tmp.exe	Code function: 0_1_000000013FC42DC0 LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle,		0_1_000000013FC42DC0

Found potential string decryption / allocating functions

Show sources

Source: C:\g8F53.tmp.exe

Code function: String function: 000000013FC5B61C appears 34 times

Reads the hosts file

Show sources

Source: C:\g8F53.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\g8F53.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\g8F53.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\g8F53.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\g8F53.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\g8F53.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\g8F53.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts

Sample file is different than original file name gathered from version info

Show sources

Source: g8F53.tmp.exe	Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs g8F53.tmp.exe
Source: g8F53.tmp.exe	Binary or memory string: OriginalFilenamewship6.dll.muij% vs g8F53.tmp.exe

Tries to load missing DLLs

Show sources

Source: C:\g8F53.tmp.exe	Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\g8F53.tmp.exe	Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\g8F53.tmp.exe	Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\g8F53.tmp.exe	Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\g8F53.tmp.exe	Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\g8F53.tmp.exe	Section loaded: api-ms-win-core-sysinfo-l1-2-1.dll

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: g8F53.tmp.exe	Binary or memory string: Progman
Source: g8F53.tmp.exe	Binary or memory string: Program Manager
Source: g8F53.tmp.exe	Binary or memory string: Shell_TrayWnd

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Show sources

Source: C:\g8F53.tmp.exe	Code function: LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle, c:\windows\explorer.exe		0_2_000000013FC42DC0
Source: C:\g8F53.tmp.exe	Code function: LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle, :\windows\explorer.exe		0_2_000000013FC42DC0

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\g8F53.tmp.exe	Memory protected: unknown base: 7FFFFFDF000 protect: page read and write
Source: C:\g8F53.tmp.exe	Memory protected: unknown base: 2C1DC0 protect: page read and write

Creates new 'disallowed' certificate (very likely to block AV)

Show sources

Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9132E8B079D080E01D52631690BE18EBC2347C1E Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3D496FA682E65FC122351EC29B55AB94F3BB03FC Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\ED841A61C0F76025598421BC1B00E24189E68D54 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\18DEA4EFA93B06AE997D234411F3FD72A677EECE Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\76A9295EF4343E12DFC5FE05DC57227C1AB00D29 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5240AB5B05D11B37900AC7712A3C6AE42F377C8C Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4420C99742DF11DD0795BC15B7B0ABF090DC84DF Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DD3D41810F28B2A13E9A004E6412061E28FA48D Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A59CC32724DD07A6FC33F7806945481A2D13CA2F Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1667908C9E22EFBD0590E088715CC74BE4C60884 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\0F684EC1163281085C6AF20528878103ACEFCAAB Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7457A3793086DBB58B3858D6476889E3311E550E Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\249BDA38A611CD746A132FA2AF995A2D3C941264 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FBB42F089AF2D570F2BF6F493D107A3255A9BB1A Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\982D98951CF3C0CA2A02814D474A976CBFF6BDB1 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\373C33726722D3A5D1EDD1F1585D5D25B39BEA1A Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD96BB64BA36379D2E354660780C2067B81DA2E0 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E22240E837B52E691C71DF248F12D27F96441C00 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\331E2046A1CCA7BFEF766724394BE6112B4CA3F7 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CDC37C22FE9272D8F2610206AD397A45040326B8 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB303C9B61282DE525DC754A535CA2D6A9BD3D87 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9C43F665E690AB4D486D4717B456C5554D4BCEB5 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 Blob
Source: C:\g8F53.tmp.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3353EA609334A9F23A701B9159E30CB6C22D4C59 Blob

Modifies the hosts file

Show sources

Source: C:\g8F53.tmp.exe

File written: C:\Windows\System32\drivers\etc\hosts

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\g8F53.tmp.exe	Code function: 0_2_000000013FC46028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000013FC46028
Source: C:\g8F53.tmp.exe	Code function: 0_2_000000013FC5C06C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000013FC5C06C
Source: C:\g8F53.tmp.exe	Code function: 0_2_000000013FC4649C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000013FC4649C
Source: C:\g8F53.tmp.exe	Code function: 0_1_000000013FC46028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_1_000000013FC46028
Source: C:\g8F53.tmp.exe	Code function: 0_1_000000013FC5C06C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_1_000000013FC5C06C
Source: C:\g8F53.tmp.exe	Code function: 0_1_000000013FC4649C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_1_000000013FC4649C

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\g8F53.tmp.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\g8F53.tmp.exe

Code function: 0_2_000000013FC5C06C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000000013FC5C06C

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Show sources

Source: C:\g8F53.tmp.exe

0_2_000000013FC42DC0

Contains functionality to dynamically determine API calls

Show sources

Source: C:\g8F53.tmp.exe

Code function: 0_2_000000013FC44890 LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,_fread_nolock,DeleteFileA,

0_2_000000013FC44890

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\g8F53.tmp.exe

Code function: 0_2_000000013FC641FC GetProcessHeap,

0_2_000000013FC641FC

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\g8F53.tmp.exe	Code function: 0_2_000000013FC62DA8 FindFirstFileExA,		0_2_000000013FC62DA8
Source: C:\g8F53.tmp.exe	Code function: 0_1_000000013FC62DA8 FindFirstFileExA,		0_1_000000013FC62DA8

Queries a list of all running processes

Show sources

Source: C:\g8F53.tmp.exe

Process information queried: ProcessInformation

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Show sources

Source: C:\g8F53.tmp.exe

0_2_000000013FC42DC0

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\g8F53.tmp.exe TID: 3012	Thread sleep time: -100s >= -60s
Source: C:\g8F53.tmp.exe TID: 2616	Thread sleep time: -60000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: tmp.exe

Static PE information: g8F53.tmp.exe

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\g8F53.tmp.exe

File written: C:\Windows\System32\drivers\etc\hosts

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\g8F53.tmp.exe

Code function: 0_2_000000013FC5BBA8 GetSystemTimeAsFileTime,

0_2_000000013FC5BBA8

Contains functionality to query time zone information

Show sources

Source: C:\g8F53.tmp.exe

Code function: 0_2_000000013FC60BFC GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_000000013FC60BFC

Queries the cryptographic machine GUID

Show sources

Source: C:\g8F53.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_000000013FC67760
Source: C:\g8F53.tmp.exe	Code function: EnumSystemLocalesW,	0_2_000000013FC67338
Source: C:\g8F53.tmp.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_000000013FC67948
Source: C:\g8F53.tmp.exe	Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	0_2_000000013FC66F5C
Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,	0_2_000000013FC67810
Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,	0_2_000000013FC5BB10
Source: C:\g8F53.tmp.exe	Code function: EnumSystemLocalesW,	0_2_000000013FC5B584
Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,	0_2_000000013FC67614
Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_000000013FC673D0
Source: C:\g8F53.tmp.exe	Code function: EnumSystemLocalesW,	0_2_000000013FC67268
Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_1_000000013FC67760
Source: C:\g8F53.tmp.exe	Code function: EnumSystemLocalesW,	0_1_000000013FC67338
Source: C:\g8F53.tmp.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_1_000000013FC67948
Source: C:\g8F53.tmp.exe	Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	0_1_000000013FC66F5C
Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,	0_1_000000013FC67810
Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,	0_1_000000013FC5BB10
Source: C:\g8F53.tmp.exe	Code function: EnumSystemLocalesW,	0_1_000000013FC5B584
Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,	0_1_000000013FC67614
Source: C:\g8F53.tmp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_1_000000013FC673D0
Source: C:\g8F53.tmp.exe	Code function: EnumSystemLocalesW,	0_1_000000013FC67268

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\g8F53.tmp.exe

Code function: 0_2_000000013FC69F60 cpuid

0_2_000000013FC69F60

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Yara Overview

No Yara matches

Startup

system is w7x64

g8F53.tmp.exe (PID: 2884 cmdline: 'C:\g8F53.tmp.exe' MD5: 679A54233089BD649B01BC70905E22CD)

cleanup

Created / dropped Files

File Path	Type and Hashes	Malicious
C:\760639	Type: data MD5: CF5BB3B4D6A3ADE6041C1D333FA8C273 SHA: BD4B5146484AB02E926C61E161C1E6093B892BD7 SHA-256: 7063BCCF89B09F51EE70A47B6170AE07914DCA26648B7441C2F9EB7BD6A04397 SHA-512: F7A7475133880CB5E79ADA4999D5E9037841509A2C03EC726094F18A2AD0132009B7F3A5C585B31B52C0CCDF7C9C1F080628669B5F2DB7A694B9DCB3DD34E072	false
C:\Users\HANSPE~1\AppData\Local\Temp\s284.0	Type: ASCII text, with CRLF line terminators MD5: 195CDCAAED78D2B59ABC94F8C0D441F5 SHA: 3D9C75B738762E574B072163661C0F1B9A7C962D SHA-256: 6DB1CBEFDC21B46405E404C868B4E76383AB1B34B81AE29BAE8CF06FD81587CF SHA-512: 4F5FE41184D923C09C3202D29C35E9B74FEE579D1E668C076F6BE9251109183C303CF3C6C2C35D5EFAE80B21CC3215605A4087D70B1813A7E006925E5C0E127B	false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOPT6FQ2\servers[1].def	Type: ASCII text, with CRLF line terminators MD5: 195CDCAAED78D2B59ABC94F8C0D441F5 SHA: 3D9C75B738762E574B072163661C0F1B9A7C962D SHA-256: 6DB1CBEFDC21B46405E404C868B4E76383AB1B34B81AE29BAE8CF06FD81587CF SHA-512: 4F5FE41184D923C09C3202D29C35E9B74FEE579D1E668C076F6BE9251109183C303CF3C6C2C35D5EFAE80B21CC3215605A4087D70B1813A7E006925E5C0E127B	false
C:\Windows\System32\drivers\etc\hosts	Type: ASCII text, with CRLF line terminators MD5: C93D6BDCE002C97896DAC3FFA6544683 SHA: EF35EC9D4BB99A09854DA521A48F3412DB1717E1 SHA-256: 374A299BEF7E31243B9D9F8F19E9832293567B265F44066917CF8F20AD29BA65 SHA-512: B3E55F7C8A3BF731F6AF35AE718391E1C85790D49FDBA562E9592960D11717CC59471363A91E1732D52DF563B111D39BF1C34BC2355E0C25A999D050DC1FA27B	true

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious
files.avast.com	2.17.214.122	true	false

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Flag	ASN	ASN Name	Malicious
8.8.8.8	United States		15169	GoogleInc	false
2.17.214.122	European Union		16625	AkamaiTechnologiesInc	false

Static File Info

General
File type:	PE32+ executable for MS Windows (GUI) Mono/.Net assembly
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	g8F53.tmp.exe
File size:	307200
MD5:	679a54233089bd649b01bc70905e22cd
SHA1:	a66197a6fdf6cde046a02ec10eb417bf125a63b1
SHA256:	b529ca4dd148fdfcee0c1f267bc6821cc5168c121363fa690536a72e0f447c19
SHA512:	f954b54a96caf2711ae79ca2bc76b633832ec1f504a3b7c3bf1c168e02df63cf206899bf483b5f400e1dacdd7281ac28b847346fcf33fcb89908dbadab563076
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(..;I.R;I.R;I.R..;R2I.R..9R.I.R..8R4I.R...R:I.R.).S3I.R.).S'I.R.).S/I.R21YR6I.R;I.R.I.R.(.S:I.R.(5R:I.R.(.S:I.RRich;I.R.......

File Icon

Static PE Info

General
Entrypoint:	0x140006014L
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000L
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x59370A51 [Tue Jun 06 20:02:25 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	ca74f2c2225045446ef176b0c9d468b6

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 100C484Ch
dec eax
add esp, 28h
jmp 100C4027h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00025237h]
dec eax
mov ecx, ebx
call dword ptr [00025236h]
call dword ptr [00025220h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00025204h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call 100E85ECh
test eax, eax
je 100C41A9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [000437BFh]
call 100C436Fh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [000438A6h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00043836h], eax
dec eax
mov eax, dword ptr [0004388Fh]
dec eax
mov dword ptr [00043700h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00043804h], eax
mov dword ptr [000436DAh], C0000409h
mov dword ptr [000436D4h], 00000001h
mov dword ptr [000436DEh], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36f1c	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4b000	0x1ea8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0x758	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x34fa0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x34fc0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x760	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Xored PE	ZLIB Complexity	File Type	Characteristics
.text	0x1000	0x29f00	0x2a000	False	0.534923735119	ump; data	6.50640221128	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0xd82e	0xda00	False	0.444309059633	ump; data	5.15782030144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39000	0x11d70	0x10800	False	0.480513139205	fÔÿÿ2¢ß-	7.27336022663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x4b000	0x1ea8	0x2000	False	0.471923828125	ump; PEX Binary Archive	5.34032237763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x4d000	0x1e0	0x200	False	0.53125	ump; data	4.71377258295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0x758	0x800	False	0.55908203125	ump; data	5.2503088955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x4d060	0x17d	ump; XML document text	English	United States

Imports

DLL	Import
CRYPT32.dll	CertOpenStore, CertCloseStore, CertAddCertificateContextToStore, CertFreeCertificateContext, CertCreateCertificateContext
KERNEL32.dll	RaiseException, FlushFileBuffers, GetFileType, ReadConsoleW, GetConsoleMode, SetFilePointerEx, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, HeapAlloc, HeapFree, GetACP, WriteFile, GetStdHandle, GetTempPathW, MultiByteToWideChar, GetStringTypeW, GetModuleHandleExW, ExitProcess, LoadLibraryExW, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, SetLastError, RtlUnwindEx, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetModuleHandleW, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, DeleteFileW, HeapReAlloc, GetTimeZoneInformation, GetCPInfo, MoveFileExW, GetFileAttributesExW, CreateFileW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, GetProcessHeap, CreateEventA, WideCharToMultiByte, GetCurrentProcessId, LocalFree, Beep, GetProcAddress, CloseHandle, DeleteFileA, LoadLibraryA, GetSystemDirectoryA, SetEvent, GetLastError, Sleep, GetModuleHandleA, GetCurrentThreadId, RegisterWaitForSingleObject, GetModuleFileNameA, ReadFile, SetStdHandle, HeapSize, SetEndOfFile, WriteConsoleW, GetConsoleCP
USER32.dll	BeginPaint, CheckDlgButton, BroadcastSystemMessageA, ChildWindowFromPoint, ChangeMenuA, DefDlgProcA, CascadeWindows, CharLowerA, CreateMenu, PostQuitMessage, CharNextA, CharLowerBuffA, DeferWindowPos, CloseWindow, AdjustWindowRectEx, GetMessageA, CheckMenuRadioItem, CreateIconFromResourceEx, DispatchMessageA, LoadCursorA, DeregisterShellHookWindow, CloseWindowStation, CheckRadioButton, CopyImage, CopyIcon, CharPrevA, DeleteMenu, CreateWindowStationA, CallNextHookEx, ArrangeIconicWindows, CreatePopupMenu, ChildWindowFromPointEx, DestroyCursor, AnyPopup, BeginDeferWindowPos, CloseDesktop, SetTimer, CopyAcceleratorTableA, PostThreadMessageA, ChangeClipboardChain, CopyRect, CreateIconIndirect, ClientToScreen, FindWindowExA, CallWindowProcA, DestroyAcceleratorTable, DefMDIChildProcA, CharUpperBuffA, CreateAcceleratorTableA, CreateCaret, CountClipboardFormats, CharToOemBuffA, CreateCursor, AttachThreadInput, CreateIconFromResource, DefFrameProcA, CreateIcon, CharToOemA, AdjustWindowRect, RegisterClassA, DefWindowProcA, DestroyMenu, CreateWindowExA, BringWindowToTop, TranslateMessage, ClipCursor, SendMessageA, DestroyCaret, CallMsgFilterA, CreateDialogParamA, LoadIconA, CharUpperA, CreateDialogIndirectParamA, AppendMenuA, CheckMenuItem, CreateMDIWindowA, ActivateKeyboardLayout, DestroyIcon
ADVAPI32.dll	RegReplaceKeyA, RegSaveKeyA, IsValidAcl, RegConnectRegistryA, RegDeleteValueA, RegRestoreKeyA, RegCreateKeyA, RegNotifyChangeKeyValue, RegEnumKeyA, RegGetKeySecurity, RegCloseKey, RegOpenKeyA, RegEnumValueA, RegSetValueA, RegDeleteKeyA, RegQueryValueExA, RegQueryMultipleValuesA, RegCreateKeyExA, RegFlushKey, RegQueryValueA, RegUnLoadKeyA, RegSetKeySecurity, RegSetValueExA, IsValidSecurityDescriptor, RegLoadKeyA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumKeyExA
SHELL32.dll	CommandLineToArgvW
ole32.dll	CoRegisterMessageFilter, CoFileTimeNow, CoRevokeClassObject, CoDisconnectObject, CoInitializeEx, CoGetStdMarshalEx, CLSIDFromString, CoMarshalHresult, CoDosDateTimeToFileTime, CoFreeLibrary, CoTaskMemRealloc, CoFreeUnusedLibraries, IIDFromString, CoRegisterMallocSpy, CoLockObjectExternal, CoFreeAllLibraries, CoLoadLibrary, CoUnmarshalHresult, CoGetMalloc, CoFileTimeToDosDateTime, CoReleaseMarshalData, CLSIDFromProgID, CoCreateFreeThreadedMarshaler, CoCreateGuid, CoTaskMemAlloc, CoIsHandlerConnected, CoRevokeMallocSpy, CoGetCurrentProcess, CoTaskMemFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP:	Network PCAP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2017 15:40:08.834712029 MESZ	53908	53	192.168.1.13	8.8.8.8
Jun 9, 2017 15:40:09.292851925 MESZ	53	53908	8.8.8.8	192.168.1.13
Jun 9, 2017 15:40:09.324213028 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.324254036 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.324376106 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.325232983 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.325249910 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.665602922 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.665976048 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.678288937 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.678308010 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.678334951 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.678390980 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.680398941 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.680412054 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.680449963 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.680536985 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.684830904 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.684849977 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.684875965 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.684973955 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.696362019 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.696468115 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.699193954 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.699223042 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.699230909 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.699306011 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.702703953 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.702785969 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.713334084 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.713362932 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.713375092 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.716732979 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.723906994 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.724067926 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.726281881 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.726310968 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.726325989 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.726592064 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:40:09.730989933 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.731014967 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:40:09.732007027 MESZ	49235	80	192.168.1.13	2.17.214.122
Jun 9, 2017 15:41:12.149789095 MESZ	80	49235	2.17.214.122	192.168.1.13
Jun 9, 2017 15:41:12.149885893 MESZ	49235	80	192.168.1.13	2.17.214.122

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2017 15:40:08.834712029 MESZ	53908	53	192.168.1.13	8.8.8.8
Jun 9, 2017 15:40:09.292851925 MESZ	53	53908	8.8.8.8	192.168.1.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 9, 2017 15:40:08.834712029 MESZ	192.168.1.13	8.8.8.8	0xaa62	Standard query (0)	files.avast.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Jun 9, 2017 15:40:09.292851925 MESZ	8.8.8.8	192.168.1.13	0xaa62	No error (0)	files.avast.com		2.17.214.122	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

files.avast.com

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Jun 9, 2017 15:40:09.325232983 MESZ	49235	80	192.168.1.13	2.17.214.122	GET /iavs9x/servers.def HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: files.avast.com Connection: Keep-Alive	0
Jun 9, 2017 15:40:09.665602922 MESZ	80	49235	2.17.214.122	192.168.1.13	HTTP/1.1 200 OK Last-Modified: Thu, 20 Apr 2017 07:39:25 GMT ETag: "58f865ad-6183" Server: nginx Content-Type: text/plain Content-Length: 24963 Accept-Ranges: bytes Cache-Control: max-age=56 Expires: Fri, 09 Jun 2017 13:41:05 GMT Date: Fri, 09 Jun 2017 13:40:09 GMT Connection: keep-alive Data Raw: 5b 73 65 72 76 65 72 73 5d 0d 0a 63 6f 75 6e 74 3d 32 39 0d 0a 52 65 70 6f 49 44 3d 69 61 76 73 39 78 0d 0a 4c 61 74 65 73 74 50 72 6f 67 72 61 6d 56 65 72 73 69 6f 6e 3d 31 36 37 39 36 38 37 36 38 0d 0a 4c 61 74 65 73 74 42 75 73 69 6e 65 73 73 56 65 72 73 69 6f 6e 3d 31 36 37 39 36 38 37 36 38 0d 0a 53 65 6e 64 53 74 61 74 73 46 69 6c 74 65 72 3d 32 0d 0a 53 65 6e 64 44 72 6f 70 70 65 72 46 69 6c 74 65 72 3d 38 0d 0a 53 65 6e 64 44 72 6f 70 70 65 72 46 69 6c 74 65 72 32 3d 38 0d 0a 53 65 6e 64 43 72 61 73 68 64 75 6d 70 46 69 6c 74 65 72 3d 33 32 0d 0a 57 72 63 54 72 61 66 66 69 Data Ascii: [servers]count=29RepoID=iavs9xLatestProgramVersion=167968768LatestBusinessVersion=167968768SendStatsFilter=2SendDropperFilter=8SendDropperFilter2=8SendCrashdumpFilter=32WrcTraffi	1
Jun 9, 2017 15:40:09.678288937 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 63 54 6f 3d 30 0d 0a 53 68 65 70 68 65 72 64 55 72 6c 3d 73 68 65 70 68 65 72 64 2e 66 66 2e 61 76 61 73 74 2e 63 6f 6d 0d 0a 50 72 6f 67 55 70 64 61 74 65 43 6f 6e 63 65 61 6c 48 6f 75 72 73 3d 31 36 38 0d 0a 56 36 5f 50 72 6f 67 55 70 64 61 74 Data Ascii: cTo=0ShepherdUrl=shepherd.ff.avast.comProgUpdateConcealHours=168V6_ProgUpdateConcealHours=168V7_ProgUpdateConcealHours=168V8_ProgUpdateConcealHours=168V9_ProgUpdateConcealHours=168V10_ProgUpdateConcealHours=168V5_UpdateScreenEl	3
Jun 9, 2017 15:40:09.678308010 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 31 32 2c 31 3b 2d 33 2c 31 32 2c 31 3b 2d 37 2c 32 34 2c 31 3b 2d 38 2c 32 34 2c 31 3b 2d 39 2c 32 34 2c 31 3b 2d 31 32 2c 32 34 2c 31 0d 0a 53 4c 45 78 70 54 6f 61 73 74 65 72 54 69 6d 69 6e 67 59 65 61 72 4c 69 63 3d 33 30 2c 32 34 2c 30 3b 32 Data Ascii: 12,1;-3,12,1;-7,24,1;-8,24,1;-9,24,1;-12,24,1SLExpToasterTimingYearLic=30,24,0;23,12,0;15,12,0;12,12,1;9,12,1;7,12,1;6,12,1;5,12,1;4,12,1;3,6,1;2,6,1;1,6,1;0,6,1;-1,6,1;-2,6,1;-3,6,1;-4,6,1;-5,6,1;-6,6,1;-7,6,1;-8,12,1;-9,12,1;-10,12,1;-11,1	4
Jun 9, 2017 15:40:09.678334951 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 31 34 34 30 0d 0a 49 70 6d 50 72 6f 74 6f 63 6f 6c 48 74 74 70 32 30 31 35 3d 0d 0a 45 78 70 54 6f 61 73 74 65 72 54 69 6d 69 6e 67 54 72 69 61 6c 53 75 62 5f 74 34 39 33 6f 66 66 62 3d 37 2c 32 34 2c 31 3b 36 2c 32 34 2c 31 3b 35 2c 32 34 2c 31 Data Ascii: 1440IpmProtocolHttp2015=ExpToasterTimingTrialSub_t493offb=7,24,1;6,24,1;5,24,1;4,12,1;3,12,1;2,12,1;1,6,1;0,6,1;-1,6,1;-2,6,1;-3,6,1;-4,6,1;-5,6,1;-6,6,1;-7,24,1ExpToasterTimingTrialSub_t493onb=7,24,1;6,24,1;5,24,1;4,12,1;3,12,1;2,12,1;1	5
Jun 9, 2017 15:40:09.680398941 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 3b 36 2c 32 34 2c 31 3b 35 2c 32 34 2c 31 3b 34 2c 31 32 2c 31 3b 33 2c 31 32 2c 31 3b 32 2c 31 32 2c 31 3b 31 2c 31 32 2c 31 3b 30 2c 31 32 2c 31 3b 2d 31 2c 31 32 2c 31 3b 2d 32 2c 31 32 2c 31 3b 2d 33 2c 31 32 2c 31 3b 2d 37 2c 32 34 2c 31 3b Data Ascii: ;6,24,1;5,24,1;4,12,1;3,12,1;2,12,1;1,12,1;0,12,1;-1,12,1;-2,12,1;-3,12,1;-7,24,1;-8,24,1;-9,24,1;-12,24,1[server0]name=Download v4618535 AVAST9 Serverurlpgm=http://v4618535.iavs9x.u.avast.com/iavs9xurlvps=http://v4618535.ivps9x.u.av	6
Jun 9, 2017 15:40:09.680412054 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 3a 2f 2f 73 75 62 6d 69 74 35 2e 61 76 61 73 74 2e 63 6f 6d 2f 63 67 69 2d 62 69 6e 2f 73 75 62 6d 69 74 35 30 2e 63 67 69 0d 0a 67 65 6f 49 50 3d 68 74 74 70 3a 2f 2f 67 65 6f 69 70 2e 61 76 61 73 74 2e 63 6f 6d 2f 67 65 6f 69 70 2f 67 65 6f 69 Data Ascii: ://submit5.avast.com/cgi-bin/submit50.cgigeoIP=http://geoip.avast.com/geoip/geoip.phpweight=20[server2]name=Download v7630928 AVAST9 Serverurlpgm=http://v7630928.iavs9x.u.avast.com/iavs9xurlvps=http://v7630928.ivps9x.u.avast.com/	8
Jun 9, 2017 15:40:09.680449963 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 74 35 2e 61 76 61 73 74 2e 63 6f 6d 2f 63 67 69 2d 62 69 6e 2f 73 75 62 6d 69 74 35 30 2e 63 67 69 0d 0a 67 65 6f 49 50 3d 68 74 74 70 3a 2f 2f 67 65 6f 69 70 2e 61 76 61 73 74 2e 63 6f 6d 2f 67 65 6f 69 70 2f 67 65 6f 69 70 2e 70 68 70 0d 0a 77 Data Ascii: t5.avast.com/cgi-bin/submit50.cgigeoIP=http://geoip.avast.com/geoip/geoip.phpweight=20[server4]name=Download z9743321 AVAST9 Serverurlpgm=http://z9743321.iavs9x.u.avast.com/iavs9xurlvps=http://z9743321.ivps9x.u.avast.com/ivps9x	8
Jun 9, 2017 15:40:09.684830904 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 3a 2f 2f 7a 39 37 34 33 33 32 31 2e 76 70 73 6e 69 74 72 6f 74 69 6e 79 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f 76 70 73 6e 69 74 72 6f 74 69 6e 79 0d 0a 75 72 6c 3d 68 74 74 70 3a 2f 2f 7a 39 37 34 33 33 32 31 2e 69 61 76 73 35 78 2e 75 2e 61 76 Data Ascii: ://z9743321.vpsnitrotiny.u.avast.com/vpsnitrotinyurl=http://z9743321.iavs5x.u.avast.com/iavs5xstats=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats2=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats10=http://v7event.stats.ava	10
Jun 9, 2017 15:40:09.684849977 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 31 35 39 2e 76 70 73 6e 69 74 72 6f 74 69 6e 79 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f 76 70 73 6e 69 74 72 6f 74 69 6e 79 0d 0a 75 72 6c 3d 68 74 74 70 3a 2f 2f 74 33 30 33 36 31 35 39 2e 69 61 76 73 35 78 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f Data Ascii: 159.vpsnitrotiny.u.avast.com/vpsnitrotinyurl=http://t3036159.iavs5x.u.avast.com/iavs5xstats=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats2=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats10=http://v7event.stats.avast.com/c	11
Jun 9, 2017 15:40:09.684875965 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 69 74 72 6f 74 69 6e 79 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f 76 70 73 6e 69 74 72 6f 74 69 6e 79 0d 0a 75 72 6c 3d 68 74 74 70 3a 2f 2f 70 34 30 38 35 33 32 35 2e 69 61 76 73 35 78 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f 69 61 76 73 35 78 0d 0a Data Ascii: itrotiny.u.avast.com/vpsnitrotinyurl=http://p4085325.iavs5x.u.avast.com/iavs5xstats=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats2=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats10=http://v7event.stats.avast.com/cgi-bin/i	12
Jun 9, 2017 15:40:09.696362019 MESZ	80	49235	2.17.214.122	192.168.1.13	Data Raw: 65 76 65 6e 74 73 2e 63 67 69 0d 0a 73 75 62 6d 69 74 3d 68 74 74 70 3a 2f 2f 73 6d 30 30 2e 61 76 61 73 74 2e 63 6f 6d 2f 63 67 69 2d 62 69 6e 2f 69 61 76 73 75 70 32 2e 63 67 69 0d 0a 73 75 62 6d 69 74 35 3d 68 74 74 70 3a 2f 2f 73 75 62 6d 69 Data Ascii: events.cgisubmit=http://sm00.avast.com/cgi-bin/iavsup2.cgisubmit5=http://submit5.avast.com/cgi-bin/submit50.cgigeoIP=http://geoip.avast.com/geoip/geoip.phpweight=20[server10]name=Download k6375621 AVAST9 Serverurlpgm=http://k63	13

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: g8F53.tmp.exe PID: 2884 Parent PID: 1484

General

Start time:	15:39:31
Start date:	09/06/2017
Path:	C:\g8F53.tmp.exe
Wow64 process (32bit):	false
Commandline:	'C:\g8F53.tmp.exe'
Imagebase:	0x13fc40000
File size:	307200 bytes
MD5 hash:	679A54233089BD649B01BC70905E22CD
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: g8F53.tmp.exe PID: 2884 Parent PID: 1484

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.9%
Total number of Nodes:	1143
Total number of Limit Nodes:	69

Executed Functions

Function 000000013FC42DC0, Relevance: 34.1, APIs: 10, Strings: 9, Instructions: 820

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000000013FC432A2
Process32First.KERNEL32 ref: 000000013FC432C3
Process32Next.KERNEL32 ref: 000000013FC43322
OpenProcess.KERNELBASE ref: 000000013FC434B9
NtQueryInformationProcess.NTDLL ref: 000000013FC4395F
VirtualProtectEx.KERNEL32 ref: 000000013FC43982
ReadProcessMemory.KERNEL32 ref: 000000013FC439A5
VirtualProtectEx.KERNEL32 ref: 000000013FC439CF
ReadProcessMemory.KERNEL32 ref: 000000013FC439F0
ReadProcessMemory.KERNEL32 ref: 000000013FC43A36

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

uyq-, xrefs: 000000013FC431A1
c:\windows\explorer.exe, xrefs: 000000013FC43A95
S|h, xrefs: 000000013FC43197
b`|z, xrefs: 000000013FC42E12
67r9, xrefs: 000000013FC43559
sm`a, xrefs: 000000013FC434EA
;9,=, xrefs: 000000013FC4354F
<\~p, xrefs: 000000013FC42E08
hWzf, xrefs: 000000013FC4334F

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC42DC0, Relevance: 32.3, APIs: 10, Strings: 8, Instructions: 820

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000000013FC432A2
Process32First.KERNEL32 ref: 000000013FC432C3
Process32Next.KERNEL32 ref: 000000013FC43322
OpenProcess.KERNELBASE ref: 000000013FC434B9
NtQueryInformationProcess.NTDLL ref: 000000013FC4395F
VirtualProtectEx.KERNEL32 ref: 000000013FC43982
ReadProcessMemory.KERNEL32 ref: 000000013FC439A5
VirtualProtectEx.KERNEL32 ref: 000000013FC439CF
ReadProcessMemory.KERNEL32 ref: 000000013FC439F0
ReadProcessMemory.KERNEL32 ref: 000000013FC43A36

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

<\~p, xrefs: 000000013FC42E08
uyq-, xrefs: 000000013FC431A1
sm`a, xrefs: 000000013FC434EA
67r9, xrefs: 000000013FC43559
;9,=, xrefs: 000000013FC4354F
b`|z, xrefs: 000000013FC42E12
hWzf, xrefs: 000000013FC4334F
S|h, xrefs: 000000013FC43197

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC44890, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 357

APIs

LoadLibraryA.KERNEL32 ref: 000000013FC449C0
URLDownloadToFileA.URLMON ref: 000000013FC44A77

Part of subcall function 000000013FC48FB8: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC48F17

_fread_nolock.LIBCMT ref: 000000013FC44B3C

Part of subcall function 000000013FC54C74: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC54C9D

DeleteFileA.KERNELBASE ref: 000000013FC44B50

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

.Q, xrefs: 000000013FC44BC8

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC5BBA8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23

APIs

Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNELBASE(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6B8
Part of subcall function 000000013FC5B61C: GetLastError.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6C6
Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6D9
Part of subcall function 000000013FC5B61C: FreeLibrary.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B712
Part of subcall function 000000013FC5B61C: GetProcAddress.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B73E

GetSystemTimeAsFileTime.KERNEL32(?,?,?,000000013FC581C0,?,?,?,000000013FC5823D), ref: 000000013FC5BBEF

Strings

GetSystemTimePreciseAsFileTime, xrefs: 000000013FC5BBC8

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC451FD, Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 455

APIs

CreateWindowExA.USER32 ref: 000000013FC455C1
RegisterWaitForSingleObject.KERNEL32 ref: 000000013FC457F7
GetProcAddress.KERNEL32 ref: 000000013FC4591B
GetMessageA.USER32 ref: 000000013FC45A8A

Part of subcall function 000000013FC42DC0: CreateToolhelp32Snapshot.KERNEL32 ref: 000000013FC432A2
Part of subcall function 000000013FC42DC0: Process32First.KERNEL32 ref: 000000013FC432C3
Part of subcall function 000000013FC42DC0: Process32Next.KERNEL32 ref: 000000013FC43322
Part of subcall function 000000013FC42DC0: OpenProcess.KERNELBASE ref: 000000013FC434B9
Part of subcall function 000000013FC42DC0: NtQueryInformationProcess.NTDLL ref: 000000013FC4395F
Part of subcall function 000000013FC42DC0: VirtualProtectEx.KERNEL32 ref: 000000013FC43982
Part of subcall function 000000013FC42DC0: ReadProcessMemory.KERNEL32 ref: 000000013FC439A5
Part of subcall function 000000013FC42DC0: VirtualProtectEx.KERNEL32 ref: 000000013FC439CF
Part of subcall function 000000013FC42DC0: ReadProcessMemory.KERNEL32 ref: 000000013FC439F0
Part of subcall function 000000013FC42DC0: ReadProcessMemory.KERNEL32 ref: 000000013FC43A36

Part of subcall function 000000013FC429D0: RegCreateKeyExA.ADVAPI32 ref: 000000013FC42D34
Part of subcall function 000000013FC429D0: RegSetValueExA.ADVAPI32 ref: 000000013FC42D95

Part of subcall function 000000013FC446A0: CertOpenStore.CRYPT32 ref: 000000013FC446C0
Part of subcall function 000000013FC446A0: CertCreateCertificateContext.CRYPT32 ref: 000000013FC44712
Part of subcall function 000000013FC446A0: CertAddCertificateContextToStore.CRYPT32 ref: 000000013FC44730
Part of subcall function 000000013FC446A0: CertFreeCertificateContext.CRYPT32 ref: 000000013FC44739
Part of subcall function 000000013FC446A0: CertCloseStore.CRYPT32 ref: 000000013FC44759

Part of subcall function 000000013FC44E20: GetSystemDirectoryA.KERNEL32 ref: 000000013FC44E5A
Part of subcall function 000000013FC44E20: _fread_nolock.LIBCMT ref: 000000013FC44FAE

TranslateMessage.USER32 ref: 000000013FC45A45
DispatchMessageA.USER32 ref: 000000013FC45A5C

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

0lx, xrefs: 000000013FC45200
+9, xrefs: 000000013FC4562A
d, xrefs: 000000013FC459BD

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC6249C, Relevance: 13.8, APIs: 9, Instructions: 272

APIs

Part of subcall function 000000013FC62108: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC62149
Part of subcall function 000000013FC62108: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC621C6
Part of subcall function 000000013FC62108: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC62217

Part of subcall function 000000013FC64790: EnterCriticalSection.KERNEL32(?,?,?,?,?,000000013FC6252C), ref: 000000013FC6483D
Part of subcall function 000000013FC64790: LeaveCriticalSection.KERNEL32(?,?,?,?,?,000000013FC6252C), ref: 000000013FC6484C

CreateFileW.KERNEL32 ref: 000000013FC6259D
CreateFileW.KERNEL32 ref: 000000013FC625F9
GetLastError.KERNEL32 ref: 000000013FC6262D
GetFileType.KERNEL32 ref: 000000013FC62642
GetLastError.KERNEL32 ref: 000000013FC6264C
CloseHandle.KERNEL32 ref: 000000013FC6267F

Part of subcall function 000000013FC646AC: SetStdHandle.KERNEL32 ref: 000000013FC64727

CloseHandle.KERNEL32 ref: 000000013FC627D8
CreateFileW.KERNEL32 ref: 000000013FC62810
GetLastError.KERNEL32 ref: 000000013FC6281F

Part of subcall function 000000013FC648C0: SetStdHandle.KERNEL32 ref: 000000013FC6493A

Part of subcall function 000000013FC6023C: CloseHandle.KERNEL32 ref: 000000013FC6029F
Part of subcall function 000000013FC6023C: GetLastError.KERNEL32 ref: 000000013FC602A9

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC4724C, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 127

APIs

LoadLibraryExW.KERNELBASE(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC472EF
GetLastError.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC472FD
LoadLibraryExW.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC4733F
FreeLibrary.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC47378
GetProcAddress.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC473A4

Strings

ext-ms-, xrefs: 000000013FC47324
api-ms-, xrefs: 000000013FC47311

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5CDE4, Relevance: 10.8, APIs: 7, Instructions: 294

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5CF08

Part of subcall function 000000013FC5B2CC: HeapAlloc.KERNEL32 ref: 000000013FC5B30A

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

Part of subcall function 000000013FC67F48: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC67F9B

GetConsoleMode.KERNEL32 ref: 000000013FC5D052
ReadConsoleW.KERNEL32 ref: 000000013FC5D081
GetLastError.KERNEL32 ref: 000000013FC5D08B
ReadFile.KERNEL32 ref: 000000013FC5D0D3

Part of subcall function 000000013FC5C79C: ReadFile.KERNEL32 ref: 000000013FC5C882

Part of subcall function 000000013FC5C9CC: ReadFile.KERNEL32 ref: 000000013FC5CAA3
Part of subcall function 000000013FC5C9CC: MultiByteToWideChar.KERNEL32 ref: 000000013FC5CC74
Part of subcall function 000000013FC5C9CC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000000013FC5CC80

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,000000013FC62396), ref: 000000013FC5D1DD
_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5D229

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC44E20, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131

APIs

GetSystemDirectoryA.KERNEL32 ref: 000000013FC44E5A

Part of subcall function 000000013FC48FB8: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC48F17

_fread_nolock.LIBCMT ref: 000000013FC44FAE

Part of subcall function 000000013FC44890: LoadLibraryA.KERNEL32 ref: 000000013FC449C0
Part of subcall function 000000013FC44890: URLDownloadToFileA.URLMON ref: 000000013FC44A77
Part of subcall function 000000013FC44890: _fread_nolock.LIBCMT ref: 000000013FC44B3C
Part of subcall function 000000013FC44890: DeleteFileA.KERNELBASE ref: 000000013FC44B50

Part of subcall function 000000013FC54C74: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC54C9D

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

^^, xrefs: 000000013FC44FDD
|db, xrefs: 000000013FC44E70
UW, xrefs: 000000013FC44FE5
M[\N, xrefs: 000000013FC44FCF

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC446A0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51

APIs

CertOpenStore.CRYPT32 ref: 000000013FC446C0
CertCreateCertificateContext.CRYPT32 ref: 000000013FC44712
CertAddCertificateContextToStore.CRYPT32 ref: 000000013FC44730
CertFreeCertificateContext.CRYPT32 ref: 000000013FC44739
CertCloseStore.CRYPT32 ref: 000000013FC44759

Strings

Disallowed, xrefs: 000000013FC446A8

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC429D0, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 211

APIs

RegCreateKeyExA.ADVAPI32 ref: 000000013FC42D34
RegSetValueExA.ADVAPI32 ref: 000000013FC42D95

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

?, xrefs: 000000013FC42D13
K8), xrefs: 000000013FC42A06
, xrefs: 000000013FC42C29

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5FC70, Relevance: 7.7, APIs: 5, Instructions: 203

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5FCB5

Part of subcall function 000000013FC67F48: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC67F9B

GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?,00001000,?,00000000,000000013FC6862E), ref: 000000013FC5FEAA

Part of subcall function 000000013FC5D828: GetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D832
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D89A
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D8B0

GetConsoleMode.KERNEL32 ref: 000000013FC5FD78
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?,00001000,?,00000000,000000013FC6862E), ref: 000000013FC5FDF3

Part of subcall function 000000013FC5F5E4: GetConsoleCP.KERNEL32 ref: 000000013FC5F641
Part of subcall function 000000013FC5F5E4: WideCharToMultiByte.KERNEL32 ref: 000000013FC5F71D
Part of subcall function 000000013FC5F5E4: WriteFile.KERNEL32 ref: 000000013FC5F743
Part of subcall function 000000013FC5F5E4: WriteFile.KERNEL32 ref: 000000013FC5F782
Part of subcall function 000000013FC5F5E4: GetLastError.KERNEL32 ref: 000000013FC5F7BA

Part of subcall function 000000013FC6837C: WriteConsoleW.KERNEL32 ref: 000000013FC683C1

Part of subcall function 000000013FC5FA10: WideCharToMultiByte.KERNEL32 ref: 000000013FC5FAF6
Part of subcall function 000000013FC5FA10: WriteFile.KERNEL32 ref: 000000013FC5FB29
Part of subcall function 000000013FC5FA10: GetLastError.KERNEL32 ref: 000000013FC5FB4B

Part of subcall function 000000013FC5F8F4: WriteFile.KERNEL32 ref: 000000013FC5F9C1
Part of subcall function 000000013FC5F8F4: GetLastError.KERNEL32 ref: 000000013FC5F9DD

Part of subcall function 000000013FC5F7EC: WriteFile.KERNEL32 ref: 000000013FC5F8A2
Part of subcall function 000000013FC5F7EC: GetLastError.KERNEL32 ref: 000000013FC5F8BE

WriteFile.KERNEL32 ref: 000000013FC5FEA0

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5B61C, Relevance: 7.6, APIs: 5, Instructions: 114

APIs

LoadLibraryExW.KERNELBASE(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6B8
GetLastError.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6C6
LoadLibraryExW.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6D9
FreeLibrary.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B712
GetProcAddress.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B73E

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC63C74, Relevance: 6.1, APIs: 4, Instructions: 74

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,000000013FC592AF,?,?,?,000000013FC5926A), ref: 000000013FC63C8D
WideCharToMultiByte.KERNEL32 ref: 000000013FC63CEF

Part of subcall function 000000013FC5B2CC: HeapAlloc.KERNEL32 ref: 000000013FC5B30A

WideCharToMultiByte.KERNEL32 ref: 000000013FC63D29

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000013FC592AF,?,?,?,000000013FC5926A), ref: 000000013FC63D53

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC43D90, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192

APIs

GetComputerNameA.KERNEL32 ref: 000000013FC44053

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

, xrefs: 000000013FC44047
C:\760639, xrefs: 000000013FC43E01

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC68854, Relevance: 4.7, APIs: 3, Instructions: 237

APIs

MultiByteToWideChar.KERNEL32 ref: 000000013FC688DB
MultiByteToWideChar.KERNEL32 ref: 000000013FC689A0

Part of subcall function 000000013FC5BDE0: LCMapStringW.KERNEL32 ref: 000000013FC5BEAE

Part of subcall function 000000013FC5B2CC: HeapAlloc.KERNEL32 ref: 000000013FC5B30A

WideCharToMultiByte.KERNEL32 ref: 000000013FC68B30

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC43D90, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 192

APIs

GetComputerNameA.KERNEL32 ref: 000000013FC44053

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

, xrefs: 000000013FC44047

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC63494, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126

APIs

GetCPInfo.KERNEL32 ref: 000000013FC634CA

Part of subcall function 000000013FC66130: MultiByteToWideChar.KERNEL32 ref: 000000013FC661A3
Part of subcall function 000000013FC66130: MultiByteToWideChar.KERNEL32 ref: 000000013FC6626C
Part of subcall function 000000013FC66130: GetStringTypeW.KERNEL32 ref: 000000013FC66286

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

, xrefs: 000000013FC6350F

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5BDE0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56

APIs

Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNELBASE(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6B8
Part of subcall function 000000013FC5B61C: GetLastError.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6C6
Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6D9
Part of subcall function 000000013FC5B61C: FreeLibrary.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B712
Part of subcall function 000000013FC5B61C: GetProcAddress.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B73E

LCMapStringW.KERNEL32 ref: 000000013FC5BEAE

Strings

LCMapStringEx, xrefs: 000000013FC5BE01, 000000013FC5BE12

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5BC74, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32

APIs

Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNELBASE(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6B8
Part of subcall function 000000013FC5B61C: GetLastError.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6C6
Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6D9
Part of subcall function 000000013FC5B61C: FreeLibrary.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B712
Part of subcall function 000000013FC5B61C: GetProcAddress.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B73E

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000030,000000013FC64533,?,?,?,000000013FC647E1,?,?,?,?,?,000000013FC6252C), ref: 000000013FC5BCD1

Strings

InitializeCriticalSectionEx, xrefs: 000000013FC5BC9E

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC47534, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32

APIs

Part of subcall function 000000013FC4724C: LoadLibraryExW.KERNELBASE(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC472EF
Part of subcall function 000000013FC4724C: GetLastError.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC472FD
Part of subcall function 000000013FC4724C: LoadLibraryExW.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC4733F
Part of subcall function 000000013FC4724C: FreeLibrary.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC47378
Part of subcall function 000000013FC4724C: GetProcAddress.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC473A4

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93,?,?,?,?,000000013FC45B67), ref: 000000013FC47590

Strings

InitializeCriticalSectionEx, xrefs: 000000013FC4754B, 000000013FC4755E

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC47424, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22

APIs

Part of subcall function 000000013FC4724C: LoadLibraryExW.KERNELBASE(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC472EF
Part of subcall function 000000013FC4724C: GetLastError.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC472FD
Part of subcall function 000000013FC4724C: LoadLibraryExW.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC4733F
Part of subcall function 000000013FC4724C: FreeLibrary.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC47378
Part of subcall function 000000013FC4724C: GetProcAddress.KERNEL32(?,?,?,000000013FC4756F,?,?,?,000000013FC471F0,?,?,00000001,000000013FC46E93), ref: 000000013FC473A4

TlsAlloc.KERNEL32(?,?,?,000000013FC47178,?,?,?,?,000000013FC46EA0,?,?,?,?,000000013FC45B67), ref: 000000013FC47464

Strings

FlsAlloc, xrefs: 000000013FC47431, 000000013FC47441

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5B9A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22

APIs

Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNELBASE(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6B8
Part of subcall function 000000013FC5B61C: GetLastError.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6C6
Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6D9
Part of subcall function 000000013FC5B61C: FreeLibrary.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B712
Part of subcall function 000000013FC5B61C: GetProcAddress.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B73E

TlsAlloc.KERNEL32 ref: 000000013FC5B9E4

Strings

FlsAlloc, xrefs: 000000013FC5B9C0

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC58928, Relevance: 3.2, APIs: 2, Instructions: 187

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC58964
_invalid_parameter_noinfo.LIBCMT ref: 000000013FC58A9A

Part of subcall function 000000013FC5C774: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5C788

Part of subcall function 000000013FC5CDE4: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5CF08
Part of subcall function 000000013FC5CDE4: GetConsoleMode.KERNEL32 ref: 000000013FC5D052
Part of subcall function 000000013FC5CDE4: ReadConsoleW.KERNEL32 ref: 000000013FC5D081
Part of subcall function 000000013FC5CDE4: GetLastError.KERNEL32 ref: 000000013FC5D08B
Part of subcall function 000000013FC5CDE4: ReadFile.KERNEL32 ref: 000000013FC5D0D3
Part of subcall function 000000013FC5CDE4: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,000000013FC62396), ref: 000000013FC5D1DD
Part of subcall function 000000013FC5CDE4: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5D229

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC63918, Relevance: 3.2, APIs: 2, Instructions: 186

APIs

Part of subcall function 000000013FC63384: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,000000013FC636A1,?,?,?,?,?,?,?,000000013FC63849), ref: 000000013FC633AE
Part of subcall function 000000013FC63384: GetACP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,000000013FC636A1,?,?,?,?,?,?,?,000000013FC63849), ref: 000000013FC633C5

IsValidCodePage.KERNEL32(?,?,?,00000000,?,00000000,00000001,000000013FC63754,?,?,?,?,?,?,?,000000013FC63849), ref: 000000013FC63992
GetCPInfo.KERNEL32(?,?,?,00000000,?,00000000,00000001,000000013FC63754,?,?,?,?,?,?,?,000000013FC63849), ref: 000000013FC639A7

Part of subcall function 000000013FC63494: GetCPInfo.KERNEL32 ref: 000000013FC634CA

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC45EA8, Relevance: 3.1, APIs: 2, Instructions: 89

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 000000013FC45ED3

Part of subcall function 000000013FC465E4: GetStartupInfoW.KERNEL32 ref: 000000013FC46600

__scrt_is_managed_app.LIBCMT ref: 000000013FC45FC1

Part of subcall function 000000013FC46620: GetModuleHandleW.KERNEL32(?,?,?,?,000000013FC45FC6), ref: 000000013FC46626

Part of subcall function 000000013FC4649C: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC464B8
Part of subcall function 000000013FC4649C: RtlCaptureContext.KERNEL32 ref: 000000013FC464E1
Part of subcall function 000000013FC4649C: RtlLookupFunctionEntry.KERNEL32 ref: 000000013FC464FB
Part of subcall function 000000013FC4649C: RtlVirtualUnwind.KERNEL32 ref: 000000013FC4653C
Part of subcall function 000000013FC4649C: IsDebuggerPresent.KERNEL32 ref: 000000013FC46590
Part of subcall function 000000013FC4649C: SetUnhandledExceptionFilter.KERNEL32 ref: 000000013FC465B1
Part of subcall function 000000013FC4649C: UnhandledExceptionFilter.KERNEL32 ref: 000000013FC465BC

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5F7EC, Relevance: 3.1, APIs: 2, Instructions: 74

APIs

WriteFile.KERNEL32 ref: 000000013FC5F8A2
GetLastError.KERNEL32 ref: 000000013FC5F8BE

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5C610, Relevance: 3.0, APIs: 2, Instructions: 42

APIs

Part of subcall function 000000013FC6497C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC649E3

SetFilePointerEx.KERNEL32 ref: 000000013FC5C654
GetLastError.KERNEL32 ref: 000000013FC5C65E

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC45110, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38

APIs

Sleep.KERNELBASE ref: 000000013FC45195

Strings

@KL, xrefs: 000000013FC45129

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC56914, Relevance: 1.6, APIs: 1, Instructions: 128

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC56956

Part of subcall function 000000013FC5C774: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5C788

Part of subcall function 000000013FC5FB84: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5FC50

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC41F40, Relevance: 1.6, APIs: 1, Instructions: 102

APIs

FindWindowExA.USER32 ref: 000000013FC42025

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5FB84, Relevance: 1.6, APIs: 1, Instructions: 68

APIs

Part of subcall function 000000013FC5FC70: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5FCB5
Part of subcall function 000000013FC5FC70: GetConsoleMode.KERNEL32 ref: 000000013FC5FD78
Part of subcall function 000000013FC5FC70: GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?,00001000,?,00000000,000000013FC6862E), ref: 000000013FC5FDF3
Part of subcall function 000000013FC5FC70: WriteFile.KERNEL32 ref: 000000013FC5FEA0
Part of subcall function 000000013FC5FC70: GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?,00001000,?,00000000,000000013FC6862E), ref: 000000013FC5FEAA

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5FC50

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC61D94, Relevance: 1.6, APIs: 1, Instructions: 64

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC61DC4

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC48FB8, Relevance: 1.6, APIs: 1, Instructions: 61

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC48F17

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC645D0, Relevance: 1.6, APIs: 1, Instructions: 51

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC64604

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC58BC8, Relevance: 1.5, APIs: 1, Instructions: 49

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC58C1C

Part of subcall function 000000013FC58928: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC58964
Part of subcall function 000000013FC58928: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC58A9A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC54BF0, Relevance: 1.5, APIs: 1, Instructions: 40

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC54C0D

Part of subcall function 000000013FC5C774: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5C788

Part of subcall function 000000013FC60198: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC6022C

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC58188, Relevance: 1.5, APIs: 1, Instructions: 38

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC581A1

Part of subcall function 000000013FC5BBA8: GetSystemTimeAsFileTime.KERNEL32(?,?,?,000000013FC581C0,?,?,?,000000013FC5823D), ref: 000000013FC5BBEF

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC56AB0, Relevance: 1.5, APIs: 1, Instructions: 37

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC56AE5

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC54C74, Relevance: 1.5, APIs: 1, Instructions: 33

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC54C9D

Part of subcall function 000000013FC54BF0: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC54C0D

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC45E8C, Relevance: 1.5, APIs: 1, Instructions: 18

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5B1CC

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5B38C, Relevance: 1.3, APIs: 1, Instructions: 36

APIs

HeapAlloc.KERNEL32(?,?,00000000,000000013FC5D8FC,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B3E1

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5B2CC, Relevance: 1.3, APIs: 1, Instructions: 29

APIs

HeapAlloc.KERNEL32 ref: 000000013FC5B30A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Non-executed Functions

Function 000000013FC4649C, Relevance: 10.6, APIs: 7, Instructions: 70

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC464B8
RtlCaptureContext.KERNEL32 ref: 000000013FC464E1
RtlLookupFunctionEntry.KERNEL32 ref: 000000013FC464FB
RtlVirtualUnwind.KERNEL32 ref: 000000013FC4653C
IsDebuggerPresent.KERNEL32 ref: 000000013FC46590
SetUnhandledExceptionFilter.KERNEL32 ref: 000000013FC465B1
UnhandledExceptionFilter.KERNEL32 ref: 000000013FC465BC

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC66F5C, Relevance: 9.2, APIs: 6, Instructions: 208

APIs

Part of subcall function 000000013FC5D828: GetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D832
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D89A
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D8B0

TranslateName.LIBCMT ref: 000000013FC66FC6
TranslateName.LIBCMT ref: 000000013FC67001

Part of subcall function 000000013FC66DA4: GetACP.KERNEL32(?,?,000000A0,000000013FC67042,?,?,?,00000000,?,000000013FC5A6AC), ref: 000000013FC66E42

IsValidCodePage.KERNEL32(?,?,?,00000000,?,000000013FC5A6AC), ref: 000000013FC6705E

Part of subcall function 000000013FC64404: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC6442F

Part of subcall function 000000013FC5BB10: GetLocaleInfoW.KERNEL32(?,?,00000000,000000013FC5A733), ref: 000000013FC5BB87

wcschr.LIBVCRUNTIME ref: 000000013FC670F1
wcschr.LIBVCRUNTIME ref: 000000013FC67101

Part of subcall function 000000013FC5C298: GetCurrentProcess.KERNEL32(?,?,?,?,000000013FC5C276), ref: 000000013FC5C2C5

GetLocaleInfoW.KERNEL32 ref: 000000013FC671E9

Part of subcall function 000000013FC69104: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC6912B
Part of subcall function 000000013FC69104: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC691C9

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC67948, Relevance: 9.2, APIs: 6, Instructions: 174

APIs

Part of subcall function 000000013FC5D828: GetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D832
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D89A
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D8B0

Part of subcall function 000000013FC67338: EnumSystemLocalesW.KERNEL32(?,?,?,000000013FC67A07,?,00000000,?,00000000,00000001,00000000,?,000000013FC5A6A5), ref: 000000013FC673B8

Part of subcall function 000000013FC67268: EnumSystemLocalesW.KERNEL32(?,?,?,000000013FC67A4B,?,00000000,?,00000000,00000001,00000000,?,000000013FC5A6A5), ref: 000000013FC67306

EnumSystemLocalesW.KERNEL32(?,00000000,?,00000000,00000001,00000000,?,000000013FC5A6A5), ref: 000000013FC67A9F
GetUserDefaultLCID.KERNEL32(?,00000000,?,00000000), ref: 000000013FC67AB8
IsValidCodePage.KERNEL32 ref: 000000013FC67B03
IsValidLocale.KERNEL32 ref: 000000013FC67B19
GetLocaleInfoW.KERNEL32 ref: 000000013FC67B75
GetLocaleInfoW.KERNEL32 ref: 000000013FC67B91

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Part of subcall function 000000013FC67760: GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,000000013FC67AE7), ref: 000000013FC677B5
Part of subcall function 000000013FC67760: GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,000000013FC67AE7), ref: 000000013FC677E2
Part of subcall function 000000013FC67760: GetACP.KERNEL32(?,?,?,?,?,?,?,000000013FC67AE7), ref: 000000013FC677F8

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC67760, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,000000013FC67AE7), ref: 000000013FC677B5
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,000000013FC67AE7), ref: 000000013FC677E2
GetACP.KERNEL32(?,?,?,?,?,?,?,000000013FC67AE7), ref: 000000013FC677F8

Strings

OCP, xrefs: 000000013FC67791
ACP, xrefs: 000000013FC67781

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC60BFC, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155

Strings

?, xrefs: 000000013FC60D3D

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC673D0, Relevance: 4.7, APIs: 3, Instructions: 165

APIs

Part of subcall function 000000013FC5D828: GetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D832
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D89A
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D8B0

GetLocaleInfoW.KERNEL32 ref: 000000013FC6743D

Part of subcall function 000000013FC69104: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC6912B
Part of subcall function 000000013FC69104: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC691C9

GetLocaleInfoW.KERNEL32 ref: 000000013FC6748F

Part of subcall function 000000013FC67FA8: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC67FD4
Part of subcall function 000000013FC67FA8: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC68085

GetLocaleInfoW.KERNEL32 ref: 000000013FC67554

Part of subcall function 000000013FC67810: GetLocaleInfoW.KERNEL32(?,?,?,000000013FC675D0), ref: 000000013FC67847

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC62DA8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97

APIs

Part of subcall function 000000013FC5B38C: HeapAlloc.KERNEL32(?,?,00000000,000000013FC5D8FC,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B3E1

Part of subcall function 000000013FC62AB4: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC62ADF

Part of subcall function 000000013FC5C298: GetCurrentProcess.KERNEL32(?,?,?,?,000000013FC5C276), ref: 000000013FC5C2C5

FindFirstFileExA.KERNEL32 ref: 000000013FC62F88

Strings

., xrefs: 000000013FC62FEC

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC5BB10, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42

APIs

Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNELBASE(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6B8
Part of subcall function 000000013FC5B61C: GetLastError.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6C6
Part of subcall function 000000013FC5B61C: LoadLibraryExW.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B6D9
Part of subcall function 000000013FC5B61C: FreeLibrary.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B712
Part of subcall function 000000013FC5B61C: GetProcAddress.KERNEL32(?,?,00000004,000000013FC5BADB,?,?,00000000,000000013FC5D91B,?,?,?,000000013FC5C3A1), ref: 000000013FC5B73E

GetLocaleInfoW.KERNEL32(?,?,00000000,000000013FC5A733), ref: 000000013FC5BB87

Strings

GetLocaleInfoEx, xrefs: 000000013FC5BB31, 000000013FC5BB42

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC67614, Relevance: 1.6, APIs: 1, Instructions: 69

APIs

Part of subcall function 000000013FC5D828: GetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D832
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D89A
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D8B0

GetLocaleInfoW.KERNEL32 ref: 000000013FC6767D

Part of subcall function 000000013FC69104: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC6912B
Part of subcall function 000000013FC69104: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC691C9

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Part of subcall function 000000013FC67810: GetLocaleInfoW.KERNEL32(?,?,?,000000013FC675D0), ref: 000000013FC67847

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC67268, Relevance: 1.6, APIs: 1, Instructions: 61

APIs

Part of subcall function 000000013FC5D828: GetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D832
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D89A
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D8B0

EnumSystemLocalesW.KERNEL32(?,?,?,000000013FC67A4B,?,00000000,?,00000000,00000001,00000000,?,000000013FC5A6A5), ref: 000000013FC67306

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC67810, Relevance: 1.6, APIs: 1, Instructions: 50

APIs

Part of subcall function 000000013FC5D828: GetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D832
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D89A
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D8B0

GetLocaleInfoW.KERNEL32(?,?,?,000000013FC675D0), ref: 000000013FC67847

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC67338, Relevance: 1.5, APIs: 1, Instructions: 42

APIs

Part of subcall function 000000013FC5D828: GetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D832
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D89A
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D8B0

EnumSystemLocalesW.KERNEL32(?,?,?,000000013FC67A07,?,00000000,?,00000000,00000001,00000000,?,000000013FC5A6A5), ref: 000000013FC673B8

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC5B584, Relevance: 1.5, APIs: 1, Instructions: 42

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,000000013FC5B989,?,?,?,?,?,?,00000000,000000013FC6683A), ref: 000000013FC5B5D8

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC641FC, Relevance: 1.3, APIs: 1, Instructions: 7

APIs

GetProcessHeap.KERNEL32 ref: 000000013FC64200

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC69F60, Relevance: .0, Instructions: 32

Memory Dump Source

Source File: 00000000.00000002.2183454693.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000002.2183443066.000000013FC40000.00000002.sdmp
Associated: 00000000.00000002.2183469850.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000002.2183481721.000000013FC79000.00000004.sdmp
Associated: 00000000.00000002.2183491818.000000013FC7A000.00000008.sdmp
Associated: 00000000.00000002.2183500702.000000013FC89000.00000004.sdmp
Associated: 00000000.00000002.2183508841.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc40000_g8F53.jbxd

Function 000000013FC5DED8, Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 197

APIs

Part of subcall function 000000013FC68238: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC68256

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5E160

Strings

, xrefs: 000000013FC5E14B
=, xrefs: 000000013FC5E0D2
, xrefs: 000000013FC5E08B
, xrefs: 000000013FC5E0CD
, xrefs: 000000013FC5DF0D
UTF-8, xrefs: 000000013FC5E0E5
ccs, xrefs: 000000013FC5E0AD
a, xrefs: 000000013FC5DF12
, xrefs: 000000013FC5E0DA
UTF-16LEUNICODE, xrefs: 000000013FC5E108
r, xrefs: 000000013FC5DF17
w, xrefs: 000000013FC5DF1C

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC57940, Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 492

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5797B

Part of subcall function 000000013FC54DEC: GetStringTypeW.KERNEL32(?,?,00000000,000000013FC4F0E0,?,?,00000000,000000013FC51E69,?,?,00000000,000000013FC4ED92), ref: 000000013FC54E3D

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC57D4C
_invalid_parameter_noinfo.LIBCMT ref: 000000013FC57FED

Strings

f, xrefs: 000000013FC57A80
-, xrefs: 000000013FC579F5
p, xrefs: 000000013FC57A88
+, xrefs: 000000013FC57A00

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC42130, Relevance: 9.4, APIs: 1, Strings: 5, Instructions: 443

APIs

Sleep.KERNEL32 ref: 000000013FC4297C

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

s`gb, xrefs: 000000013FC42857
ECK[, xrefs: 000000013FC421F9
ro&/, xrefs: 000000013FC4257B
~CE, xrefs: 000000013FC421EF
q{^, xrefs: 000000013FC423A4

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5E53C, Relevance: 9.2, APIs: 6, Instructions: 223

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5E598
WideCharToMultiByte.KERNEL32 ref: 000000013FC5E669
WideCharToMultiByte.KERNEL32 ref: 000000013FC5E6B5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00000000,?,000000013FC5E8D3), ref: 000000013FC5E6DF
WideCharToMultiByte.KERNEL32 ref: 000000013FC5E732
WideCharToMultiByte.KERNEL32 ref: 000000013FC5E80D

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC47898, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29

APIs

GetModuleHandleExW.KERNEL32 ref: 000000013FC478B8
GetProcAddress.KERNEL32 ref: 000000013FC478CE
FreeLibrary.KERNEL32 ref: 000000013FC478F3

Strings

CorExitProcess, xrefs: 000000013FC478C7
mscoree.dll, xrefs: 000000013FC478AF

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC60F44, Relevance: 7.8, APIs: 5, Instructions: 265

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000013FC6101A
MultiByteToWideChar.KERNEL32 ref: 000000013FC6109F
MultiByteToWideChar.KERNEL32 ref: 000000013FC61164
MultiByteToWideChar.KERNEL32 ref: 000000013FC6118B

Part of subcall function 000000013FC5B2CC: HeapAlloc.KERNEL32 ref: 000000013FC5B30A

MultiByteToWideChar.KERNEL32 ref: 000000013FC61249

Part of subcall function 000000013FC5B808: CompareStringW.KERNEL32 ref: 000000013FC5B8D6

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5F5E4, Relevance: 7.6, APIs: 5, Instructions: 142

APIs

GetConsoleCP.KERNEL32 ref: 000000013FC5F641
WideCharToMultiByte.KERNEL32 ref: 000000013FC5F71D
WriteFile.KERNEL32 ref: 000000013FC5F743
WriteFile.KERNEL32 ref: 000000013FC5F782
GetLastError.KERNEL32 ref: 000000013FC5F7BA

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5E210, Relevance: 7.6, APIs: 5, Instructions: 133

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5E261
MultiByteToWideChar.KERNEL32 ref: 000000013FC5E2D8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000013FC5E490), ref: 000000013FC5E2E9
MultiByteToWideChar.KERNEL32 ref: 000000013FC5E346
MultiByteToWideChar.KERNEL32 ref: 000000013FC5E399

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC56050, Relevance: 7.6, APIs: 6, Instructions: 88

APIs

MultiByteToWideChar.KERNEL32 ref: 000000013FC56097
MultiByteToWideChar.KERNEL32 ref: 000000013FC560C9
GetLastError.KERNEL32 ref: 000000013FC560A4

Part of subcall function 000000013FC5B2CC: HeapAlloc.KERNEL32 ref: 000000013FC5B30A

MultiByteToWideChar.KERNEL32 ref: 000000013FC56104
MultiByteToWideChar.KERNEL32 ref: 000000013FC56122

Part of subcall function 000000013FC618EC: MoveFileExW.KERNEL32 ref: 000000013FC618F6
Part of subcall function 000000013FC618EC: GetLastError.KERNEL32(?,?,?,?,000000013FC56137), ref: 000000013FC61900

GetLastError.KERNEL32 ref: 000000013FC5613B

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC602F8, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC60328
MultiByteToWideChar.KERNEL32 ref: 000000013FC6035F
GetLastError.KERNEL32(?,?,?,?,?,000000013FC62406), ref: 000000013FC6036C

Part of subcall function 000000013FC5B2CC: HeapAlloc.KERNEL32 ref: 000000013FC5B30A

MultiByteToWideChar.KERNEL32 ref: 000000013FC603A4
GetLastError.KERNEL32(?,?,?,?,?,000000013FC62406), ref: 000000013FC603AE

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC609AC, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 366

Strings

?, xrefs: 000000013FC60D3D

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC590CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 107

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC590F6
GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000013FC45E16), ref: 000000013FC59117

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

Strings

`.1, xrefs: 000000013FC5911D
C:\g8F53.tmp.exe, xrefs: 000000013FC59105

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5FA10, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100

APIs

WideCharToMultiByte.KERNEL32 ref: 000000013FC5FAF6
WriteFile.KERNEL32 ref: 000000013FC5FB29
GetLastError.KERNEL32 ref: 000000013FC5FB4B

Part of subcall function 000000013FC45AE0: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FC4606A

Strings

U, xrefs: 000000013FC5FAD4

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC54358, Relevance: 6.4, APIs: 4, Instructions: 425

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC54392
_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5448D
_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5461C

Part of subcall function 000000013FC54B80: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC54BAB

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC54791

Part of subcall function 000000013FC5495C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC549D0
Part of subcall function 000000013FC5495C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC54A50
Part of subcall function 000000013FC5495C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC54A89

Part of subcall function 000000013FC54844: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC548BE
Part of subcall function 000000013FC54844: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5491A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC483C0, Relevance: 6.2, APIs: 4, Instructions: 191

APIs

_Wcsftime.LIBCMT ref: 000000013FC48410

Part of subcall function 000000013FC5E51C: _mbstowcs_s_l.LIBCMT ref: 000000013FC5E530

_Wcsftime.LIBCMT ref: 000000013FC48449

Part of subcall function 000000013FC5A964: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5A98F

Part of subcall function 000000013FC5C298: GetCurrentProcess.KERNEL32(?,?,?,?,000000013FC5C276), ref: 000000013FC5C2C5

Part of subcall function 000000013FC5D828: GetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D832
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D89A
Part of subcall function 000000013FC5D828: SetLastError.KERNEL32(?,?,?,000000013FC486B4,?,?,?,000000013FC4ED1D), ref: 000000013FC5D8B0

_wcstombs_s_l.LIBCMT ref: 000000013FC4851E

Part of subcall function 000000013FC5E870: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC5E8FB

Part of subcall function 000000013FC5B2CC: HeapAlloc.KERNEL32 ref: 000000013FC5B30A

_wcstombs_s_l.LIBCMT ref: 000000013FC48570

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

Part of subcall function 000000013FC5B38C: HeapAlloc.KERNEL32(?,?,00000000,000000013FC5D8FC,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B3E1

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5EDE0, Relevance: 6.1, APIs: 4, Instructions: 104

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5EE33
WideCharToMultiByte.KERNEL32 ref: 000000013FC5EF05
GetLastError.KERNEL32 ref: 000000013FC5EF28
_invalid_parameter_noinfo.LIBCMT ref: 000000013FC5EF5A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5C6AC, Relevance: 6.0, APIs: 4, Instructions: 48

APIs

SetFilePointerEx.KERNEL32 ref: 000000013FC5C6DC
GetLastError.KERNEL32 ref: 000000013FC5C6E6
SetFilePointerEx.KERNEL32 ref: 000000013FC5C711
SetFilePointerEx.KERNEL32 ref: 000000013FC5C734

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC466C4, Relevance: 6.0, APIs: 4, Instructions: 39

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000013FC466F0
GetCurrentThreadId.KERNEL32 ref: 000000013FC466FE
GetCurrentProcessId.KERNEL32 ref: 000000013FC4670A
QueryPerformanceCounter.KERNEL32 ref: 000000013FC4671A

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC62B9C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC62BCC

Part of subcall function 000000013FC62AB4: _invalid_parameter_noinfo.LIBCMT ref: 000000013FC62ADF

Part of subcall function 000000013FC5B28C: HeapFree.KERNEL32 ref: 000000013FC5B2A2
Part of subcall function 000000013FC5B28C: GetLastError.KERNEL32(?,?,00000000,000000013FC5D90B,?,?,?,000000013FC5C3A1,?,?,?,?,000000013FC53C2F), ref: 000000013FC5B2B4

Part of subcall function 000000013FC5C298: GetCurrentProcess.KERNEL32(?,?,?,?,000000013FC5C276), ref: 000000013FC5C2C5

Part of subcall function 000000013FC62DA8: FindFirstFileExA.KERNEL32 ref: 000000013FC62F88

Strings

., xrefs: 000000013FC62FEC
*?, xrefs: 000000013FC62BF3

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC47EC8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FC480CE

Strings

JanFebMarAprMayJunJulAugSepOctNovDec, xrefs: 000000013FC47FE5
SunMonTueWedThuFriSat, xrefs: 000000013FC47F9D

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC5D338, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70

APIs

GetStdHandle.KERNEL32 ref: 000000013FC5D3AA
GetFileType.KERNEL32 ref: 000000013FC5D3C0

Strings

@, xrefs: 000000013FC5D3EB

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Function 000000013FC66DA4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50

APIs

Part of subcall function 000000013FC5BB10: GetLocaleInfoW.KERNEL32(?,?,00000000,000000013FC5A733), ref: 000000013FC5BB87

GetACP.KERNEL32(?,?,000000A0,000000013FC67042,?,?,?,00000000,?,000000013FC5A6AC), ref: 000000013FC66E42

Strings

OCP, xrefs: 000000013FC66DD5
ACP, xrefs: 000000013FC66DC5

Memory Dump Source

Source File: 00000000.00000001.1876404701.000000013FC41000.00000020.sdmp, Offset: 000000013FC40000, based on PE: true

Associated: 00000000.00000001.1876396507.000000013FC40000.00000002.sdmp
Associated: 00000000.00000001.1876417269.000000013FC6B000.00000002.sdmp
Associated: 00000000.00000001.1876426795.000000013FC79000.00000008.sdmp
Associated: 00000000.00000001.1876552225.000000013FC8A000.00000004.sdmp
Associated: 00000000.00000001.1876556861.000000013FC8B000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_13fc40000_g8F53.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Spam, unwanted Advertisements and Ransom Demands:

Networking:

Boot Survival:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: g8F53.tmp.exe PID: 2884 Parent PID: 1484

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: g8F53.tmp.exe PID: 2884 Parent PID: 1484

Execution Graph

Graph

Executed Functions

Function 000000013FC42DC0, Relevance: 34.1, APIs: 10, Strings: 9, Instructions: 820

Function 000000013FC42DC0, Relevance: 32.3, APIs: 10, Strings: 8, Instructions: 820

Function 000000013FC44890, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 357

Function 000000013FC5BBA8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23

Function 000000013FC451FD, Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 455

Function 000000013FC6249C, Relevance: 13.8, APIs: 9, Instructions: 272

Function 000000013FC4724C, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 127

Function 000000013FC5CDE4, Relevance: 10.8, APIs: 7, Instructions: 294

Function 000000013FC44E20, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131

Function 000000013FC446A0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51

Function 000000013FC429D0, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 211