Analysis Report

Overview

General Information

Analysis ID:	9281
Start time:	12:01:53
Start date:	06/05/2015
Overall analysis duration:	0h 5m 10s
Report type:	full
Sample file name:	FRUK22.exe
Cookbook file name:	default.jbs
Analysis system description:	W7 Native, up to date 12.12.2013 physical Machine for testing VM-aware malware (Acrobat Reader 11.0.04, Flash 11.9.900.170, Internet Explorer 11, Firefox 26, Java 1.7 Update 45)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
HCA enabled:	true
HCA success:	true, ratio: 100% Number of executed functions: 51 Number of non-executed functions: 103
Cookbook Comments:	Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, igfxsrvc.exe Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	84	0 - 100	Report FP / FN

Signature Overview

DDOS:

Contains functionality to access network services in a loop (often DDOS functionality)

Show sources

Source: C:\Windows\explorer.exe

Code function: 4_2_02D311C5 WSAStartup,GetLastError,WSACreateEvent,shutdown,closesocket,Sleep,WSASocketW,inet_addr,htons,WSAConnect,Sleep,WSAConnect,WSASend,WSAEventSelect,WSAWaitForMultipleEvents,WSAEnumNetworkEvents,WSARecv,WSAGetLastError,GetTickCount,GetTickCount,GetTickCount,shutdown,closesocket,WSACloseEvent,CloseHandle,

4_2_02D311C5

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\FRUK22.exe	Code function: 1_2_00401520 CryptAcquireContextW,CryptCreateHash,VirtualAlloc,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,VirtualFree,CryptDestroyHash,CryptReleaseContext,	1_2_00401520
Source: C:\Windows\explorer.exe	Code function: 4_2_02D39C8C BCryptOpenAlgorithmProvider,BCryptOpenAlgorithmProvider,BCryptOpenAlgorithmProvider,BCryptImportKeyPair,BCryptGetProperty,BCryptGetProperty,BCryptGetProperty,BCryptCreateHash,BCryptHashData,BCryptFinishHash,BCryptVerifySignature,BCryptCloseAlgorithmProvider,BCryptCloseAlgorithmProvider,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptDestroyHash,	4_2_02D39C8C
Source: C:\Windows\explorer.exe	Code function: 4_2_02D39BA0 CryptAcquireContextW,CryptAcquireContextW,GetLastError,GetLastError,CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureW,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	4_2_02D39BA0

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Windows\explorer.exe	Code function: 4_2_02D39C8C BCryptOpenAlgorithmProvider,BCryptOpenAlgorithmProvider,BCryptOpenAlgorithmProvider,BCryptImportKeyPair,BCryptGetProperty,BCryptGetProperty,BCryptGetProperty,BCryptCreateHash,BCryptHashData,BCryptFinishHash,BCryptVerifySignature,BCryptCloseAlgorithmProvider,BCryptCloseAlgorithmProvider,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptDestroyHash,		4_2_02D39C8C
Source: C:\Windows\explorer.exe	Code function: 4_2_02D39BA0 CryptAcquireContextW,CryptAcquireContextW,GetLastError,GetLastError,CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureW,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,		4_2_02D39BA0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\FRUK22.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe	Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Checks if browser processes are running

Show sources

Source: C:\Windows\explorer.exe	Code function: StrStrIW,StrStrIW,StrStrIW,StrStrIW, chrome.exe	4_2_02D3DE9A
Source: C:\Windows\explorer.exe	Code function: StrStrIW,StrStrIW,StrStrIW,StrStrIW, firefox.exe	4_2_02D3DE9A
Source: C:\Windows\explorer.exe	Code function: StrStrIW,StrStrIW,StrStrIW,StrStrIW, iexplore.exe	4_2_02D3DE9A

Networking:

Urls found in memory or binary data

Show sources

Source: explorer.exe	String found in binary or memory: file:///c:/program%20files/common%20files/adobe/arm/1.0/adobearm.exe
Source: explorer.exe	String found in binary or memory: file:///c:/program%20files/common%20files/java/java%20update/jusched.exe
Source: explorer.exe	String found in binary or memory: file:///c:/users/john/appdata/local/microsoft/windows/wer/erc/responsecache/15467.xml
Source: explorer.exe	String found in binary or memory: file:///c:/users/john/appdata/local/microsoft/windows/wer/erc/responsecache/8311.xml
Source: explorer.exe	String found in binary or memory: file:///c:/users/john/appdata/local/microsoft/windows/wer/erc/responsestatecache.xml
Source: explorer.exe	String found in binary or memory: file:///c:/windows/system32/hkcmd.exe
Source: explorer.exe	String found in binary or memory: file:///c:/windows/system32/igfxpers.exe
Source: explorer.exe	String found in binary or memory: file:///c:/windows/system32/igfxtray.exe
Source: explorer.exe	String found in binary or memory: file://c:
Source: explorer.exe	String found in binary or memory: ftp://
Source: WerFault.exe	String found in binary or memory: http://
Source: explorer.exe	String found in binary or memory: http://ftp.us.dell.com/chipset/r188776.exe
Source: explorer.exe	String found in binary or memory: http://ftp.us.dell.com/control%20poi
Source: explorer.exe	String found in binary or memory: http://ftp.us.dell.com/control%20point/dell_controlpoint-security-d_a12_r230283.exe
Source: explorer.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=125824-http://go.microsoft.com/fwlink/?linkid=125723-http://g
Source: explorer.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=3448&clcid=%#04lx
Source: explorer.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=92362.
Source: gNLgAaLjeJfBoaJ.exe, explorer.exe	String found in binary or memory: http://icanhazip.com
Source: explorer.exe	String found in binary or memory: http://java.com
Source: explorer.exe	String found in binary or memory: http://java.com/
Source: explorer.exe	String found in binary or memory: http://java.com/help
Source: explorer.exe	String found in binary or memory: http://ns.adobe.com/tiff/1.0/
Source: explorer.exe	String found in binary or memory: http://ns.adobe.com/xap/1.0/
Source: explorer.exe	String found in binary or memory: http://ns.adobe.com/xap/1.0/rights/
Source: explorer.exe	String found in binary or memory: http://purl.org/dc/elements/1.1/
Source: WerFault.exe	String found in binary or memory: http://schemas.microsoft.com/smi/2005/windowssettings
Source: explorer.exe	String found in binary or memory: http://schemas.microsoft.com/win/2004/08/events/event
Source: explorer.exe	String found in binary or memory: http://www.%s.com
Source: explorer.exe	String found in binary or memory: http://www.adobe.com
Source: explorer.exe	String found in binary or memory: http://www.adobe.com/go/getflashplayer/
Source: explorer.exe	String found in binary or memory: http://www.adobe.com/products/acrobat/readstep.html
Source: explorer.exe	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe	String found in binary or memory: http://www.avira.com/free-av
Source: explorer.exe	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe	String found in binary or memory: http://www.w3.org/1999/02/22-rdf-syntax-ns#
Source: WerFault.exe	String found in binary or memory: https://
Source: explorer.exe	String found in binary or memory: https://l
Source: explorer.exe	String found in binary or memory: https://wer.microsoft.com/responses/template_1690_9.xslt
Source: explorer.exe	String found in binary or memory: https://wer.microsoft.com/responses/template_4065_9.xslt

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\explorer.exe

Code function: 4_2_02D3A8B0 select,WSAGetLastError,recvfrom,

4_2_02D3A8B0

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: google.com

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.0.30:44719 -> 193.28.184.4:3478
Source: global traffic	TCP traffic: 192.168.0.30:44719 -> 27.111.14.93:3478

Uses STUN server to do NAT traversial

Show sources

Source: unknown

DNS query: name: stun.ipshka.com

Uses the I2P (Invisible Internet Project) to hide its network activities

Show sources

Source: gNLgAaLjeJfBoaJ.exe	String found in binary or memory: I2P_EVENT
Source: gNLgAaLjeJfBoaJ.exe	String found in binary or memory: I2P_NODESTAT
Source: explorer.exe	String found in binary or memory: I2P_EVENT
Source: explorer.exe	String found in binary or memory: I2P_NODESTAT

Boot Survival:

Contains functionality to start windows services

Show sources

Source: C:\FRUK22.exe

Code function: 1_2_00403850 EntryPoint,GetModuleHandleA,GetProcAddress,WriteConsoleW,lstrcpy,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00403850

Creates an autostart registry key

Show sources

Source: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run GoogleUpdate
Source: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run GoogleUpdate

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Windows\explorer.exe	Code function: 4_2_02D3A7D2 htons,socket,bind,WSAGetLastError,closesocket,WSASetLastError,		4_2_02D3A7D2
Source: C:\Windows\explorer.exe	Code function: 4_2_02D3ABB6 WSASocketW,htons,bind,closesocket,		4_2_02D3ABB6

Contains strings which may be related to BOT commands

Show sources

Source: gNLgAaLjeJfBoaJ.exe	String found in binary or memory: cannot get config
Source: explorer.exe	String found in binary or memory: ==Users==
Source: explorer.exe	String found in binary or memory: ==General==
Source: explorer.exe	String found in binary or memory: ==Programs==
Source: explorer.exe	String found in binary or memory: cannot get config
Source: explorer.exe	String found in binary or memory: ==Services==
Source: explorer.exe	String found in binary or memory: ==Users==
Source: explorer.exe	String found in binary or memory: ==Programs==
Source: explorer.exe	String found in binary or memory: ==General==

Contains VNC / remote desktop functionality (version string found)

Show sources

Source: gNLgAaLjeJfBoaJ.exe	String found in binary or memory: vnc32
Source: explorer.exe	String found in binary or memory: vnc32

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)

Show sources

Source: explorer.exe	Binary or memory string: Win_7_SP1
Source: explorer.exe	Binary or memory string: Win_8
Source: explorer.exe	Binary or memory string: Win_Server_2003
Source: explorer.exe	Binary or memory string: Win_Vista_SP2
Source: explorer.exe	Binary or memory string: Win_8.1
Source: explorer.exe	Binary or memory string: Win_Vista_SP1
Source: explorer.exe	Binary or memory string: Win_Vista
Source: explorer.exe	Binary or memory string: Win_XP
Source: explorer.exe	Binary or memory string: Win_7

Data Obfuscation:

Binary may include packed or encrypted code

Show sources

Source: initial sample

Static PE information: section name: AUTO entropy: 6.82719373769

Contains functionality to dynamically determine API calls

Show sources

Source: C:\FRUK22.exe

Code function: 1_1_00446A90 LoadLibraryA,GetProcAddress,

1_1_00446A90

Entry point lies outside standard sections

Show sources

Source: initial sample

Static PE information: section where entry point is pointing to: AUTO

Generates new code (likely due to unpacking of malware or shellcode)

Show sources

Source: C:\FRUK22.exe	Code execution: Found new code
Source: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe	Code execution: Found new code

PE file contains an invalid checksum

Show sources

Source: initial sample

Static PE information: real checksum: 0x8ed9c should be: 0x8e291

PE file contains sections with non-standard names

Show sources

Source: initial sample	Static PE information: section name: AUTO
Source: initial sample	Static PE information: section name: DGROUP

System Summary:

Executable creates window controls seldom found in malware

Show sources

Source: C:\FRUK22.exe

Window found: window name: richedit

Uses Rich Edit Controls

Show sources

Source: C:\FRUK22.exe

File opened: C:\Windows\system32\riched32.dll

Binary contains paths to debug symbols

Show sources

Source:

Binary string: explorer.pdb source: WerFault.exe

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\FRUK22.exe	Code function: 1_2_004014B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,	1_2_004014B0
Source: C:\Windows\explorer.exe	Code function: 4_2_02D3529F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,	4_2_02D3529F
Source: C:\Windows\explorer.exe	Code function: 4_2_02D35303 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,	4_2_02D35303

Contains functionality to create services

Show sources

Source: C:\FRUK22.exe

Code function: OpenSCManagerW,WriteConsoleW,DeleteFileW,CreateServiceW,GetLastError,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00402900

Contains functionality to enum processes or threads

Show sources

Source: C:\FRUK22.exe

Code function: 1_2_00402B10 CreateToolhelp32Snapshot,Process32FirstW,CreateFileW,Process32NextW,StrStrIW,lstrcmpiW,lstrcmpiW,Process32NextW,CloseHandle,GetLastError,

1_2_00402B10

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\FRUK22.exe

Code function: 1_2_00402AA0 StrStrIW,GetModuleHandleW,FindResourceW,CreateFileW,LoadResource,SizeofResource,LockResource,

1_2_00402AA0

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\FRUK22.exe

Code function: 1_2_00403850 EntryPoint,GetModuleHandleA,GetProcAddress,WriteConsoleW,lstrcpy,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00403850

Creates files inside the user directory

Show sources

Source: C:\FRUK22.exe

File created: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe

Reads ini files

Show sources

Source: C:\FRUK22.exe

File read: C:\Windows\win.ini

Spawns processes

Show sources

Source: unknown	Process created: C:\FRUK22.exe
Source: unknown	Process created: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe
Source: unknown	Process created: C:\Windows\System32\WerFault.exe
Source: C:\FRUK22.exe	Process created: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe C:\FRUK22.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe werfault.exe /h /shared Global\1228dbc095bd4e0baaa8c8bc9211d447

PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)

Show sources

Source: initial sample

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 0.573529411765 > 0.5 instr diversity: 0.455882352941

Contains functionality to call native functions

Show sources

Source: C:\FRUK22.exe	Code function: 1_2_00402C20 lstrcatW,StrStrIW,GetLastError,GetProcessId,VirtualAlloc,NtQuerySystemInformation,OpenThread,CloseHandle,CloseHandle,Sleep,OpenMutexW,CloseHandle,VirtualFree,	1_2_00402C20
Source: C:\FRUK22.exe	Code function: 1_2_00402DE0 lstrcatW,StrStrIW,NtMapViewOfSection,GetModuleHandleW,GetProcAddress,GetProcessId,NtQuerySystemInformation,GetLastError,SetLastError,OpenThread,SetLastError,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,CloseHandle,CloseHandle,Sleep,OpenMutexW,CloseHandle,GetLastError,VirtualFree,	1_2_00402DE0
Source: C:\Windows\explorer.exe	Code function: 4_2_02D3D97E UnmapViewOfFile,NtUnmapViewOfSection,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	4_2_02D3D97E
Source: C:\Windows\explorer.exe	Code function: 4_2_02D3DAA9 NtMapViewOfSection,	4_2_02D3DAA9

Contains functionality to delete services

Show sources

Source: C:\FRUK22.exe

Code function: 1_2_00402900 OpenSCManagerW,WriteConsoleW,DeleteFileW,CreateServiceW,GetLastError,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00402900

Contains functionality to launch a process as a different user

Show sources

Source: C:\Windows\explorer.exe

Code function: 4_2_02D35770 lstrlenW,CreateEnvironmentBlock,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock,

4_2_02D35770

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\Windows\explorer.exe

Code function: ShellExecuteW, C:\windows\system32\shutdown.exe

4_2_02D35A57

Creates mutexes

Show sources

Source: C:\Windows\explorer.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pen3j3832h

One or more processes crash

Show sources

Source: unknown

Process created: C:\Windows\System32\WerFault.exe

PE file contains strange resources

Show sources

Source: initial sample

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\explorer.exe

File read: C:\Windows\System32\drivers\etc\hosts

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: explorer.exe	Binary or memory string: Progman(0X0002004A)
Source: explorer.exe, WerFault.exe	Binary or memory string: Progman
Source: explorer.exe	Binary or memory string: Program Manager
Source: explorer.exe, WerFault.exe	Binary or memory string: Shell_TrayWnd

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Show sources

Source: C:\FRUK22.exe	Code function: SetLastError,GetLastError,OpenProcess,CloseHandle,GetModuleHandleW, svchost.exe		1_2_00403150
Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,Process32NextW,CloseHandle,CloseHandle, explorer.exe		4_2_02D35649

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe

Section loaded: unknown target pid: 1972 protection: execute and read and write

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe

Thread APC queued: target process: 1972

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\FRUK22.exe	Code function: 1_1_00446F90 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,		1_1_00446F90
Source: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe	Code function: 3_1_00446F90 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,		3_1_00446F90

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\FRUK22.exe

System information queried: KernelDebuggerInformation

Checks if the current process is being debugged

Show sources

Source: C:\Windows\System32\WerFault.exe

Process queried: DebugPort

Contains functionality to dynamically determine API calls

Show sources

Source: C:\FRUK22.exe

Code function: 1_1_00446A90 LoadLibraryA,GetProcAddress,

1_1_00446A90

Contains functionality to read the PEB

Show sources

Source: C:\FRUK22.exe	Code function: 1_2_00403850 mov eax, dword ptr fs:[00000030h]	1_2_00403850
Source: C:\FRUK22.exe	Code function: 1_2_00390117 mov eax, dword ptr fs:[00000030h]	1_2_00390117
Source: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe	Code function: 3_2_00230117 mov eax, dword ptr fs:[00000030h]	3_2_00230117

Found API chain indicative of debugger detection

Show sources

Source: C:\FRUK22.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

Malware Analysis System Evasion:

Queries a list of all running processes

Show sources

Source: C:\FRUK22.exe

Process information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\FRUK22.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\FRUK22.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\FRUK22.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Deletes itself after installation

Show sources

Source: C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe

File deleted: c:\fruk22.exe

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC

Show sources

Source: C:\Windows\explorer.exe

Code function: 4_2_02D36C58 CreateNamedPipeW,ConnectNamedPipe,GetLastError,CreateThread,SetThreadPriority,CloseHandle,

4_2_02D36C58

Contains functionality to query local / system time

Show sources

Source: C:\Windows\explorer.exe

Code function: 4_2_02D354CF GetLocalTime,

4_2_02D354CF

Contains functionality to query windows version

Show sources

Source: C:\FRUK22.exe

Code function: 1_1_00445930 GetEnvironmentStringsA,GetVersion,GetModuleFileNameA,GetCommandLineA,GetCommandLineW,GetModuleFileNameA,

1_1_00445930

Queries the cryptographic machine GUID

Show sources

Source: C:\FRUK22.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara Overview

No Yara matches

Screenshot

Startup

system is w7native

FRUK22.exe (PID: 2004 MD5: CBDDA646A20D95F078393506ECDC0796)

gNLgAaLjeJfBoaJ.exe (PID: 3164 MD5: CBDDA646A20D95F078393506ECDC0796)

explorer.exe (PID: 1972 MD5: 8B88EBBB05A0E56B7DCC708498C02B3E)

svchost.exe (PID: 1104 MD5: 54A47F6B5E09A77E61649109C6A08866)

WerFault.exe (PID: 3524 MD5: 5FEAB868CAEDBBD1B7A145CA8261E4AA)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe	Type: data MD5: A79B28AB81ECC70D666EEC16D1939813 SHA: 0DD3ECBCCECD25260625002575AF00B61F1DB2D6 SHA-256: F6F289FB908AA6C7EA6D11E9555415517D8EECC0B50BD8FA4D6BE72FBCB86296 SHA-512: 58B514E2F7201B5AD966317FBD380025D81834644EF5A15A8A94F9B46CDFB8ECB60A8A233073D8E94824573F853EC00D5209FD7CF178ACF940F8956C48122C13
C:\Users\john\AppData\Local\ne9bzef6m8.dll	Type: data MD5: BF5B7892C37BC682DD82C68B2BC630D3 SHA: 61EC74B58577B8BC6646F13662A1B724C49F8763 SHA-256: EEADBA186FB223C2128BB9F5A82E89BA1FF79F665EB958F94D2D3540A40C14FF SHA-512: 0269D5C691E82CCAE5155E392AB9B77C04D8C388514E3D30FB76511B08D341C88DE0AF0108F82DFCBA335939F67DF533A2044CC5F87CE21E8D498E74A2921C7B

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Name Server	Active	Registrar	e-Mail
google.com	216.58.209.110	unknown	true	unknown	unknown
stun.ipshka.com	193.28.184.4	unknown	true	unknown	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Pingable	Open Ports
216.58.209.110	United States	unknown	unknown
193.28.184.4	Ukraine	unknown	unknown
8.8.8.8	United States	unknown	unknown
27.111.14.93	New Zealand	unknown	unknown

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
TrID:	Win32 Executable (generic) (4510/7) 42.44% Win16/32 Executable Delphi generic (2074/23) 19.51% Generic Win/DOS Executable (2004/3) 18.86% DOS Executable Generic (2002/1) 18.84% VXD Driver (31/22) 0.29%
File name:	FRUK22.exe
File size:	574464
MD5:	cbdda646a20d95f078393506ecdc0796
SHA1:	daa9a55fd946361f216248b563d01c5e16d44644
SHA256:	10b5975b40f45ba153d91be5a2d6b1ad5c5a359ad5c385c426e39460a9c60c4b
SHA512:	e2b5cf5a7f648df83b704885c9782806589a4d4aca2e95c588d144a0181da895bb0cc74016a176f404769d96a91793b8880b74ae9b80732dfb8f41e9fd06510b

File Icon

Static PE Info

General
Entrypoint:	0x4456d4
Entrypoint Section:	AUTO
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui 111
Image File Characteristics:	32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE
DLL Characteristics:
Time Stamp:	0x55309EA0 [Fri Apr 17 05:48:16 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	11
File Version Major:	1
File Version Minor:	11
Subsystem Version Major:	1
Subsystem Version Minor:	11

Entrypoint Preview

Instruction
jmp 00007F2F44A9FFCCh
add edx, dword ptr [eax]
inc eax
add byte ptr [edi+70h], cl
outsb
and byte ptr [edi+61h], dl
je 00007F2F44A9FFD5h
outsd
insd
and byte ptr [ebx+2Fh], al
inc ebx
and byte ptr [eax], ah
xor esi, dword ptr [edx]
and byte ptr [edx+75h], dl
outsb
sub eax, 656D6954h
and byte ptr [ebx+79h], dh
jnc 00007F2F44A9FFE6h
insd
and byte ptr [eax+6Fh], dl
jc 00007F2F44A9FFE6h
imul ebp, dword ptr [edi+6Eh], 6F432073h
jo 00007F2F44A9FFEBh
jc 00007F2F44A9FFDBh
push 43282074h
sub dword ptr [eax], esp
push ebx
jns 00007F2F44A9FFD4h
popad
jnc 00007F2F44A9FFD7h
sub al, 20h
dec ecx
outsb
arpl word ptr [esi], bp
and byte ptr [ecx], dh
cmp dword ptr [eax], edi
cmp byte ptr [32303032h], ch
push ebx
push ecx
push edx
push ebp
mov ebp, esp
sub esp, 08h
mov eax, 00000001h
call 00007F2F44AA0022h
mov eax, dword ptr [004561E0h]
add eax, 03h
and al, FCh
xor edx, edx
sub esp, eax
mov ecx, esp
mov ebx, dword ptr [004561E0h]
mov eax, ecx
call 00007F2F44AA00E5h
mov eax, dword ptr [004561E0h]
mov dword ptr [ecx+00000104h], eax
mov eax, ecx
mov edx, ecx
call 00007F2F44AA00A1h
lea eax, dword ptr [ebp-08h]
call 00007F2F44AA0369h
mov ecx, dword ptr [00456258h]
add ecx, 03h
and cl, FFFFFFFCh
call 00007F2F44AA0418h
cmp ecx, eax
jc 00007F2F44A9FFAAh
xor eax, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4a000	0x6ba	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x59000	0x37200
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0x594
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Xored PE	ZLIB Complexity	File Type	Characteristics
AUTO	0x1000	0x48900	0x48a00	6.82719373769	False	0.632876371558	data	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.idata	0x4a000	0x6ba	0x800	4.69143665948	False	0.39306640625	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
DGROUP	0x4b000	0xcf70	0xb600	6.1835981847	False	0.574605082418	Targa image data - Map	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x58000	0x0	0x600	6.44460562783	False	0.83984375	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x59000	0x0	0x37200	6.45978587849	False	0.666706526361	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Xored PE
RT_BITMAP	0x59280	0xae	data	False
RT_BITMAP	0x59330	0xaa	data	False
RT_BITMAP	0x593dc	0xb6	data	False
RT_BITMAP	0x59494	0xa6	data	False
RT_BITMAP	0x5953c	0x1b0b0	data	False
RT_BITMAP	0x745ec	0x19d18	data	False
RT_ICON	0x8e304	0xea8	data	False
RT_ICON	0x8f1ac	0x8a8	data	False
RT_ICON	0x8fa54	0x568	GLS_BINARY_LSB_FIRST	False
RT_GROUP_ICON	0x8ffbc	0x30	MS Windows icon resource - 3 icons, 48x48, 256-colors	False
RT_MANIFEST	0x8ffec	0x18c	ASCII text, with CRLF line terminators	False

Imports

DLL

Import

KERNEL32.DLL

CloseHandle, CreateEventA, CreateFileA, ExitProcess, FreeEnvironmentStringsA, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetCurrentThreadId, GetEnvironmentStringsA, GetFileType, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetOEMCP, GetProcAddress, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetVersion, LoadLibraryA, MultiByteToWideChar, SetConsoleCtrlHandler, SetEnvironmentVariableA, SetEnvironmentVariableW, SetStdHandle, SetUnhandledExceptionFilter, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, WideCharToMultiByte, WriteFile

USER32.DLL

BeginPaint, CharUpperA, CreateWindowExA, DefWindowProcA, DestroyWindow, DispatchMessageA, EndDialog, EndPaint, GetKeyboardState, GetMenu, GetMenuItemID, GetMessageA, GetParent, GetPropA, LoadAcceleratorsA, LoadIconA, LoadStringA, PostQuitMessage, RegisterClassExA, SendMessageA, SetParent, SetPropW, SetScrollInfo, SetScrollPos, SetScrollRange, ShowWindow, TranslateAcceleratorA, TranslateMessage, UpdateWindow, WindowFromPoint

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2015 12:04:47.321763039 CEST	56689	53	192.168.0.30	8.8.8.8
May 6, 2015 12:04:47.458939075 CEST	53	56689	8.8.8.8	192.168.0.30
May 6, 2015 12:04:47.469017029 CEST	49174	80	192.168.0.30	216.58.209.110
May 6, 2015 12:04:47.469038010 CEST	80	49174	216.58.209.110	192.168.0.30
May 6, 2015 12:04:47.469434977 CEST	49174	80	192.168.0.30	216.58.209.110
May 6, 2015 12:04:47.469624996 CEST	49174	80	192.168.0.30	216.58.209.110
May 6, 2015 12:04:47.469650030 CEST	80	49174	216.58.209.110	192.168.0.30
May 6, 2015 12:04:47.469760895 CEST	80	49174	216.58.209.110	192.168.0.30
May 6, 2015 12:04:47.470124006 CEST	49174	80	192.168.0.30	216.58.209.110
May 6, 2015 12:04:47.475708008 CEST	64916	53	192.168.0.30	8.8.8.8
May 6, 2015 12:04:47.666583061 CEST	53	64916	8.8.8.8	192.168.0.30
May 6, 2015 12:04:47.667903900 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:47.966063023 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:48.667948008 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:50.181401968 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:53.323299885 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:58.008397102 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:05:05.220022917 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:05.528678894 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:06.268353939 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:07.757616997 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:10.836292982 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:15.547976971 CEST	44719	3478	192.168.0.30	27.111.14.93

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2015 12:04:47.321763039 CEST	56689	53	192.168.0.30	8.8.8.8
May 6, 2015 12:04:47.458939075 CEST	53	56689	8.8.8.8	192.168.0.30
May 6, 2015 12:04:47.475708008 CEST	64916	53	192.168.0.30	8.8.8.8
May 6, 2015 12:04:47.666583061 CEST	53	64916	8.8.8.8	192.168.0.30
May 6, 2015 12:04:47.667903900 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:47.966063023 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:48.667948008 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:50.181401968 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:53.323299885 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:04:58.008397102 CEST	44719	3478	192.168.0.30	193.28.184.4
May 6, 2015 12:05:05.220022917 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:05.528678894 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:06.268353939 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:07.757616997 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:10.836292982 CEST	44719	3478	192.168.0.30	27.111.14.93
May 6, 2015 12:05:15.547976971 CEST	44719	3478	192.168.0.30	27.111.14.93

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 6, 2015 12:04:47.321763039 CEST	192.168.0.30	8.8.8.8	0xc9d5	Standard query (0)	google.com	A (IP address)	IN (0x0001)
May 6, 2015 12:04:47.475708008 CEST	192.168.0.30	8.8.8.8	0xce24	Standard query (0)	stun.ipshka.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
May 6, 2015 12:04:47.458939075 CEST	8.8.8.8	192.168.0.30	0xc9d5	No error (0)	google.com		216.58.209.110	A (IP address)	IN (0x0001)
May 6, 2015 12:04:47.666583061 CEST	8.8.8.8	192.168.0.30	0xce24	No error (0)	stun.ipshka.com		193.28.184.4	A (IP address)	IN (0x0001)

Hooks - Code Manipulation Behavior

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: FRUK22.exe PID: 2004 Parent PID: 3980

General

Start time:	09:09:10
Start date:	03/04/2015
Path:	C:\FRUK22.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	574464 bytes
MD5 hash:	CBDDA646A20D95F078393506ECDC0796

Chronological Activities

Analysis Process: gNLgAaLjeJfBoaJ.exe PID: 3164 Parent PID: 2004

General

Start time:	09:09:20
Start date:	03/04/2015
Path:	C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe
Wow64 process (32bit):	false
Commandline:	C:\FRUK22.exe
Imagebase:	0x400000
File size:	574464 bytes
MD5 hash:	CBDDA646A20D95F078393506ECDC0796

Chronological Activities

Analysis Process: explorer.exe PID: 1972 Parent PID: 3164

General

Start time:	09:09:37
Start date:	03/04/2015
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xa10000
File size:	2616320 bytes
MD5 hash:	8B88EBBB05A0E56B7DCC708498C02B3E

Chronological Activities

Analysis Process: svchost.exe PID: 1104 Parent PID: 508

General

Start time:	09:10:48
Start date:	03/04/2015
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0xb00000
File size:	20992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866

Chronological Activities

Analysis Process: WerFault.exe PID: 3524 Parent PID: 1104

General

Start time:	09:10:49
Start date:	03/04/2015
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	werfault.exe /h /shared Global\1228dbc095bd4e0baaa8c8bc9211d447
Imagebase:	0x756e0000
File size:	360448 bytes
MD5 hash:	5FEAB868CAEDBBD1B7A145CA8261E4AA

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: FRUK22.exe PID: 2004 Parent PID: 3980

Execution Graph

Execution Coverage:	26.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.4%
Total number of Nodes:	452
Total number of Limit Nodes:	28

Executed Functions

Function 00403850, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000), ref: 00403881
GetProcAddress.KERNEL32(00000000), ref: 00403888
WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040389A

Part of subcall function 00401B60: GetModuleHandleW.KERNEL32(kernel32.dll,HeapCreate,?,?,?,004038B4), ref: 00401B78
Part of subcall function 00401B60: GetProcAddress.KERNEL32(00000000,?,?,?,004038B4), ref: 00401B7F
Part of subcall function 00401B60: HeapCreate.KERNELBASE ref: 00401BA4

lstrcpy.KERNEL32(?,qwererthwebfsdvjaf+), ref: 004038BE

Part of subcall function 00401520: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000008), ref: 00401540
Part of subcall function 00401520: CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,?), ref: 00401560
Part of subcall function 00401520: VirtualAlloc.KERNELBASE(00000000,00000015,00003000,00000004,00000000), ref: 00401579
Part of subcall function 00401520: CryptHashData.ADVAPI32(?,00000000,00000014,00000013), ref: 004015B2
Part of subcall function 00401520: CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000013), ref: 004015D8
Part of subcall function 00401520: CryptGetHashParam.ADVAPI32(?,00000002,00000014,00000014,00000000), ref: 00401604
Part of subcall function 00401520: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00401619
Part of subcall function 00401520: CryptDestroyHash.ADVAPI32(?), ref: 00401626
Part of subcall function 00401520: CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00401633

Part of subcall function 004014B0: GetCurrentProcess.KERNEL32(00000020,?,00000000), ref: 004014BF
Part of subcall function 004014B0: OpenProcessToken.ADVAPI32(00000000), ref: 004014C6
Part of subcall function 004014B0: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 004014E1
Part of subcall function 004014B0: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 004014FF
Part of subcall function 004014B0: CloseHandle.KERNEL32(?), ref: 0040150B

StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 0040394D

Part of subcall function 004031D0: GetCommandLineW.KERNEL32(?,00000000), ref: 004031DC
Part of subcall function 004031D0: GetModuleFileNameW.KERNEL32(00000000,?,00000168,?,00000000), ref: 004031F2
Part of subcall function 004031D0: GetWindowsDirectoryW.KERNEL32(?,00000168,?,00000000), ref: 00403204
Part of subcall function 004031D0: lstrcatW.KERNEL32(?,00401288), ref: 0040321C
Part of subcall function 004031D0: GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000), ref: 00403222
Part of subcall function 004031D0: StrStrIW.SHLWAPI(?,?), ref: 0040323C
Part of subcall function 004031D0: lstrcatW.KERNEL32(?,?), ref: 0040325A
Part of subcall function 004031D0: lstrcatW.KERNEL32(?,.exe), ref: 00403268
Part of subcall function 004031D0: ExitProcess.KERNEL32 ref: 0040329B
Part of subcall function 004031D0: StrStrIW.SHLWAPI(00000000,?), ref: 004032A9
Part of subcall function 004031D0: DeleteFileW.KERNEL32(00000000,?,00000000), ref: 004032B8
Part of subcall function 004031D0: Sleep.KERNEL32(00000064,?,00000000), ref: 004032CA
Part of subcall function 004031D0: DeleteFileW.KERNEL32(00000000,?,00000000), ref: 004032D2
Part of subcall function 004031D0: OpenMutexW.KERNEL32(00100000,00000000,Global\pen3j3832h,?,00000000), ref: 004032F3
Part of subcall function 004031D0: CloseHandle.KERNEL32(00000000), ref: 004032FE
Part of subcall function 004031D0: ExitProcess.KERNEL32 ref: 00403306

Part of subcall function 004033F0: GetModuleFileNameW.KERNEL32(00000000,?,00000168,?,00000000), ref: 0040340A
Part of subcall function 004033F0: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040341F
Part of subcall function 004033F0: GetLastError.KERNEL32(?,00000000), ref: 00403425
Part of subcall function 004033F0: StrStrIW.SHLWAPI(?,Roaming), ref: 0040343D
Part of subcall function 004033F0: lstrcpyW.KERNEL32(00000000,Local), ref: 00403449
Part of subcall function 004033F0: lstrcatW.KERNEL32(?,00401288), ref: 00403461
Part of subcall function 004033F0: lstrlenW.KERNEL32(?,?,00000000), ref: 0040346A
Part of subcall function 004033F0: StrStrIW.SHLWAPI(?,?), ref: 00403488
Part of subcall function 004033F0: StrStrIW.SHLWAPI(?,temp), ref: 0040349E
Part of subcall function 004033F0: CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004034B5
Part of subcall function 004033F0: GetCommandLineW.KERNEL32(?,00000000), ref: 004034B7
Part of subcall function 004033F0: StrStrIW.SHLWAPI(00000000,?), ref: 004034C7
Part of subcall function 004033F0: CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004034D4
Part of subcall function 004033F0: DeleteFileW.KERNEL32(00000000,?,00000000), ref: 004034DF
Part of subcall function 004033F0: Sleep.KERNEL32(00000064,?,00000000), ref: 004034EF
Part of subcall function 004033F0: DeleteFileW.KERNEL32(00000000,?,00000000), ref: 004034F7
Part of subcall function 004033F0: OpenMutexW.KERNEL32(00100000,00000000,Global\pen3j3832h,?,00000000), ref: 00403514
Part of subcall function 004033F0: CloseHandle.KERNEL32(00000000), ref: 0040351F
Part of subcall function 004033F0: ExitProcess.KERNEL32 ref: 00403527
Part of subcall function 004033F0: lstrcatW.KERNEL32(?,?), ref: 0040358F
Part of subcall function 004033F0: lstrcatW.KERNEL32(?,.exe), ref: 0040359D
Part of subcall function 004033F0: ExitProcess.KERNEL32 ref: 004035D0

ExitProcess.KERNEL32 ref: 00403965

Strings

kernel32.dll, xrefs: 0040387C
Google Update Service, xrefs: 0040392D
qwererthwebfsdvjaf+, xrefs: 004038B4

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00401520, Relevance: 13.6, APIs: 9, Instructions: 109

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000008), ref: 00401540
CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,?), ref: 00401560
VirtualAlloc.KERNELBASE(00000000,00000015,00003000,00000004,00000000), ref: 00401579
CryptHashData.ADVAPI32(?,00000000,00000014,00000013), ref: 004015B2
CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000013), ref: 004015D8
CryptGetHashParam.ADVAPI32(?,00000002,00000014,00000014,00000000), ref: 00401604
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00401619
CryptDestroyHash.ADVAPI32(?), ref: 00401626
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00401633

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00390117, Relevance: 11.1, APIs: 7, Instructions: 620

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0039014E
VirtualAlloc.KERNELBASE(?,?,00002000,00000001), ref: 00390275
VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004), ref: 0039029A
VirtualAlloc.KERNELBASE(?,?,00001000,00000004,?,?,?), ref: 003902EE
LoadLibraryA.KERNEL32(?), ref: 00390339
VirtualProtect.KERNELBASE(?,00001000,00000002,?), ref: 0039043E
VirtualProtect.KERNELBASE(?,?,00000001,?,?), ref: 0039048D

Memory Dump Source

Source File: 00000001.00000002.4556403585.00390000.00000040.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_390000_FRUK22.jbxd

Function 004014B0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000000), ref: 004014BF
OpenProcessToken.ADVAPI32(00000000), ref: 004014C6
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 004014E1
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 004014FF
CloseHandle.KERNEL32(?), ref: 0040150B

Strings

SeDebugPrivilege, xrefs: 004014D4

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00402B10, Relevance: 9.0, APIs: 6, Instructions: 49

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00402B28
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00402B38
lstrcmpiW.KERNEL32(?,00000000,76DC46E9,757DE955), ref: 00402B5B
Process32NextW.KERNEL32(00000000,0000022C), ref: 00402B7A
CloseHandle.KERNEL32(00000000), ref: 00402B88
GetLastError.KERNEL32 ref: 00402B8E

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00446F90, Relevance: 3.0, APIs: 2, Instructions: 14

APIs

SetUnhandledExceptionFilter.KERNEL32(00446B40), ref: 00446F97
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00446FA5

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 004033F0, Relevance: 49.2, APIs: 22, Strings: 6, Instructions: 160

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000168,?,00000000), ref: 0040340A
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040341F
GetLastError.KERNEL32(?,00000000), ref: 00403425
StrStrIW.SHLWAPI(?,Roaming), ref: 0040343D
lstrcpyW.KERNEL32(00000000,Local), ref: 00403449
lstrcatW.KERNEL32(?,00401288), ref: 00403461
lstrlenW.KERNEL32(?,?,00000000), ref: 0040346A
StrStrIW.SHLWAPI(?,?), ref: 00403488
StrStrIW.SHLWAPI(?,temp), ref: 0040349E
CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004034B5
GetCommandLineW.KERNEL32(?,00000000), ref: 004034B7
StrStrIW.SHLWAPI(00000000,?), ref: 004034C7
CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004034D4
DeleteFileW.KERNEL32(00000000,?,00000000), ref: 004034DF
Sleep.KERNEL32(00000064,?,00000000), ref: 004034EF
DeleteFileW.KERNEL32(00000000,?,00000000), ref: 004034F7

Part of subcall function 00403320: lstrlenW.KERNEL32(?,00000000), ref: 0040332B
Part of subcall function 00403320: lstrcpyW.KERNEL32(?,00401380), ref: 00403348
Part of subcall function 00403320: lstrcatW.KERNEL32(?,ftware\Mi), ref: 00403360
Part of subcall function 00403320: lstrcatW.KERNEL32(?,crosoft\Wi), ref: 0040336E
Part of subcall function 00403320: lstrcatW.KERNEL32(?,ndows\CurrentVers), ref: 0040337C
Part of subcall function 00403320: lstrcatW.KERNEL32(?,ion\Run), ref: 0040338A
Part of subcall function 00403320: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,0040128C,00000000,00000002,00000000,?,00000000), ref: 004033AB
Part of subcall function 00403320: RegSetValueExW.ADVAPI32(?,GoogleUpdate,00000000,00000001,?,00000002), ref: 004033C8
Part of subcall function 00403320: RegCloseKey.ADVAPI32(?), ref: 004033D2

OpenMutexW.KERNEL32(00100000,00000000,Global\pen3j3832h,?,00000000), ref: 00403514
CloseHandle.KERNEL32(00000000), ref: 0040351F
ExitProcess.KERNEL32 ref: 00403527

Part of subcall function 004030A0: GetCurrentProcess.KERNEL32(0040503C,00000000,00403532,?,00000000), ref: 004030B5
Part of subcall function 004030A0: IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004030BC
Part of subcall function 004030A0: CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000,?,00000000), ref: 004030EE
Part of subcall function 004030A0: MapViewOfFile.KERNEL32(00000000,0000000E,00000000,00000000,00000000,?,00000000), ref: 00403106

Part of subcall function 00402B10: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00402B28
Part of subcall function 00402B10: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00402B38
Part of subcall function 00402B10: lstrcmpiW.KERNEL32(?,00000000,76DC46E9,757DE955), ref: 00402B5B
Part of subcall function 00402B10: Process32NextW.KERNEL32(00000000,0000022C), ref: 00402B7A
Part of subcall function 00402B10: CloseHandle.KERNEL32(00000000), ref: 00402B88
Part of subcall function 00402B10: GetLastError.KERNEL32 ref: 00402B8E

Part of subcall function 00401640: QueryPerformanceCounter.KERNEL32(00000000,757F6774,?,?,?,0040357F,?,00000000), ref: 00401654
Part of subcall function 00401640: QueryPerformanceCounter.KERNEL32(0040357F,?,?,?,0040357F,?,00000000), ref: 0040168E
Part of subcall function 00401640: QueryPerformanceCounter.KERNEL32(?,?,?,?,0040357F,?,00000000), ref: 004016D8

lstrcatW.KERNEL32(?,?), ref: 0040358F
lstrcatW.KERNEL32(?,.exe), ref: 0040359D

Part of subcall function 004017D0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004017F4
Part of subcall function 004017D0: GetFileSize.KERNEL32(00000000,00000000), ref: 00401803
Part of subcall function 004017D0: CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401827
Part of subcall function 004017D0: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00401876
Part of subcall function 004017D0: SetFilePointer.KERNELBASE(00000000,-00000200,00000000,00000000), ref: 00401886
Part of subcall function 004017D0: ReadFile.KERNEL32(00000000,?,00000200,00000000,00000000), ref: 004018AA
Part of subcall function 004017D0: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 004018D7
Part of subcall function 004017D0: CloseHandle.KERNEL32(00000000), ref: 00401907
Part of subcall function 004017D0: CloseHandle.KERNEL32(00000000), ref: 0040190E

ExitProcess.KERNEL32 ref: 004035D0

Part of subcall function 00401A00: GetCurrentThread.KERNEL32(?,757F6774), ref: 00401A0C
Part of subcall function 00401A00: lstrlenW.KERNEL32(?), ref: 00401A13
Part of subcall function 00401A00: RtlAllocateHeap.NTDLL(01730000,00000008,00000003), ref: 00401A2A
Part of subcall function 00401A00: lstrlenW.KERNEL32(004035CB), ref: 00401A81
Part of subcall function 00401A00: RtlAllocateHeap.NTDLL(01730000,00000008), ref: 00401A96
Part of subcall function 00401A00: HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00401AAD
Part of subcall function 00401A00: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 00401B1F
Part of subcall function 00401A00: CloseHandle.KERNEL32(?), ref: 00401B33
Part of subcall function 00401A00: CloseHandle.KERNEL32(?), ref: 00401B39
Part of subcall function 00401A00: HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00401B4B
Part of subcall function 00401A00: HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00401B57

Strings

temp, xrefs: 00403492
.exe, xrefs: 00403591
Global\pen3j3832h, xrefs: 00403508
Roaming, xrefs: 00403431
Explorer.exe, xrefs: 00403544, 00403563
Local, xrefs: 00403443

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 004453EC, Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 173

APIs

PostQuitMessage.USER32(00000000), ref: 0044543B
BeginPaint.USER32(?,?), ref: 0044544B
EndPaint.USER32(?,?), ref: 00445456
SendMessageA.USER32(000301BA,00000443,00000000,000010FF), ref: 00445473
SendMessageA.USER32(?,0000048E,00000000,0000048E), ref: 00445483
GetSystemDirectoryA.KERNEL32(?,00000200), ref: 004454A9
CreateWindowExA.USER32(00000000,static,Input,40000000,00000004,00000040,00000122,0000001E,?,00000000,00400000,00000000), ref: 004454D6
LoadLibraryA.KERNEL32(riched32.dll), ref: 004454E6
CreateWindowExA.USER32(00000000,edit,00000000,40000000,0000012C,00000040,0000012C,0000001E,?,00000000,00400000,00000000), ref: 00445514
CreateWindowExA.USER32(00000000,button,004561AE,40000000,00000194,00000194,00000062,0000001E,?,00000000,00400000,00000000), ref: 0044554A
CreateWindowExA.USER32(00000000,button,Close,40000000,000001F8,00000194,00000062,0000001E,?,00000000,00400000,00000000), ref: 00445580
CreateWindowExA.USER32(00000000,richedit,004561B7,40000004,00000004,0000005E,00000258,0000012C,?,00000000,00400000,00000000), ref: 004455B6
SendMessageA.USER32(?,00000469,00000000,00000000), ref: 004455CB
SendMessageA.USER32(000301BA,00000443,00000000,00003010), ref: 004455EF
DestroyWindow.USER32(000501CA), ref: 004455FF
DestroyWindow.USER32(?), ref: 00445627
EnumDesktopsW.USER32(?,?,?,?), ref: 00445636

Strings

richedit, xrefs: 004455AF
Input, xrefs: 004454CA
button, xrefs: 00445543, 00445579
edit, xrefs: 0044550D
static, xrefs: 004454CF
Close, xrefs: 00445574
h, xrefs: 0044561E
riched32.dll, xrefs: 004454E1

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00401A00, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 141

APIs

GetCurrentThread.KERNEL32(?,757F6774), ref: 00401A0C
lstrlenW.KERNEL32(?), ref: 00401A13
RtlAllocateHeap.NTDLL(01730000,00000008,00000003), ref: 00401A2A
lstrlenW.KERNEL32(004035CB), ref: 00401A81
RtlAllocateHeap.NTDLL(01730000,00000008), ref: 00401A96
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00401AAD
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 00401B1F
CloseHandle.KERNEL32(?), ref: 00401B33
CloseHandle.KERNEL32(?), ref: 00401B39
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00401B4B
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00401B57

Strings

D, xrefs: 00401AEB

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 004017D0, Relevance: 13.6, APIs: 9, Instructions: 122

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004017F4
GetFileSize.KERNEL32(00000000,00000000), ref: 00401803
CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401827
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00401876
SetFilePointer.KERNELBASE(00000000,-00000200,00000000,00000000), ref: 00401886
ReadFile.KERNEL32(00000000,?,00000200,00000000,00000000), ref: 004018AA
WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 004018D7
CloseHandle.KERNEL32(00000000), ref: 00401907

Part of subcall function 00401740: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401756
Part of subcall function 00401740: SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00401765
Part of subcall function 00401740: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00401781
Part of subcall function 00401740: WriteFile.KERNEL32(00000000,?,00000000,00000000), ref: 004017A5

CloseHandle.KERNEL32(00000000), ref: 0040190E

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00401B60, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,HeapCreate,?,?,?,004038B4), ref: 00401B78
GetProcAddress.KERNEL32(00000000,?,?,?,004038B4), ref: 00401B7F
HeapCreate.KERNELBASE ref: 00401BA4

Strings

HeapCreate, xrefs: 00401B6E
kernel32.dll, xrefs: 00401B73

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 0044563E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28

APIs

CreateWindowExA.USER32(00000000,CClassApp,MainApp1,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0044566B
ShowWindow.USER32(00000000,00000000), ref: 0044567A
UpdateWindow.USER32(00000000), ref: 00445681

Strings

MainApp1, xrefs: 0044565F
CClassApp, xrefs: 00445664

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00401780, Relevance: 1.5, APIs: 1, Instructions: 38

APIs

VirtualProtect.KERNELBASE(00401033,00000FE6,00000040,004527DE), ref: 004017BB

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 0040174B, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

VirtualProtect.KERNELBASE(00401033,00000FE6,00000040,004527DE), ref: 004017BB

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00401778, Relevance: 1.5, APIs: 1, Instructions: 34

APIs

VirtualProtect.KERNELBASE(00401033,00000FE6,00000040,004527DE), ref: 004017BB

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00447F90, Relevance: 1.3, APIs: 1, Instructions: 51

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040,00000000,004473A7), ref: 00447FCB

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Non-executed Functions

Function 00402DE0, Relevance: 42.2, APIs: 18, Strings: 6, Instructions: 186

APIs

NtMapViewOfSection.NTDLL ref: 00402E1D
GetModuleHandleW.KERNEL32 ref: 00402E7E
GetProcAddress.KERNEL32(00000000), ref: 00402E85
GetProcessId.KERNEL32(00000000), ref: 00402E8E
NtQuerySystemInformation.NTDLL ref: 00402EC6
SetLastError.KERNEL32(00000000), ref: 00402F1E
OpenThread.KERNEL32(00000010,00000000,00000000), ref: 00402F29
SetLastError.KERNEL32(00000000), ref: 00402F3B
GetLastError.KERNEL32 ref: 00402F41
GetModuleHandleW.KERNEL32(ntdll.dll,ZwQueueApcThread), ref: 00402F54
GetProcAddress.KERNEL32(00000000), ref: 00402F5B
GetLastError.KERNEL32 ref: 00402F78
CloseHandle.KERNEL32(00000000), ref: 00402F81
Sleep.KERNEL32(00001388), ref: 00402F9E
OpenMutexW.KERNEL32(00100000,00000000,Global\pen3j3832h), ref: 00402FB0
CloseHandle.KERNEL32(00000000), ref: 00402FDE
GetLastError.KERNEL32 ref: 00403001
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040300B

Strings

ntdll.dll, xrefs: 00402F4F
RirtualAlloc, xrefs: 00402E44
Global\pen3j3832h, xrefs: 00402FA4
ZwQueueApcThread, xrefs: 00402F4A
V, xrefs: 00402E79
kernel32.dll, xrefs: 00402E74

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00402900, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 76

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,004032E4,?,?,00000000), ref: 0040290A
WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00402926
CreateServiceW.ADVAPI32(00000000,googleupdate,Google Update Service,000F01FF,00000010,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,757D17FF), ref: 00402954
GetLastError.KERNEL32(?,004032E4,?,?,00000000), ref: 0040295E
OpenServiceW.ADVAPI32(00000000,googleupdate,000F01FF,?,004032E4,?,?,00000000), ref: 00402976
DeleteService.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 00402983
CloseServiceHandle.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 0040298C
CloseServiceHandle.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 00402997
CloseServiceHandle.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 004029AC
CloseServiceHandle.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 004029AF

Strings

Google Update Service, xrefs: 00402949
googleupdate, xrefs: 0040294E, 00402970

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00402C20, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 140

APIs

GetLastError.KERNEL32(76DC46E9,00000000,757F6774,?,?,?,?,?,?,?,?,0040308F,?,00403197,00000000), ref: 00402C4E

Part of subcall function 00402770: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0040308F,?,00403197,00000000), ref: 004027D4

GetProcessId.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0040308F), ref: 00402C82
VirtualAlloc.KERNEL32(00000000,00020000,00003000,00000004,?,?,?,?,?,?,?,?,0040308F,?,00403197,00000000), ref: 00402C99
NtQuerySystemInformation.NTDLL ref: 00402CBE
OpenThread.KERNEL32(00000010,00000000,00000000,?,?,?,?,?,?,?,?,0040308F,?,00403197,00000000), ref: 00402D14

Part of subcall function 00402830: wsprintfW.USER32 ref: 004028E0
Part of subcall function 00402830: OutputDebugStringW.KERNEL32(?), ref: 004028F0

CloseHandle.KERNEL32(00000000), ref: 00402D52
Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,0040308F,?,00403197,00000000), ref: 00402D5C
OpenMutexW.KERNEL32(00100000,00000000,Global\pen3j3832h,?,?,?,?,?,?,?,?,0040308F,?,00403197,00000000), ref: 00402D6E
CloseHandle.KERNEL32(00000000), ref: 00402D94
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,0040308F,?,00403197,00000000), ref: 00402DBC

Strings

Global\pen3j3832h, xrefs: 00402D62

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00445930, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 137

APIs

Part of subcall function 00446090: GetStdHandle.KERNEL32(000000F6,?,?,00445947,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 0044609E
Part of subcall function 00446090: GetStdHandle.KERNEL32(000000F5,?,?,00445947,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004460BB
Part of subcall function 00446090: GetStdHandle.KERNEL32(000000F4,?,?,00445947,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004460D3

GetEnvironmentStringsA.KERNEL32(?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 00445947
GetVersion.KERNEL32(?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 00445959
GetModuleFileNameA.KERNEL32(00000000,C:\FRUK22.exe,00000104,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004459C8

Part of subcall function 004461C0: GetVersion.KERNEL32(?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004461CA
Part of subcall function 004461C0: GetModuleFileNameW.KERNEL32(00000000,C:\FRUK22.exe,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108), ref: 004461F1
Part of subcall function 004461C0: GetModuleFileNameA.KERNEL32(00000000,00000000,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108), ref: 00446203
Part of subcall function 004461C0: MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,000000FF,C:\FRUK22.exe,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90), ref: 00446216

GetCommandLineA.KERNEL32(?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004459EE
GetCommandLineW.KERNEL32(?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 00445A48
GetModuleFileNameA.KERNEL32(00000000,00457B38,00000104,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 00445ADE

Strings

C:\FRUK22.exe, xrefs: 004459B1, 004459D5
C:\FRUK22.exe, xrefs: 004459CE, 004459E4

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00402AA0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43

APIs

GetModuleHandleW.KERNEL32(00000000,76DC46E9,00000000,004030DA,?,00000000), ref: 00402AA4
FindResourceW.KERNEL32(00000000,btze393ne,0000000A), ref: 00402AB4
LoadResource.KERNEL32(00000000,00000000,757DE955,?,00000000), ref: 00402AC6
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00402AD8

Part of subcall function 00401440: GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 00401447
Part of subcall function 00401440: FindResourceW.KERNEL32(00000000,00000000,0000000A), ref: 00401456
Part of subcall function 00401440: LoadResource.KERNEL32(00000000,00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 00401469
Part of subcall function 00401440: SizeofResource.KERNEL32(00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 0040147C
Part of subcall function 00401440: LockResource.KERNEL32(00000000,?,00000000), ref: 00401496

LockResource.KERNEL32(00000000,?,00000000), ref: 00402AF2

Strings

btze393ne, xrefs: 00402AAE

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00403150, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36

APIs

Part of subcall function 004030A0: GetCurrentProcess.KERNEL32(0040503C,00000000,00403532,?,00000000), ref: 004030B5
Part of subcall function 004030A0: IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004030BC
Part of subcall function 004030A0: CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000,?,00000000), ref: 004030EE
Part of subcall function 004030A0: MapViewOfFile.KERNEL32(00000000,0000000E,00000000,00000000,00000000,?,00000000), ref: 00403106

Part of subcall function 00402B10: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00402B28
Part of subcall function 00402B10: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00402B38
Part of subcall function 00402B10: lstrcmpiW.KERNEL32(?,00000000,76DC46E9,757DE955), ref: 00402B5B
Part of subcall function 00402B10: Process32NextW.KERNEL32(00000000,0000022C), ref: 00402B7A
Part of subcall function 00402B10: CloseHandle.KERNEL32(00000000), ref: 00402B88
Part of subcall function 00402B10: GetLastError.KERNEL32 ref: 00402B8E

SetLastError.KERNEL32(00000000,00000000), ref: 0040318B

Part of subcall function 00403060: GetWindow.USER32(00000000,00000000), ref: 00403069
Part of subcall function 00403060: OpenProcess.KERNEL32(00000408,00000000,?,?,00403197,00000000), ref: 0040307A
Part of subcall function 00403060: CloseHandle.KERNEL32(00000000), ref: 00403092

GetLastError.KERNEL32(00000000), ref: 0040319C
OpenProcess.KERNEL32(00000408,00000000,00000000), ref: 004031AA
GetModuleHandleW.KERNEL32(00000000), ref: 004031C4

Part of subcall function 00402DE0: NtMapViewOfSection.NTDLL ref: 00402E1D
Part of subcall function 00402DE0: GetModuleHandleW.KERNEL32 ref: 00402E7E
Part of subcall function 00402DE0: GetProcAddress.KERNEL32(00000000), ref: 00402E85
Part of subcall function 00402DE0: GetProcessId.KERNEL32(00000000), ref: 00402E8E
Part of subcall function 00402DE0: NtQuerySystemInformation.NTDLL ref: 00402EC6
Part of subcall function 00402DE0: SetLastError.KERNEL32(00000000), ref: 00402F1E
Part of subcall function 00402DE0: OpenThread.KERNEL32(00000010,00000000,00000000), ref: 00402F29
Part of subcall function 00402DE0: SetLastError.KERNEL32(00000000), ref: 00402F3B
Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402F41
Part of subcall function 00402DE0: GetModuleHandleW.KERNEL32(ntdll.dll,ZwQueueApcThread), ref: 00402F54
Part of subcall function 00402DE0: GetProcAddress.KERNEL32(00000000), ref: 00402F5B
Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402F78
Part of subcall function 00402DE0: CloseHandle.KERNEL32(00000000), ref: 00402F81
Part of subcall function 00402DE0: Sleep.KERNEL32(00001388), ref: 00402F9E
Part of subcall function 00402DE0: OpenMutexW.KERNEL32(00100000,00000000,Global\pen3j3832h), ref: 00402FB0
Part of subcall function 00402DE0: CloseHandle.KERNEL32(00000000), ref: 00402FDE
Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00403001
Part of subcall function 00402DE0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040300B

CloseHandle.KERNEL32(00000000), ref: 004031BC

Strings

svchost.exe, xrefs: 0040315F

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00446A90, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 00446A98
GetProcAddress.KERNEL32(00000000,GetActiveWindow,?,?,?,00446B7B), ref: 00446AB8

Strings

USER32.DLL, xrefs: 00446A93
GetActiveWindow, xrefs: 00446AB2

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00446B40, Relevance: 80.8, APIs: 8, Strings: 38, Instructions: 291

APIs

Part of subcall function 00446A90: LoadLibraryA.KERNEL32(USER32.DLL), ref: 00446A98
Part of subcall function 00446A90: GetProcAddress.KERNEL32(00000000,GetActiveWindow,?,?,?,00446B7B), ref: 00446AB8

GetStdHandle.KERNEL32(000000F4,?,?,?,00000000), ref: 00446BDF
WriteFile.KERNEL32(00000000,?,?,00000000), ref: 00446BEB
GetStdHandle.KERNEL32(000000F4,?,?,?,00000000,?,?,00000000), ref: 00446C21
WriteFile.KERNEL32(00000000,?,?,00000000), ref: 00446C28
GetStdHandle.KERNEL32(000000F4,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00446D8D
WriteFile.KERNEL32(00000000,?,?,00000000), ref: 00446D94
GetStdHandle.KERNEL32(000000F4,?,00000004,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00446E1E
WriteFile.KERNEL32(00000000,?,?,00000000), ref: 00446E25

Strings

A stack overflow was encountered at address 0x00000000., xrefs: 00446F53
written., xrefs: 00446F3B
The instruction at 0x00000000 caused a denormal operand floating pointexception., xrefs: 00446F09
EDX=0x00000000, xrefs: 00446C71
The instruction at 0x00000000 caused a stack overflow floating pointexception., xrefs: 00446E74
EBX=0x00000000 , xrefs: 00446C4D
An integer divide by zero was encountered at address 0x00000000., xrefs: 00446EA5
FS =0x00000000 , xrefs: 00446D49
A privileged instruction was executed at address 0x00000000., xrefs: 00446F49
read., xrefs: 00446EF1
An illegal instruction was executed at address 0x00000000., xrefs: 00446BB0
ES =0x00000000 , xrefs: 00446D37
address 0x00000000 andcannot continue., xrefs: 00446F6B
The instruction at 0x00000000 caused a division by zero floating pointexception., xrefs: 00446F13
The instruction at 0x00000000 caused an invalid operation floating pointexception., xrefs: 00446F31
EFL=0x00000000 , xrefs: 00446CE6
CS =0x00000000 , xrefs: 00446CF8
EBP=0x00000000 , xrefs: 00446CB0
The program encountered exception 0x00000000 at , xrefs: 00446F5D
GS =0x00000000, xrefs: 00446D5B
SS =0x00000000, xrefs: 00446D0A
The instruction at 0x00000000 caused an underflow floating point exception., xrefs: 00446F27
The instruction at 0x00000000 caused an overflow floating point exception., xrefs: 00446F1D
The instruction at 0x00000000 referenced memory , xrefs: 00446ECD
ESI=0x00000000 , xrefs: 00446C83
-stack end, xrefs: 00446DD0
DS =0x00000000 , xrefs: 00446D25
Exception fielded by 0x00000000, xrefs: 00446BF1
The instruction at 0x00000000 caused an inexact value floating pointexception., xrefs: 00446EB8
ESP=0x00000000, xrefs: 00446CC2
at 0x00000000.The memory could not be , xrefs: 00446EDC
EDI=0x00000000 , xrefs: 00446C95
0x00000000 , xrefs: 00446F77
EIP=0x00000000 , xrefs: 00446CD4
EAX=0x00000000 , xrefs: 00446C3B
ECX=0x00000000 , xrefs: 00446C5F
The instruction at 0x00000000 caused a stack underflow floating pointexception., xrefs: 00446EFF
Stack dump (SS:ESP), xrefs: 00446DAB

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 004031D0, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 104

APIs

GetCommandLineW.KERNEL32(?,00000000), ref: 004031DC
GetModuleFileNameW.KERNEL32(00000000,?,00000168,?,00000000), ref: 004031F2
GetWindowsDirectoryW.KERNEL32(?,00000168,?,00000000), ref: 00403204
lstrcatW.KERNEL32(?,00401288), ref: 0040321C
GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000), ref: 00403222
StrStrIW.SHLWAPI(?,?), ref: 0040323C
lstrcatW.KERNEL32(?,?), ref: 0040325A
lstrcatW.KERNEL32(?,.exe), ref: 00403268

Part of subcall function 004017D0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004017F4
Part of subcall function 004017D0: GetFileSize.KERNEL32(00000000,00000000), ref: 00401803
Part of subcall function 004017D0: CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401827
Part of subcall function 004017D0: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00401876
Part of subcall function 004017D0: SetFilePointer.KERNELBASE(00000000,-00000200,00000000,00000000), ref: 00401886
Part of subcall function 004017D0: ReadFile.KERNEL32(00000000,?,00000200,00000000,00000000), ref: 004018AA
Part of subcall function 004017D0: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 004018D7
Part of subcall function 004017D0: CloseHandle.KERNEL32(00000000), ref: 00401907
Part of subcall function 004017D0: CloseHandle.KERNEL32(00000000), ref: 0040190E

ExitProcess.KERNEL32 ref: 0040329B

Part of subcall function 00401A00: GetCurrentThread.KERNEL32(?,757F6774), ref: 00401A0C
Part of subcall function 00401A00: lstrlenW.KERNEL32(?), ref: 00401A13
Part of subcall function 00401A00: RtlAllocateHeap.NTDLL(01730000,00000008,00000003), ref: 00401A2A
Part of subcall function 00401A00: lstrlenW.KERNEL32(004035CB), ref: 00401A81
Part of subcall function 00401A00: RtlAllocateHeap.NTDLL(01730000,00000008), ref: 00401A96
Part of subcall function 00401A00: HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00401AAD
Part of subcall function 00401A00: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 00401B1F
Part of subcall function 00401A00: CloseHandle.KERNEL32(?), ref: 00401B33
Part of subcall function 00401A00: CloseHandle.KERNEL32(?), ref: 00401B39
Part of subcall function 00401A00: HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00401B4B
Part of subcall function 00401A00: HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00401B57

StrStrIW.SHLWAPI(00000000,?), ref: 004032A9
DeleteFileW.KERNEL32(00000000,?,00000000), ref: 004032B8
Sleep.KERNEL32(00000064,?,00000000), ref: 004032CA
DeleteFileW.KERNEL32(00000000,?,00000000), ref: 004032D2

Part of subcall function 00402900: OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,004032E4,?,?,00000000), ref: 0040290A
Part of subcall function 00402900: WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00402926
Part of subcall function 00402900: CreateServiceW.ADVAPI32(00000000,googleupdate,Google Update Service,000F01FF,00000010,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,757D17FF), ref: 00402954
Part of subcall function 00402900: GetLastError.KERNEL32(?,004032E4,?,?,00000000), ref: 0040295E
Part of subcall function 00402900: OpenServiceW.ADVAPI32(00000000,googleupdate,000F01FF,?,004032E4,?,?,00000000), ref: 00402976
Part of subcall function 00402900: DeleteService.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 00402983
Part of subcall function 00402900: CloseServiceHandle.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 0040298C
Part of subcall function 00402900: CloseServiceHandle.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 00402997
Part of subcall function 00402900: CloseServiceHandle.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 004029AC
Part of subcall function 00402900: CloseServiceHandle.ADVAPI32(00000000,?,004032E4,?,?,00000000), ref: 004029AF

OpenMutexW.KERNEL32(00100000,00000000,Global\pen3j3832h,?,00000000), ref: 004032F3
CloseHandle.KERNEL32(00000000), ref: 004032FE
ExitProcess.KERNEL32 ref: 00403306

Part of subcall function 00403150: SetLastError.KERNEL32(00000000,00000000), ref: 0040318B
Part of subcall function 00403150: GetLastError.KERNEL32(00000000), ref: 0040319C
Part of subcall function 00403150: OpenProcess.KERNEL32(00000408,00000000,00000000), ref: 004031AA
Part of subcall function 00403150: CloseHandle.KERNEL32(00000000), ref: 004031BC
Part of subcall function 00403150: GetModuleHandleW.KERNEL32(00000000), ref: 004031C4

Part of subcall function 00401640: QueryPerformanceCounter.KERNEL32(00000000,757F6774,?,?,?,0040357F,?,00000000), ref: 00401654
Part of subcall function 00401640: QueryPerformanceCounter.KERNEL32(0040357F,?,?,?,0040357F,?,00000000), ref: 0040168E
Part of subcall function 00401640: QueryPerformanceCounter.KERNEL32(?,?,?,?,0040357F,?,00000000), ref: 004016D8

Strings

.exe, xrefs: 0040325C
Global\pen3j3832h, xrefs: 004032E7

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00403320, Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 63

APIs

lstrlenW.KERNEL32(?,00000000), ref: 0040332B
lstrcpyW.KERNEL32(?,00401380), ref: 00403348
lstrcatW.KERNEL32(?,ftware\Mi), ref: 00403360
lstrcatW.KERNEL32(?,crosoft\Wi), ref: 0040336E
lstrcatW.KERNEL32(?,ndows\CurrentVers), ref: 0040337C
lstrcatW.KERNEL32(?,ion\Run), ref: 0040338A
RegCreateKeyExW.ADVAPI32(80000001,?,00000000,0040128C,00000000,00000002,00000000,?,00000000), ref: 004033AB
RegSetValueExW.ADVAPI32(?,GoogleUpdate,00000000,00000001,?,00000002), ref: 004033C8
RegCloseKey.ADVAPI32(?), ref: 004033D2

Strings

ftware\Mi, xrefs: 00403354
ndows\CurrentVers, xrefs: 00403370
ion\Run, xrefs: 0040337E
crosoft\Wi, xrefs: 00403362
GoogleUpdate, xrefs: 004033C2

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 004035E0, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81

APIs

RegisterServiceCtrlHandlerW.ADVAPI32(Google Update Service,Function_00003720), ref: 004035EB
SetServiceStatus.ADVAPI32(00000000,00405014), ref: 0040364F
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040365A
GetLastError.KERNEL32 ref: 00403675
SetServiceStatus.ADVAPI32(00000000,00405014), ref: 00403692
SetServiceStatus.ADVAPI32(00000000,00405014), ref: 004036C2
CreateThread.KERNEL32(00000000,00000000,Function_00003780,00000000,00000000,00000000), ref: 004036CE
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004036D7
CloseHandle.KERNEL32(FFFFFFFF), ref: 004036E3
SetServiceStatus.ADVAPI32(00000000,00405014), ref: 00403711

Strings

Google Update Service, xrefs: 004035E6

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00401F52, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 176

APIs

OpenSemaphoreW.KERNEL32 ref: 00402069
GetModuleHandleW.KERNEL32 ref: 004020F8
RtlAllocateHeap.NTDLL(01730000,00000008,?), ref: 004021E3
GetKeyboardType.USER32(00000000), ref: 0040227D
lstrcmpiW.KERNEL32(ntdll.dll,00000000), ref: 00402289
GetModuleHandleW.KERNEL32(00000000), ref: 00402295
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 004022A5
GetModuleHandleW.KERNEL32(00000000), ref: 004022D1
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 004022F8

Strings

ntdll.dll, xrefs: 00402284

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00401930, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81

APIs

OpenProcessToken.ADVAPI32(00000000,00000008,?,?), ref: 00401943
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00401963
GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?,00000000), ref: 00401983
GetLastError.KERNEL32 ref: 00401985
RtlAllocateHeap.NTDLL(01730000,00000008,?), ref: 0040199E
GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 004019B9
EqualSid.ADVAPI32(00000000,?), ref: 004019C6
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 004019DF
CloseHandle.KERNEL32(?), ref: 004019EB

Strings

D, xrefs: 0040195C

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00402310, Relevance: 15.3, APIs: 10, Instructions: 265

APIs

RtlAllocateHeap.NTDLL(01730000,00000008,?), ref: 004024F3
RtlAllocateHeap.NTDLL(01730000,00000008,?), ref: 00402538
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00402555
RtlAllocateHeap.NTDLL(01730000,00000008,?), ref: 0040259C
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 0040263E

Part of subcall function 00401C30: HeapFree.KERNEL32(01730000,00000000,?), ref: 00401C49

HeapFree.KERNEL32(01730000,00000000), ref: 00402612
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00402625
HeapFree.KERNEL32(01730000,00000000), ref: 00402671
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 00402684
HeapFree.KERNEL32(01730000,00000000,00000000), ref: 0040269D

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 004452E0, Relevance: 10.6, APIs: 7, Instructions: 53

APIs

LoadAcceleratorsA.USER32(?,0000006A), ref: 004452EC
LoadStringA.USER32(?,00000069,00457794,00000064), ref: 004452FE
LoadStringA.USER32(?,0000006A,00457730,00000064), ref: 0044530E

Part of subcall function 00445372: LoadIconA.USER32(?,0000006B), ref: 004453A1
Part of subcall function 00445372: LoadIconA.USER32(?,0000006C), ref: 004453CE
Part of subcall function 00445372: RegisterClassExA.USER32 ref: 004453DB

Part of subcall function 0044563E: CreateWindowExA.USER32(00000000,CClassApp,MainApp1,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0044566B
Part of subcall function 0044563E: ShowWindow.USER32(00000000,00000000), ref: 0044567A
Part of subcall function 0044563E: UpdateWindow.USER32(00000000), ref: 00445681

GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00445335
TranslateAcceleratorA.USER32(00000000,00000000,?,?,?,?,00000108,004457BD,00000000), ref: 00445348
TranslateMessage.USER32 ref: 00445355
DispatchMessageA.USER32 ref: 0044535E

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 004029C0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43

APIs

GetModuleHandleW.KERNEL32(00000000,76DC46E9,00000000,004030A8,00000000,00403532,?,00000000), ref: 004029C4
FindResourceW.KERNEL32(00000000,xfnpzpwm1,0000000A), ref: 004029D4
LoadResource.KERNEL32(00000000,00000000,757DE955,?,00000000), ref: 004029E6
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 004029F8

Part of subcall function 00401440: GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 00401447
Part of subcall function 00401440: FindResourceW.KERNEL32(00000000,00000000,0000000A), ref: 00401456
Part of subcall function 00401440: LoadResource.KERNEL32(00000000,00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 00401469
Part of subcall function 00401440: SizeofResource.KERNEL32(00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 0040147C
Part of subcall function 00401440: LockResource.KERNEL32(00000000,?,00000000), ref: 00401496

LockResource.KERNEL32(00000000,?,00000000), ref: 00402A12

Strings

xfnpzpwm1, xrefs: 004029CE

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00402A30, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43

APIs

GetModuleHandleW.KERNEL32(00000000,76DC46E9,00000000,004030D3,?,00000000), ref: 00402A34
FindResourceW.KERNEL32(00000000,pozd1f6e2,0000000A), ref: 00402A44
LoadResource.KERNEL32(00000000,00000000,757DE955,?,00000000), ref: 00402A56
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00402A68

Part of subcall function 00401440: GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 00401447
Part of subcall function 00401440: FindResourceW.KERNEL32(00000000,00000000,0000000A), ref: 00401456
Part of subcall function 00401440: LoadResource.KERNEL32(00000000,00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 00401469
Part of subcall function 00401440: SizeofResource.KERNEL32(00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 0040147C
Part of subcall function 00401440: LockResource.KERNEL32(00000000,?,00000000), ref: 00401496

LockResource.KERNEL32(00000000,?,00000000), ref: 00402A82

Strings

pozd1f6e2, xrefs: 00402A3E

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 004479D0, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 37

APIs

CreateFileA.KERNEL32(conin$,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00447A0E
CreateFileA.KERNEL32(conout$,40000000,00000002,00000000,00000003,00000080,00000000), ref: 00447A32

Strings

conin$, xrefs: 00447A09
YD, xrefs: 004479D4
YD, xrefs: 004479EE, 00447A3F
conout$, xrefs: 00447A2D

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00402830, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 74

APIs

Part of subcall function 00401C60: SetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,00000040,00000000,00000000,?,00402C6A,00000000,00000000), ref: 00401D13

wsprintfW.USER32 ref: 004028E0
OutputDebugStringW.KERNEL32(?), ref: 004028F0

Strings

-ZwQueueApcThread: error code = %x, xrefs: 004028DA
ZwQueueApcThread, xrefs: 00402875
E-@, xrefs: 004028A3, 004028B1

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 004461C0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70

APIs

GetVersion.KERNEL32(?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004461CA
GetModuleFileNameW.KERNEL32(00000000,C:\FRUK22.exe,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108), ref: 004461F1
GetModuleFileNameA.KERNEL32(00000000,00000000,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108), ref: 00446203
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,000000FF,C:\FRUK22.exe,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90), ref: 00446216

Strings

C:\FRUK22.exe, xrefs: 004461EF, 0044620E

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00403780, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000168), ref: 00403799
CreateProcessW.KERNEL32(?,0040128C,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 004037EF
CloseHandle.KERNEL32(?), ref: 00403800
CloseHandle.KERNEL32(?), ref: 00403807

Strings

D, xrefs: 004037B9

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00445372, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34

APIs

LoadIconA.USER32(?,0000006B), ref: 004453A1
LoadIconA.USER32(?,0000006C), ref: 004453CE
RegisterClassExA.USER32 ref: 004453DB

Strings

j, xrefs: 004453B7
CClassApp, xrefs: 004453BF

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00401440, Relevance: 7.6, APIs: 5, Instructions: 51

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 00401447
FindResourceW.KERNEL32(00000000,00000000,0000000A), ref: 00401456
LoadResource.KERNEL32(00000000,00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 00401469
SizeofResource.KERNEL32(00000000,00000000,?,00402A0E,00000000,00000000,00000000,?,00000000), ref: 0040147C
LockResource.KERNEL32(00000000,?,00000000), ref: 00401496

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00445C42, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39

APIs

Part of subcall function 00445B10: FreeEnvironmentStringsA.KERNEL32(000C7650,?,?,?,?,00000108,00445BD7,?,?,004457C2,00000000), ref: 00445B59

ExitProcess.KERNEL32 ref: 00445BF2

Strings

YD, xrefs: 00445C18
A\D, xrefs: 00445C85
A\D, xrefs: 00445C46, 00445C7F

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Function 00401740, Relevance: 6.1, APIs: 4, Instructions: 63

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401756
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00401765
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00401781
WriteFile.KERNEL32(00000000,?,00000000,00000000), ref: 004017A5

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 004030A0, Relevance: 6.1, APIs: 4, Instructions: 53

APIs

Part of subcall function 004029C0: GetModuleHandleW.KERNEL32(00000000,76DC46E9,00000000,004030A8,00000000,00403532,?,00000000), ref: 004029C4
Part of subcall function 004029C0: FindResourceW.KERNEL32(00000000,xfnpzpwm1,0000000A), ref: 004029D4
Part of subcall function 004029C0: LoadResource.KERNEL32(00000000,00000000,757DE955,?,00000000), ref: 004029E6
Part of subcall function 004029C0: SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 004029F8
Part of subcall function 004029C0: LockResource.KERNEL32(00000000,?,00000000), ref: 00402A12

GetCurrentProcess.KERNEL32(0040503C,00000000,00403532,?,00000000), ref: 004030B5
IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004030BC

Part of subcall function 00402AA0: GetModuleHandleW.KERNEL32(00000000,76DC46E9,00000000,004030DA,?,00000000), ref: 00402AA4
Part of subcall function 00402AA0: FindResourceW.KERNEL32(00000000,btze393ne,0000000A), ref: 00402AB4
Part of subcall function 00402AA0: LoadResource.KERNEL32(00000000,00000000,757DE955,?,00000000), ref: 00402AC6
Part of subcall function 00402AA0: SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00402AD8
Part of subcall function 00402AA0: LockResource.KERNEL32(00000000,?,00000000), ref: 00402AF2

CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000,?,00000000), ref: 004030EE
MapViewOfFile.KERNEL32(00000000,0000000E,00000000,00000000,00000000,?,00000000), ref: 00403106

Part of subcall function 00402A30: GetModuleHandleW.KERNEL32(00000000,76DC46E9,00000000,004030D3,?,00000000), ref: 00402A34
Part of subcall function 00402A30: FindResourceW.KERNEL32(00000000,pozd1f6e2,0000000A), ref: 00402A44
Part of subcall function 00402A30: LoadResource.KERNEL32(00000000,00000000,757DE955,?,00000000), ref: 00402A56
Part of subcall function 00402A30: SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00402A68
Part of subcall function 00402A30: LockResource.KERNEL32(00000000,?,00000000), ref: 00402A82

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00402BA0, Relevance: 6.0, APIs: 4, Instructions: 31

APIs

GetLastError.KERNEL32 ref: 00402BA6
SetLastError.KERNEL32(00000000), ref: 00402BAE
OpenProcess.KERNEL32(00000400,00000000,?), ref: 00402BC0

Part of subcall function 00401930: OpenProcessToken.ADVAPI32(00000000,00000008,?,?), ref: 00401943
Part of subcall function 00401930: CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00401963
Part of subcall function 00401930: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?,00000000), ref: 00401983
Part of subcall function 00401930: GetLastError.KERNEL32 ref: 00401985
Part of subcall function 00401930: RtlAllocateHeap.NTDLL(01730000,00000008,?), ref: 0040199E
Part of subcall function 00401930: GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 004019B9
Part of subcall function 00401930: EqualSid.ADVAPI32(00000000,?), ref: 004019C6
Part of subcall function 00401930: HeapFree.KERNEL32(01730000,00000000,00000000), ref: 004019DF
Part of subcall function 00401930: CloseHandle.KERNEL32(?), ref: 004019EB

CloseHandle.KERNEL32(00000000), ref: 00402BE0

Memory Dump Source

Source File: 00000001.00000002.4556478732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4556452282.00400000.00000002.sdmp
Associated: 00000001.00000002.4556518643.00405000.00000004.sdmp
Associated: 00000001.00000002.4556534895.00406000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FRUK22.jbxd

Function 00446020, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004460B4,?,?,00445947,?,?,?,00445B90), ref: 00446031

Strings

YD, xrefs: 0044604E, 00446084
YD, xrefs: 00446023

Memory Dump Source

Source File: 00000001.00000001.4529695137.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4529661806.00400000.00000002.sdmp
Associated: 00000001.00000001.4530288589.0044A000.00000004.sdmp
Associated: 00000001.00000001.4530309173.0044B000.00000008.sdmp
Associated: 00000001.00000001.4530351301.0044F000.00000004.sdmp
Associated: 00000001.00000001.4530371026.00450000.00000008.sdmp
Associated: 00000001.00000001.4530400003.00452000.00000004.sdmp
Associated: 00000001.00000001.4530419178.00453000.00000008.sdmp
Associated: 00000001.00000001.4530453284.00456000.00000004.sdmp
Associated: 00000001.00000001.4530483602.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_FRUK22.jbxd

Analysis Process: gNLgAaLjeJfBoaJ.exe PID: 3164 Parent PID: 2004

Execution Graph

Execution Coverage:	43.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	77.8%
Total number of Nodes:	45
Total number of Limit Nodes:	12

Executed Functions

Function 00230117, Relevance: 11.1, APIs: 7, Instructions: 620

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0023014E
VirtualAlloc.KERNELBASE(?,?,00002000,00000001), ref: 00230275
VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004), ref: 0023029A
VirtualAlloc.KERNELBASE(?,?,00001000,00000004,?,?,?), ref: 002302EE
LoadLibraryA.KERNEL32(?), ref: 00230339
VirtualProtect.KERNELBASE(?,00001000,00000002,?), ref: 0023043E
VirtualProtect.KERNELBASE(?,?,00000001,?,?), ref: 0023048D

Memory Dump Source

Source File: 00000003.00000002.4782907626.00230000.00000040.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_230000_gNLgAaLjeJfBoaJ.jbxd

Function 00446F90, Relevance: 3.0, APIs: 2, Instructions: 14

APIs

SetUnhandledExceptionFilter.KERNEL32(00446B40), ref: 00446F97
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00446FA5

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 004453EC, Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 173

APIs

PostQuitMessage.USER32(00000000), ref: 0044543B
BeginPaint.USER32(?,?), ref: 0044544B
EndPaint.USER32(?,?), ref: 00445456
SendMessageA.USER32(00000000,00000443,00000000,000010FF), ref: 00445473
SendMessageA.USER32(?,0000048E,00000000,0000048E), ref: 00445483
GetSystemDirectoryA.KERNEL32(?,00000200), ref: 004454A9
CreateWindowExA.USER32(00000000,static,Input,40000000,00000004,00000040,00000122,0000001E,?,00000000,00400000,00000000), ref: 004454D6
LoadLibraryA.KERNEL32(riched32.dll), ref: 004454E6
CreateWindowExA.USER32(00000000,edit,00000000,40000000,0000012C,00000040,0000012C,0000001E,?,00000000,00400000,00000000), ref: 00445514
CreateWindowExA.USER32(00000000,button,004561AE,40000000,00000194,00000194,00000062,0000001E,?,00000000,00400000,00000000), ref: 0044554A
CreateWindowExA.USER32(00000000,button,Close,40000000,000001F8,00000194,00000062,0000001E,?,00000000,00400000,00000000), ref: 00445580
CreateWindowExA.USER32(00000000,richedit,004561B7,40000004,00000004,0000005E,00000258,0000012C,?,00000000,00400000,00000000), ref: 004455B6
SendMessageA.USER32(?,00000469,00000000,00000000), ref: 004455CB
SendMessageA.USER32(00000000,00000443,00000000,00003010), ref: 004455EF
DestroyWindow.USER32(000601CA), ref: 004455FF
DestroyWindow.USER32(?), ref: 00445627
EnumDesktopsW.USER32(?,?,?,?), ref: 00445636

Strings

button, xrefs: 00445543, 00445579
Close, xrefs: 00445574
riched32.dll, xrefs: 004454E1
edit, xrefs: 0044550D
h, xrefs: 0044561E
Input, xrefs: 004454CA
richedit, xrefs: 004455AF
static, xrefs: 004454CF

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 0044563E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28

APIs

CreateWindowExA.USER32(00000000,CClassApp,MainApp1,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0044566B
ShowWindow.USER32(00000000,00000000), ref: 0044567A
UpdateWindow.USER32(00000000), ref: 00445681

Strings

MainApp1, xrefs: 0044565F
CClassApp, xrefs: 00445664

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 00401780, Relevance: 1.5, APIs: 1, Instructions: 38

APIs

VirtualProtect.KERNELBASE(00401033,00000FE6,00000040,004527DE), ref: 004017BB

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 0040174B, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

VirtualProtect.KERNELBASE(00401033,00000FE6,00000040,004527DE), ref: 004017BB

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 00401778, Relevance: 1.5, APIs: 1, Instructions: 34

APIs

VirtualProtect.KERNELBASE(00401033,00000FE6,00000040,004527DE), ref: 004017BB

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 00447F90, Relevance: 1.3, APIs: 1, Instructions: 51

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040,00000000,004473A7), ref: 00447FCB

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Non-executed Functions

Function 00446B40, Relevance: 80.8, APIs: 8, Strings: 38, Instructions: 291

APIs

Part of subcall function 00446A90: LoadLibraryA.KERNEL32(USER32.DLL), ref: 00446A98
Part of subcall function 00446A90: GetProcAddress.KERNEL32(00000000,GetActiveWindow,?,?,?,00446B7B), ref: 00446AB8

GetStdHandle.KERNEL32(000000F4,?,?,?,00000000), ref: 00446BDF
WriteFile.KERNEL32(00000000,?,?,00000000), ref: 00446BEB
GetStdHandle.KERNEL32(000000F4,?,?,?,00000000,?,?,00000000), ref: 00446C21
WriteFile.KERNEL32(00000000,?,?,00000000), ref: 00446C28
GetStdHandle.KERNEL32(000000F4,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00446D8D
WriteFile.KERNEL32(00000000,?,?,00000000), ref: 00446D94
GetStdHandle.KERNEL32(000000F4,?,00000004,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00446E1E
WriteFile.KERNEL32(00000000,?,?,00000000), ref: 00446E25

Strings

The instruction at 0x00000000 referenced memory , xrefs: 00446ECD
The program encountered exception 0x00000000 at , xrefs: 00446F5D
The instruction at 0x00000000 caused an invalid operation floating pointexception., xrefs: 00446F31
address 0x00000000 andcannot continue., xrefs: 00446F6B
EBX=0x00000000 , xrefs: 00446C4D
GS =0x00000000, xrefs: 00446D5B
Stack dump (SS:ESP), xrefs: 00446DAB
ES =0x00000000 , xrefs: 00446D37
EFL=0x00000000 , xrefs: 00446CE6
ECX=0x00000000 , xrefs: 00446C5F
An illegal instruction was executed at address 0x00000000., xrefs: 00446BB0
The instruction at 0x00000000 caused an inexact value floating pointexception., xrefs: 00446EB8
The instruction at 0x00000000 caused a denormal operand floating pointexception., xrefs: 00446F09
The instruction at 0x00000000 caused an underflow floating point exception., xrefs: 00446F27
EDX=0x00000000, xrefs: 00446C71
0x00000000 , xrefs: 00446F77
written., xrefs: 00446F3B
at 0x00000000.The memory could not be , xrefs: 00446EDC
DS =0x00000000 , xrefs: 00446D25
ESP=0x00000000, xrefs: 00446CC2
SS =0x00000000, xrefs: 00446D0A
EBP=0x00000000 , xrefs: 00446CB0
read., xrefs: 00446EF1
An integer divide by zero was encountered at address 0x00000000., xrefs: 00446EA5
EDI=0x00000000 , xrefs: 00446C95
ESI=0x00000000 , xrefs: 00446C83
CS =0x00000000 , xrefs: 00446CF8
A stack overflow was encountered at address 0x00000000., xrefs: 00446F53
A privileged instruction was executed at address 0x00000000., xrefs: 00446F49
EAX=0x00000000 , xrefs: 00446C3B
Exception fielded by 0x00000000, xrefs: 00446BF1
The instruction at 0x00000000 caused a stack underflow floating pointexception., xrefs: 00446EFF
FS =0x00000000 , xrefs: 00446D49
EIP=0x00000000 , xrefs: 00446CD4
The instruction at 0x00000000 caused an overflow floating point exception., xrefs: 00446F1D
-stack end, xrefs: 00446DD0
The instruction at 0x00000000 caused a division by zero floating pointexception., xrefs: 00446F13
The instruction at 0x00000000 caused a stack overflow floating pointexception., xrefs: 00446E74

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 00445930, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 137

APIs

Part of subcall function 00446090: GetStdHandle.KERNEL32(000000F6,?,?,00445947,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 0044609E
Part of subcall function 00446090: GetStdHandle.KERNEL32(000000F5,?,?,00445947,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004460BB
Part of subcall function 00446090: GetStdHandle.KERNEL32(000000F4,?,?,00445947,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004460D3

GetEnvironmentStringsA.KERNEL32(?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 00445947
GetVersion.KERNEL32(?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 00445959
GetModuleFileNameA.KERNEL32(00000000,C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe,00000104,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004459C8

Part of subcall function 004461C0: GetVersion.KERNEL32(?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004461CA
Part of subcall function 004461C0: GetModuleFileNameW.KERNEL32(00000000,C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108), ref: 004461F1
Part of subcall function 004461C0: GetModuleFileNameA.KERNEL32(00000000,00000000,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108), ref: 00446203
Part of subcall function 004461C0: MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,000000FF,C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90), ref: 00446216

GetCommandLineA.KERNEL32(?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004459EE
GetCommandLineW.KERNEL32(?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 00445A48
GetModuleFileNameA.KERNEL32(00000000,00457B38,00000104,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 00445ADE

Strings

C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe, xrefs: 004459B1, 004459D5
C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe, xrefs: 004459CE, 004459E4

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 004452E0, Relevance: 10.6, APIs: 7, Instructions: 53

APIs

LoadAcceleratorsA.USER32(?,0000006A), ref: 004452EC
LoadStringA.USER32(?,00000069,00457794,00000064), ref: 004452FE
LoadStringA.USER32(?,0000006A,00457730,00000064), ref: 0044530E

Part of subcall function 00445372: LoadIconA.USER32(?,0000006B), ref: 004453A1
Part of subcall function 00445372: LoadIconA.USER32(?,0000006C), ref: 004453CE
Part of subcall function 00445372: RegisterClassExA.USER32 ref: 004453DB

Part of subcall function 0044563E: CreateWindowExA.USER32(00000000,CClassApp,MainApp1,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0044566B
Part of subcall function 0044563E: ShowWindow.USER32(00000000,00000000), ref: 0044567A
Part of subcall function 0044563E: UpdateWindow.USER32(00000000), ref: 00445681

GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00445335
TranslateAcceleratorA.USER32(00000000,00000000,?,?,?,?,00000108,004457BD,00000000), ref: 00445348
TranslateMessage.USER32 ref: 00445355
DispatchMessageA.USER32 ref: 0044535E

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 004479D0, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 37

APIs

CreateFileA.KERNEL32(conin$,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00447A0E
CreateFileA.KERNEL32(conout$,40000000,00000002,00000000,00000003,00000080,00000000), ref: 00447A32

Strings

YD, xrefs: 004479D4
conout$, xrefs: 00447A2D
YD, xrefs: 004479EE, 00447A3F
conin$, xrefs: 00447A09

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 004461C0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70

APIs

GetVersion.KERNEL32(?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108,0044577C), ref: 004461CA
GetModuleFileNameW.KERNEL32(00000000,C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108), ref: 004461F1
GetModuleFileNameA.KERNEL32(00000000,00000000,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90,?,?,?,00000108), ref: 00446203
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,000000FF,C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe,00000208,?,00000000,00000000,?,004459E4,?,?,?,00445B90), ref: 00446216

Strings

C:\Users\john\AppData\Local\gNLgAaLjeJfBoaJ.exe, xrefs: 004461EF, 0044620E

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 00445372, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34

APIs

LoadIconA.USER32(?,0000006B), ref: 004453A1
LoadIconA.USER32(?,0000006C), ref: 004453CE
RegisterClassExA.USER32 ref: 004453DB

Strings

j, xrefs: 004453B7
CClassApp, xrefs: 004453BF

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 00445C42, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39

APIs

Part of subcall function 00445B10: FreeEnvironmentStringsA.KERNEL32(000B7708,?,?,?,?,00000108,00445BD7,?,?,004457C2,00000000), ref: 00445B59

ExitProcess.KERNEL32 ref: 00445BF2

Strings

YD, xrefs: 00445C18
A\D, xrefs: 00445C46, 00445C7F
A\D, xrefs: 00445C85

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 00446A90, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 00446A98
GetProcAddress.KERNEL32(00000000,GetActiveWindow,?,?,?,00446B7B), ref: 00446AB8

Strings

GetActiveWindow, xrefs: 00446AB2
USER32.DLL, xrefs: 00446A93

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Function 00446020, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004460B4,?,?,00445947,?,?,?,00445B90), ref: 00446031

Strings

YD, xrefs: 0044604E, 00446084
YD, xrefs: 00446023

Memory Dump Source

Source File: 00000003.00000001.4553051395.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.4553034378.00400000.00000002.sdmp
Associated: 00000003.00000001.4553703094.0044A000.00000004.sdmp
Associated: 00000003.00000001.4553728543.0044B000.00000008.sdmp
Associated: 00000003.00000001.4553783523.0044F000.00000004.sdmp
Associated: 00000003.00000001.4553815665.00450000.00000008.sdmp
Associated: 00000003.00000001.4553871296.00456000.00000004.sdmp
Associated: 00000003.00000001.4554139850.00458000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_gNLgAaLjeJfBoaJ.jbxd

Analysis Process: explorer.exe PID: 1972 Parent PID: 3164

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	98.8%
Signature Coverage:	5.8%
Total number of Nodes:	1652
Total number of Limit Nodes:	85

Executed Functions

Function 02D39C8C, Relevance: 36.9, APIs: 13, Strings: 8, Instructions: 167

APIs

Part of subcall function 02D35ADE: GetVersionExW.KERNEL32(?), ref: 02D35B0E

BCryptOpenAlgorithmProvider.BCRYPT(00000000,SHA384,00000000,00000000,00000000,00000000,00000620,00000620,00000000,00000000), ref: 02D39CD8
BCryptOpenAlgorithmProvider.BCRYPT(?,ECDSA_P384,00000000,00000000), ref: 02D39CEC
BCryptImportKeyPair.BCRYPT(?,00000000,ECCPUBLICBLOB,?,00000000,00000064,00000000), ref: 02D39D0D
BCryptGetProperty.BCRYPT(00000000,ObjectLength,?,00000004,00000000,00000000), ref: 02D39D3D

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

BCryptGetProperty.BCRYPT(00000000,HashDigestLength,00000064,00000004,00000000,00000000), ref: 02D39D6D
BCryptCreateHash.BCRYPT(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D39D96
BCryptHashData.BCRYPT(00000000,?,?,00000000), ref: 02D39DAA
BCryptFinishHash.BCRYPT(00000000,00000000,00000064,00000000), ref: 02D39DBC
BCryptVerifySignature.BCRYPT(?,00000000,00000000,00000064,?,00000000,00000000), ref: 02D39DD5
BCryptCloseAlgorithmProvider.BCRYPT(00000000,00000000), ref: 02D39DFA
BCryptCloseAlgorithmProvider.BCRYPT(?,00000000), ref: 02D39E05
BCryptDestroyKey.BCRYPT(?), ref: 02D39E0F
BCryptDestroyHash.BCRYPT(00000000), ref: 02D39E1D

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

ECDSA_P384, xrefs: 02D39CB9, 02D39CE7
ECDSA_P256, xrefs: 02D39CC5
SHA256, xrefs: 02D39CC0, 02D39CD3
ECCPUBLICBLOB, xrefs: 02D39D04
SHA384, xrefs: 02D39CB4
ObjectLength, xrefs: 02D39D2C
d, xrefs: 02D39CA7
HashDigestLength, xrefs: 02D39D65

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3529F, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37

APIs

GetCurrentProcess.KERNEL32(00000020,?,07C59620,?,?), ref: 02D352AE
OpenProcessToken.ADVAPI32(00000000), ref: 02D352B5
LookupPrivilegeValueW.ADVAPI32(00000000), ref: 02D352D0
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 02D352ED
CloseHandle.KERNEL32(?), ref: 02D352F8

Strings

SeDebugPrivilege, xrefs: 02D352C3

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D36C58, Relevance: 9.1, APIs: 6, Instructions: 88

APIs

Part of subcall function 02D36C30: lstrlenW.KERNEL32(?,?,?,?,02D36C70,?), ref: 02D36C39

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,02000000,02000000,00000000,00000000,?,?,?,?), ref: 02D36CB5
ConnectNamedPipe.KERNELBASE(00000000,00000000,?,?,?,?), ref: 02D36CC4
GetLastError.KERNEL32(?,?,?,?), ref: 02D36CCE

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

CreateThread.KERNEL32(00000000,00000000,02D36B38,00000000,00000000,?), ref: 02D36D0D
SetThreadPriority.KERNEL32(00000000,00000002,?,?,?,?), ref: 02D36D1D

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

CloseHandle.KERNEL32(00000000), ref: 02D36D30

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3A7D2, Relevance: 7.5, APIs: 5, Instructions: 45

APIs

socket.WS2_32(00000002,00000002,00000000), ref: 02D3A7E1
bind.WS2_32(00000000,?,00000010), ref: 02D3A816
WSAGetLastError.WS2_32(?,?,?,?,?,02D3B391,?,00000000,?,?,?,?,?,?,02D3B4BB,00000000), ref: 02D3A821
closesocket.WS2_32(00000000), ref: 02D3A82A
WSASetLastError.WS2_32(00000000,?,?,?,?,?,02D3B391,?,00000000,?,?,?,?,?,?,02D3B4BB), ref: 02D3A831

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3A8B0, Relevance: 4.5, APIs: 3, Instructions: 49

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 02D3A8F8
WSAGetLastError.WS2_32 ref: 02D3A903
recvfrom.WS2_32(00000102,?,00000080,00000000,?,02D3AF1F), ref: 02D3A91D

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3AFC9, Relevance: 28.8, APIs: 19, Instructions: 275

APIs

htons.WS2_32(00000001), ref: 02D3AFF4

Part of subcall function 02D3AE53: GetTickCount.KERNEL32(76B32D8B,?,?,02D3B020,?,?,?,00000014,?), ref: 02D3AE88
Part of subcall function 02D3AE53: GetTickCount.KERNEL32(?,?,?,?,?,?,02D3B020,?,?), ref: 02D3AEEC
Part of subcall function 02D3AE53: htons.WS2_32(00000101), ref: 02D3AF4D
Part of subcall function 02D3AE53: htons.WS2_32(?), ref: 02D3AF80
Part of subcall function 02D3AE53: GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,02D3B020,?,?), ref: 02D3AF91

Part of subcall function 02D3ADC4: htons.WS2_32(?), ref: 02D3ADCA
Part of subcall function 02D3ADC4: htons.WS2_32(?), ref: 02D3ADD9

htons.WS2_32(?), ref: 02D3B045
Sleep.KERNEL32(0000012C), ref: 02D3B0BE

Part of subcall function 02D3ADED: getsockname.WS2_32(?,?,?), ref: 02D3AE05

Part of subcall function 02D3A961: GetAdaptersAddresses.IPHLPAPI(00000002,00000010,00000000,00000000,?,?,?,?,02D3B0F1,?,?), ref: 02D3A97B
Part of subcall function 02D3A961: GetAdaptersAddresses.IPHLPAPI(00000002,00000010,00000000,00000000,?,?,02D3B0F1,?,?), ref: 02D3A998

htons.WS2_32(00000003), ref: 02D3B122
htons.WS2_32(00000004), ref: 02D3B12A
htons.WS2_32(00000001), ref: 02D3B139
htons.WS2_32(00000008), ref: 02D3B141
htons.WS2_32(00000003), ref: 02D3B1A4
htons.WS2_32(00000004), ref: 02D3B1AC
htons.WS2_32(00000001), ref: 02D3B1BB
htons.WS2_32(00000008), ref: 02D3B1C3
Sleep.KERNEL32(00000190,?,?,?,0000001C,?,?,00000010), ref: 02D3B210
htons.WS2_32(00000001), ref: 02D3B220
htons.WS2_32(?), ref: 02D3B274
Sleep.KERNEL32(000001F4), ref: 02D3B2BD
htons.WS2_32(00000003), ref: 02D3B2CB
htons.WS2_32(00000004), ref: 02D3B2D3
htons.WS2_32(00000001), ref: 02D3B2E2
htons.WS2_32(00000008), ref: 02D3B2EA

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3BC6B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 51

APIs

GetTickCount.KERNEL32 ref: 02D3BC78
FindWindowW.USER32(#32770,00000000), ref: 02D3BC8A
EnumChildWindows.USER32(00000000,02D3BBB1,00000000), ref: 02D3BCA5
GetTickCount.KERNEL32 ref: 02D3BCB0
Sleep.KERNELBASE(000000FA), ref: 02D3BCB9
EnumChildWindows.USER32(00000000,02D3BBBD,00000000), ref: 02D3BCDC
UpdateWindow.USER32(00000000), ref: 02D3BCDF
EnumChildWindows.USER32(00000000,02D3BC11,00000000), ref: 02D3BCED

Strings

#32770, xrefs: 02D3BC85

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3D5D3, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 241

APIs

WSAStartup.WS2_32(00000202,?), ref: 02D3D5EC

Part of subcall function 02D369E4: HeapCreate.KERNELBASE(00040000,00400000,00000000,02D3D602), ref: 02D369F9

Part of subcall function 02D3D52E: OpenMutexW.KERNEL32(00100000,00000000,Global\pen3j3832h,?,02D3D60B), ref: 02D3D53C
Part of subcall function 02D3D52E: CloseHandle.KERNEL32(00000000), ref: 02D3D547

Part of subcall function 02D3BF5E: GetVersionExW.KERNEL32(02D446E0), ref: 02D3BF7F

Part of subcall function 02D3BF3E: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,02D44674,00000000), ref: 02D3BF56

Part of subcall function 02D36A58: HeapDestroy.KERNEL32(07860000,02D3D688,?,?), ref: 02D36A6A

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

Part of subcall function 02D37C47: InitializeCriticalSection.KERNEL32(00000420,00000438), ref: 02D37C94

Part of subcall function 02D385E4: DeleteCriticalSection.KERNEL32(07C587C8,02D3D5CA,07C59620,02D3D941,?,?,02D3BBAA), ref: 02D385E8

Part of subcall function 02D3327E: DeleteCriticalSection.KERNEL32(07C5B2BC,07C5AEF8,02D3D91D,?,?,02D3BBAA), ref: 02D332A7
Part of subcall function 02D3327E: DeleteCriticalSection.KERNEL32(07C5B288,?,?,02D3BBAA), ref: 02D332B0
Part of subcall function 02D3327E: DeleteCriticalSection.KERNEL32(07C5B2A0,?,?,02D3BBAA), ref: 02D332B9
Part of subcall function 02D3327E: DeleteCriticalSection.KERNEL32(07C5B2D4,?,?,02D3BBAA), ref: 02D332C2

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Part of subcall function 02D37F98: DeleteCriticalSection.KERNEL32(07C59A40,07C59620), ref: 02D37FCF

Part of subcall function 02D3322C: InitializeCriticalSection.KERNEL32(00000390), ref: 02D33254
Part of subcall function 02D3322C: InitializeCriticalSection.KERNEL32(000003A8), ref: 02D3325D
Part of subcall function 02D3322C: InitializeCriticalSection.KERNEL32(000003C4), ref: 02D33266
Part of subcall function 02D3322C: InitializeCriticalSection.KERNEL32(000003DC), ref: 02D3326F

Part of subcall function 02D3DF91: InitializeCriticalSection.KERNEL32(02D44838,00000000,07C59620,00000000,?,02D3D862,02D44688,?,?), ref: 02D3DF9D
Part of subcall function 02D3DF91: GetModuleHandleW.KERNEL32(ntdll.dll,RtlCreateUserThread), ref: 02D3E0E6
Part of subcall function 02D3DF91: GetProcAddress.KERNEL32(00000000), ref: 02D3E0EF
Part of subcall function 02D3DF91: GetModuleHandleW.KERNEL32(ntdll.dll,NtMapViewOfSection), ref: 02D3E100
Part of subcall function 02D3DF91: GetProcAddress.KERNEL32(00000000), ref: 02D3E103
Part of subcall function 02D3DF91: GetModuleHandleW.KERNEL32(ntdll.dll,ZwUnmapViewOfSection), ref: 02D3E114
Part of subcall function 02D3DF91: GetProcAddress.KERNEL32(00000000), ref: 02D3E117
Part of subcall function 02D3DF91: GetCurrentProcessId.KERNEL32 ref: 02D3E11E
Part of subcall function 02D3DF91: DeleteCriticalSection.KERNEL32(02D44838,?,02D3D862,02D44688,?,?), ref: 02D3E132

Part of subcall function 02D3529F: GetCurrentProcess.KERNEL32(00000020,?,07C59620,?,?), ref: 02D352AE
Part of subcall function 02D3529F: OpenProcessToken.ADVAPI32(00000000), ref: 02D352B5
Part of subcall function 02D3529F: LookupPrivilegeValueW.ADVAPI32(00000000), ref: 02D352D0
Part of subcall function 02D3529F: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 02D352ED
Part of subcall function 02D3529F: CloseHandle.KERNEL32(?), ref: 02D352F8

CreateThread.KERNEL32(00000000,00000000,02D3D37A,02D442D0,00000000,?), ref: 02D3D89A

Part of subcall function 02D3D552: CreateMutexW.KERNELBASE(02D44678,00000001,Global\pen3j3832h,02D3D8B5), ref: 02D3D55E

TerminateThread.KERNEL32(00000000), ref: 02D3D8C0

Part of subcall function 02D3E1B6: DeleteCriticalSection.KERNEL32(02D44838,02D3D90C,?,?,02D3BBAA), ref: 02D3E1BB

Strings

D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;WD)(A;;GA;;;RC)S:(ML;;NW;;;LW), xrefs: 02D3D659
Xn4, xrefs: 02D3D648, 02D3D668, 02D3D670
D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;WD)(A;;GA;;;RC)(A;;GA;;;AC)S:(ML;;NW;;;S-1-16-0), xrefs: 02D3D652

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3AE53, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122

APIs

GetTickCount.KERNEL32(76B32D8B,?,?,02D3B020,?,?,?,00000014,?), ref: 02D3AE88
GetTickCount.KERNEL32(?,?,?,?,?,?,02D3B020,?,?), ref: 02D3AEEC

Part of subcall function 02D3A8B0: select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 02D3A8F8
Part of subcall function 02D3A8B0: WSAGetLastError.WS2_32 ref: 02D3A903
Part of subcall function 02D3A8B0: recvfrom.WS2_32(00000102,?,00000080,00000000,?,02D3AF1F), ref: 02D3A91D

htons.WS2_32(00000101), ref: 02D3AF4D
htons.WS2_32(?), ref: 02D3AF80
GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,02D3B020,?,?), ref: 02D3AF91

Strings

d, xrefs: 02D3AE7E

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3A9F3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82

APIs

Part of subcall function 02D35939: GetAddrInfoW.WS2_32(757DC340,00000000,?,757DC340), ref: 02D35967
Part of subcall function 02D35939: FreeAddrInfoW.WS2_32(757DC340), ref: 02D35980

socket.WS2_32(00000002,00000001,00000000), ref: 02D3AA63
htons.WS2_32(00000050), ref: 02D3AA87
connect.WS2_32(00000000,?,00000010), ref: 02D3AA98
closesocket.WS2_32(00000000), ref: 02D3AAA1

Strings

google.com, xrefs: 02D3AA1C
microsoft.com, xrefs: 02D3AA26

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D38763, Relevance: 6.1, APIs: 4, Instructions: 78

APIs

CreateFileW.KERNEL32(02D3863B,80000000,00000000,00000000,00000003,00000000,00000000), ref: 02D3877C
GetFileSize.KERNEL32(00000000,00000000), ref: 02D38790
CloseHandle.KERNEL32(?), ref: 02D38811

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 02D387BD

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3AC8D, Relevance: 4.6, APIs: 3, Instructions: 84

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?,?,02D3B3DC,?,?,?), ref: 02D3AC9B
StrToIntW.SHLWAPI(?), ref: 02D3ACCC

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Part of subcall function 02D358CD: lstrlenW.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,02D3AD23,00000000,?,02D3B3DC,?,?), ref: 02D358DB
Part of subcall function 02D358CD: WideCharToMultiByte.KERNEL32(00000000,00000000,000000FF,00000000,00000D96,00000001,00000000,00000000,?), ref: 02D35912
Part of subcall function 02D358CD: inet_addr.WS2_32(00000D96), ref: 02D3591F

htons.WS2_32(00000D96), ref: 02D3AD40

Part of subcall function 02D35939: GetAddrInfoW.WS2_32(757DC340,00000000,?,757DC340), ref: 02D35967
Part of subcall function 02D35939: FreeAddrInfoW.WS2_32(757DC340), ref: 02D35980

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D38909, Relevance: 4.6, APIs: 3, Instructions: 73

APIs

Part of subcall function 02D38820: lstrlenA.KERNEL32(?,00000000,00000000,-00000006,?,?,?,?,?,02D3892D,?,-00000006,00000000,00000000,-00000006,02D38A02), ref: 02D3884A
Part of subcall function 02D38820: lstrlenA.KERNEL32(?,00000000,00000000,-00000006,?,?,?,?,?,02D3892D,?,-00000006,00000000,00000000,-00000006,02D38A02), ref: 02D38892

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

CreateFileW.KERNEL32(02D38A02,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02D3896F
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02D38989
CloseHandle.KERNEL32(00000000), ref: 02D389A0

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3AB46, Relevance: 4.5, APIs: 3, Instructions: 47

APIs

htons.WS2_32(?), ref: 02D3AB58

Part of subcall function 02D3A7D2: socket.WS2_32(00000002,00000002,00000000), ref: 02D3A7E1
Part of subcall function 02D3A7D2: bind.WS2_32(00000000,?,00000010), ref: 02D3A816
Part of subcall function 02D3A7D2: WSAGetLastError.WS2_32(?,?,?,?,?,02D3B391,?,00000000,?,?,?,?,?,?,02D3B4BB,00000000), ref: 02D3A821
Part of subcall function 02D3A7D2: closesocket.WS2_32(00000000), ref: 02D3A82A
Part of subcall function 02D3A7D2: WSASetLastError.WS2_32(00000000,?,?,?,?,?,02D3B391,?,00000000,?,?,?,?,?,?,02D3B4BB), ref: 02D3A831

htons.WS2_32(?), ref: 02D3AB79
htons.WS2_32(00000400), ref: 02D3AB9B

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D385FC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28

APIs

Part of subcall function 02D3858B: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D38594
Part of subcall function 02D3858B: StrStrIW.SHLWAPI(?,Roaming), ref: 02D385A0
Part of subcall function 02D3858B: lstrcpyW.KERNEL32(00000000,Local), ref: 02D385B0
Part of subcall function 02D3858B: lstrcatW.KERNEL32(?,02D3FC48), ref: 02D385BC
Part of subcall function 02D3858B: lstrlenW.KERNEL32(?), ref: 02D385C3

lstrcatW.KERNEL32(?,ne9bzef6m8.dll), ref: 02D38619

Part of subcall function 02D38C17: EnterCriticalSection.KERNEL32(-00000008,02D38628), ref: 02D38C1B

Part of subcall function 02D38763: CreateFileW.KERNEL32(02D3863B,80000000,00000000,00000000,00000003,00000000,00000000), ref: 02D3877C
Part of subcall function 02D38763: GetFileSize.KERNEL32(00000000,00000000), ref: 02D38790
Part of subcall function 02D38763: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 02D387BD
Part of subcall function 02D38763: CloseHandle.KERNEL32(?), ref: 02D38811

Part of subcall function 02D38C25: LeaveCriticalSection.KERNEL32(02D387F4,02D38B48,00000000,00000000,-00000006,00000006,?,02D38743,00000000,-00000006,00000000,?,?,?,00000000,00000000), ref: 02D38C29

Strings

ne9bzef6m8.dll, xrefs: 02D38611

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D389C2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26

APIs

Part of subcall function 02D3858B: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D38594
Part of subcall function 02D3858B: StrStrIW.SHLWAPI(?,Roaming), ref: 02D385A0
Part of subcall function 02D3858B: lstrcpyW.KERNEL32(00000000,Local), ref: 02D385B0
Part of subcall function 02D3858B: lstrcatW.KERNEL32(?,02D3FC48), ref: 02D385BC
Part of subcall function 02D3858B: lstrlenW.KERNEL32(?), ref: 02D385C3

lstrcatW.KERNEL32(?,ne9bzef6m8.dll), ref: 02D389DF

Part of subcall function 02D38C17: EnterCriticalSection.KERNEL32(-00000008,02D38628), ref: 02D38C1B

Part of subcall function 02D38909: CreateFileW.KERNEL32(02D38A02,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02D3896F
Part of subcall function 02D38909: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02D38989
Part of subcall function 02D38909: CloseHandle.KERNEL32(00000000), ref: 02D389A0

Part of subcall function 02D38C25: LeaveCriticalSection.KERNEL32(02D387F4,02D38B48,00000000,00000000,-00000006,00000006,?,02D38743,00000000,-00000006,00000000,?,?,?,00000000,00000000), ref: 02D38C29

Strings

ne9bzef6m8.dll, xrefs: 02D389D7

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3D552, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 8

APIs

CreateMutexW.KERNELBASE(02D44678,00000001,Global\pen3j3832h,02D3D8B5), ref: 02D3D55E

Strings

Global\pen3j3832h, xrefs: 02D3D552

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3B378, Relevance: 3.1, APIs: 2, Instructions: 65

APIs

Part of subcall function 02D3AB46: htons.WS2_32(?), ref: 02D3AB58
Part of subcall function 02D3AB46: htons.WS2_32(?), ref: 02D3AB79
Part of subcall function 02D3AB46: htons.WS2_32(00000400), ref: 02D3AB9B

WSAGetLastError.WS2_32(?,00000000,?,?,?,?,?,?,02D3B4BB,00000000,?,?,?), ref: 02D3B39B
closesocket.WS2_32(?), ref: 02D3B41D

Part of subcall function 02D3AC8D: lstrlenW.KERNEL32(00000000,00000000,?,?,?,02D3B3DC,?,?,?), ref: 02D3AC9B
Part of subcall function 02D3AC8D: StrToIntW.SHLWAPI(?), ref: 02D3ACCC
Part of subcall function 02D3AC8D: htons.WS2_32(00000D96), ref: 02D3AD40

Part of subcall function 02D3AFC9: htons.WS2_32(00000001), ref: 02D3AFF4
Part of subcall function 02D3AFC9: htons.WS2_32(?), ref: 02D3B045
Part of subcall function 02D3AFC9: Sleep.KERNEL32(0000012C), ref: 02D3B0BE
Part of subcall function 02D3AFC9: htons.WS2_32(00000003), ref: 02D3B122
Part of subcall function 02D3AFC9: htons.WS2_32(00000004), ref: 02D3B12A
Part of subcall function 02D3AFC9: htons.WS2_32(00000001), ref: 02D3B139
Part of subcall function 02D3AFC9: htons.WS2_32(00000008), ref: 02D3B141
Part of subcall function 02D3AFC9: htons.WS2_32(00000003), ref: 02D3B1A4
Part of subcall function 02D3AFC9: htons.WS2_32(00000004), ref: 02D3B1AC
Part of subcall function 02D3AFC9: htons.WS2_32(00000001), ref: 02D3B1BB
Part of subcall function 02D3AFC9: htons.WS2_32(00000008), ref: 02D3B1C3
Part of subcall function 02D3AFC9: Sleep.KERNEL32(00000190,?,?,?,0000001C,?,?,00000010), ref: 02D3B210
Part of subcall function 02D3AFC9: htons.WS2_32(00000001), ref: 02D3B220
Part of subcall function 02D3AFC9: htons.WS2_32(?), ref: 02D3B274
Part of subcall function 02D3AFC9: Sleep.KERNEL32(000001F4), ref: 02D3B2BD
Part of subcall function 02D3AFC9: htons.WS2_32(00000003), ref: 02D3B2CB
Part of subcall function 02D3AFC9: htons.WS2_32(00000004), ref: 02D3B2D3
Part of subcall function 02D3AFC9: htons.WS2_32(00000001), ref: 02D3B2E2
Part of subcall function 02D3AFC9: htons.WS2_32(00000008), ref: 02D3B2EA

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D373F2, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 35

APIs

Part of subcall function 02D372B6: GetVersionExW.KERNEL32(?,00000000,?), ref: 02D372D2
Part of subcall function 02D372B6: GetComputerNameA.KERNEL32(?,00000000), ref: 02D372FF
Part of subcall function 02D372B6: lstrlenA.KERNEL32(?), ref: 02D37321
Part of subcall function 02D372B6: lstrlenA.KERNEL32(?), ref: 02D37376
Part of subcall function 02D372B6: wsprintfA.USER32(-00000214,%s_W%d%d%d.%s,?,?,?,?,?), ref: 02D373AA

lstrlenA.KERNEL32(00000314,00000000,botid,00000314,00000080,00000000,00000000,?,02D37F13,00000438,00000000,?,02D37CA1), ref: 02D37428

Strings

botid, xrefs: 02D37404, 02D37409, 02D37434

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3C0C1, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33

APIs

wsprintfA.USER32(?,%d.%d.%d.%d,?,?,?,?,?,?,?,02D3D4D9,AUTOKILLOS,00000029,02D3CA42,?,0000029A,02D3D172), ref: 02D3C108

Strings

%d.%d.%d.%d, xrefs: 02D3C0FC

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D35939, Relevance: 3.0, APIs: 2, Instructions: 33

APIs

GetAddrInfoW.WS2_32(757DC340,00000000,?,757DC340), ref: 02D35967
FreeAddrInfoW.WS2_32(757DC340), ref: 02D35980

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3BCF8, Relevance: 3.0, APIs: 2, Instructions: 22

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000BC6B,00000000,00000000,?), ref: 02D3BD0F
CloseHandle.KERNEL32(00000000), ref: 02D3BD16

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 01EA04D1, Relevance: 1.6, APIs: 1, Instructions: 66

APIs

LoadLibraryA.KERNEL32(?), ref: 01EA0526

Memory Dump Source

Source File: 00000004.00000002.4866786961.01EA0000.00000040.sdmp, Offset: 01EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1ea0000_explorer.jbxd

Function 02D36D9C, Relevance: 1.5, APIs: 1, Instructions: 17

APIs

CreateThread.KERNEL32(00000000,00000000,02D36C58,?,00000000,00000000), ref: 02D36DB8

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3A842, Relevance: 1.5, APIs: 1, Instructions: 15

APIs

sendto.WS2_32(00000000,00000064,00000064,00000000,?,00000010), ref: 02D3A855

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D369E4, Relevance: 1.5, APIs: 1, Instructions: 14

APIs

HeapCreate.KERNELBASE(00040000,00400000,00000000,02D3D602), ref: 02D369F9

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 01EA0625, Relevance: 1.3, APIs: 1, Instructions: 9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,01EA03E0,?,00000000), ref: 01EA0634

Memory Dump Source

Source File: 00000004.00000002.4866786961.01EA0000.00000040.sdmp, Offset: 01EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1ea0000_explorer.jbxd

Non-executed Functions

Function 02D311C5, Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 284

APIs

WSAStartup.WS2_32(00000202,?), ref: 02D311E7
GetLastError.KERNEL32 ref: 02D311F1
WSACreateEvent.WS2_32 ref: 02D31200
CloseHandle.KERNEL32(?), ref: 02D3159A

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

shutdown.WS2_32(00000001,00000002), ref: 02D3124D
closesocket.WS2_32(00000001), ref: 02D31254
Sleep.KERNEL32(00003A98), ref: 02D3125F
WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000000), ref: 02D3126E
inet_addr.WS2_32(?), ref: 02D3128A
htons.WS2_32(?), ref: 02D31299
Sleep.KERNEL32(00003A98), ref: 02D312BB
WSAConnect.WS2_32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 02D312D4
WSASend.WS2_32 ref: 02D31371
WSAEventSelect.WS2_32(?,?,00000021), ref: 02D313A8
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,000000FF,00000000), ref: 02D313C5
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 02D313E3
WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 02D3141B

Part of subcall function 02D39BA0: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000620,00000000,?,?,?,02D37B5D,00000000), ref: 02D39BDB
Part of subcall function 02D39BA0: GetLastError.KERNEL32(?,?,?,02D37B5D,00000000), ref: 02D39BE1
Part of subcall function 02D39BA0: GetLastError.KERNEL32(?,?,?,02D37B5D,00000000), ref: 02D39BE7
Part of subcall function 02D39BA0: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000008,?,?,?,02D37B5D,00000000), ref: 02D39C01
Part of subcall function 02D39BA0: CryptImportKey.ADVAPI32(00000000,00000000,02D37B5D,00000000,00000000,02D37B5D,?,?,?,02D37B5D,00000000), ref: 02D39C1C
Part of subcall function 02D39BA0: CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000,?,?,?,02D37B5D,00000000), ref: 02D39C37
Part of subcall function 02D39BA0: CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,?,?,02D37B5D,00000000), ref: 02D39C49
Part of subcall function 02D39BA0: CryptVerifySignatureW.ADVAPI32(00000000,?,?,02D37B5D,00000000,00000000,?,?,?,02D37B5D,00000000), ref: 02D39C61
Part of subcall function 02D39BA0: CryptDestroyHash.ADVAPI32(00000000,?,?,?,02D37B5D,00000000), ref: 02D39C6C
Part of subcall function 02D39BA0: CryptDestroyKey.ADVAPI32(02D37B5D,?,?,?,02D37B5D,00000000), ref: 02D39C75
Part of subcall function 02D39BA0: CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,02D37B5D,00000000), ref: 02D39C7F

GetTickCount.KERNEL32(00000000,00000000,00000000), ref: 02D3150D
GetTickCount.KERNEL32 ref: 02D31512

Part of subcall function 02D31D74: WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000000), ref: 02D31D94
Part of subcall function 02D31D74: inet_addr.WS2_32(?), ref: 02D31DAE
Part of subcall function 02D31D74: htons.WS2_32(?), ref: 02D31DBC
Part of subcall function 02D31D74: WSAConnect.WS2_32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 02D31DD3
Part of subcall function 02D31D74: CreateThread.KERNEL32(00000000,00000000,02D3270A,00000000,00000000,00000000), ref: 02D31E03
Part of subcall function 02D31D74: SetThreadPriority.KERNEL32(00000000,00000002), ref: 02D31E13
Part of subcall function 02D31D74: WSASend.WS2_32(00000000,?,00000001,?,00000000,00000000,00000000), ref: 02D31E4C
Part of subcall function 02D31D74: WSAGetLastError.WS2_32 ref: 02D31E57
Part of subcall function 02D31D74: TerminateThread.KERNEL32(?,00000000), ref: 02D31E68
Part of subcall function 02D31D74: shutdown.WS2_32(?,00000002), ref: 02D31E76
Part of subcall function 02D31D74: closesocket.WS2_32(?), ref: 02D31E7F

Part of subcall function 02D31000: WSASend.WS2_32(0000054F,?,00000001,?,00000000,00000000,00000000), ref: 02D31064
Part of subcall function 02D31000: GetTickCount.KERNEL32 ref: 02D3107F
Part of subcall function 02D31000: WSAWaitForMultipleEvents.WS2_32(00000002,?,00000000,00003A98,00000000), ref: 02D3109E
Part of subcall function 02D31000: WSAEnumNetworkEvents.WS2_32(0000054F,00000001,?), ref: 02D310D0
Part of subcall function 02D31000: WSARecv.WS2_32(0000054F,?,00000001,?,?,00000000,00000000), ref: 02D3110C
Part of subcall function 02D31000: WaitForSingleObject.KERNEL32(?,00000010), ref: 02D31162
Part of subcall function 02D31000: WSAGetLastError.WS2_32 ref: 02D31198
Part of subcall function 02D31000: WSAGetLastError.WS2_32 ref: 02D311AE

WSAGetLastError.WS2_32 ref: 02D31439

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

shutdown.WS2_32(?,00000002), ref: 02D31561
closesocket.WS2_32(?), ref: 02D3156B
WSACloseEvent.WS2_32(?), ref: 02D31575

Strings

, xrefs: 02D31426

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D39BA0, Relevance: 16.6, APIs: 11, Instructions: 91

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000620,00000000,?,?,?,02D37B5D,00000000), ref: 02D39BDB
GetLastError.KERNEL32(?,?,?,02D37B5D,00000000), ref: 02D39BE1
GetLastError.KERNEL32(?,?,?,02D37B5D,00000000), ref: 02D39BE7
CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000008,?,?,?,02D37B5D,00000000), ref: 02D39C01
CryptImportKey.ADVAPI32(00000000,00000000,02D37B5D,00000000,00000000,02D37B5D,?,?,?,02D37B5D,00000000), ref: 02D39C1C
CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000,?,?,?,02D37B5D,00000000), ref: 02D39C37
CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,?,?,02D37B5D,00000000), ref: 02D39C49
CryptVerifySignatureW.ADVAPI32(00000000,?,?,02D37B5D,00000000,00000000,?,?,?,02D37B5D,00000000), ref: 02D39C61
CryptDestroyHash.ADVAPI32(00000000,?,?,?,02D37B5D,00000000), ref: 02D39C6C
CryptDestroyKey.ADVAPI32(02D37B5D,?,?,?,02D37B5D,00000000), ref: 02D39C75
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,02D37B5D,00000000), ref: 02D39C7F

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D35649, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 50

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D35664
Process32FirstW.KERNEL32(00000000,0000022C), ref: 02D35674
lstrcmpiW.KERNEL32(?,explorer.exe), ref: 02D3568E
OpenProcess.KERNEL32(00000400,00000000,?), ref: 02D356A4
Process32NextW.KERNEL32(00000000,0000022C), ref: 02D356B6
CloseHandle.KERNEL32(00000000), ref: 02D356C9
CloseHandle.KERNEL32(00000000), ref: 02D356D1

Strings

explorer.exe, xrefs: 02D35682

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D35770, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,02D3589B,00000000,00000000,00000000,00000000,?), ref: 02D35781

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

CreateEnvironmentBlock.USERENV(00000000,00000000,00000000), ref: 02D3580D
CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000420,00000000,00000000,00000044,?), ref: 02D3582C
CloseHandle.KERNEL32(?), ref: 02D35857
CloseHandle.KERNEL32(02D3E25F), ref: 02D3585C
DestroyEnvironmentBlock.USERENV(00000000), ref: 02D35868

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

D, xrefs: 02D357B9

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D35303, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 02D35312
OpenProcessToken.ADVAPI32(00000000), ref: 02D35319
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02D35334
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 02D35351
CloseHandle.KERNEL32(?), ref: 02D3535C

Strings

SeShutdownPrivilege, xrefs: 02D35327

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3DE9A, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 47

APIs

StrStrIW.SHLWAPI(?,chrome.exe), ref: 02D3DEB0
StrStrIW.SHLWAPI(?,firefox.exe), ref: 02D3DEBE
StrStrIW.SHLWAPI(?,iexplore.exe), ref: 02D3DECC

Part of subcall function 02D3DA57: EnterCriticalSection.KERNEL32(?,02D3E24E,00000000,00000000,00000001,?,00000000,?,?,00000001), ref: 02D3DA5B

Part of subcall function 02D3DA65: LeaveCriticalSection.KERNEL32(?,02D3E2BC,00000000,00000000,00000000,00000000,00000001,?,00000000,?,?,00000001), ref: 02D3DA69

Part of subcall function 02D3DD9B: OpenProcess.KERNEL32(0000043A,00000000,?,?,02D3DEF3,?,?,?,?,?,?,?,02D3CDA5,?,?), ref: 02D3DDB0

Strings

firefox.exe, xrefs: 02D3DEB6
iexplore.exe, xrefs: 02D3DEC4
chrome.exe, xrefs: 02D3DEA5

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3D97E, Relevance: 7.5, APIs: 5, Instructions: 44

APIs

UnmapViewOfFile.KERNEL32(?,00000000,?,02D3DE6F,00000000,?,02D3E1B1), ref: 02D3D98A
NtUnmapViewOfSection.NTDLL ref: 02D3D9A0
CloseHandle.KERNEL32(?), ref: 02D3D9B4
CloseHandle.KERNEL32(?), ref: 02D3D9BE
CloseHandle.KERNEL32(?), ref: 02D3D9CD

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D35A57, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 11

APIs

Part of subcall function 02D35303: GetCurrentProcess.KERNEL32(00000020,?), ref: 02D35312
Part of subcall function 02D35303: OpenProcessToken.ADVAPI32(00000000), ref: 02D35319
Part of subcall function 02D35303: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02D35334
Part of subcall function 02D35303: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 02D35351
Part of subcall function 02D35303: CloseHandle.KERNEL32(?), ref: 02D3535C

ShellExecuteW.SHELL32(00000000,open,C:\windows\system32\shutdown.exe,/r /f /t 5,00000000,00000000), ref: 02D35A70

Strings

/r /f /t 5, xrefs: 02D35A60
open, xrefs: 02D35A6A
C:\windows\system32\shutdown.exe, xrefs: 02D35A65

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3ABB6, Relevance: 6.0, APIs: 4, Instructions: 47

APIs

WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000000), ref: 02D3ABC9
htons.WS2_32(?), ref: 02D3ABF6
bind.WS2_32(00000000,?,00000010), ref: 02D3AC07
closesocket.WS2_32(00000000), ref: 02D3AC18

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3DAA9, Relevance: 1.5, APIs: 1, Instructions: 29

APIs

NtMapViewOfSection.NTDLL ref: 02D3DAD6

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D354CF, Relevance: 1.5, APIs: 1, Instructions: 12

APIs

GetLocalTime.KERNEL32(?), ref: 02D354D9

Part of subcall function 02D3547D: GetModuleHandleW.KERNEL32(ntdll.dll,RtlTimeToSecondsSince1970,?,02D354E8,?), ref: 02D3549D
Part of subcall function 02D3547D: GetProcAddress.KERNEL32(00000000,?,02D354E8,?), ref: 02D354A4
Part of subcall function 02D3547D: SystemTimeToFileTime.KERNEL32(02D354E8,?,?,02D354E8,?), ref: 02D354B6

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3270A, Relevance: 56.5, APIs: 28, Strings: 4, Instructions: 483

APIs

WSACreateEvent.WS2_32 ref: 02D32744
WSAEventSelect.WS2_32(?,?,00000023), ref: 02D3275C
WSAWaitForMultipleEvents.WS2_32(00000003,?,00000000,00001388,00000000), ref: 02D327F8
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 02D32822
WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 02D32861
WSAGetLastError.WS2_32 ref: 02D32880
GetTickCount.KERNEL32 ref: 02D32895
WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 02D3290C
WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 02D3295E
GetTickCount.KERNEL32 ref: 02D3296F
wsprintfW.USER32 ref: 02D329A9
WSAGetLastError.WS2_32 ref: 02D329BC

Part of subcall function 02D32615: wsprintfW.USER32 ref: 02D32675

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D32A88
CreateThread.KERNEL32(00000000,00000000,02D32D35,00000000,00000000,00000000), ref: 02D32AE1
CloseHandle.KERNEL32(00000000), ref: 02D32AE8

Part of subcall function 02D324D0: EnterCriticalSection.KERNEL32(?,?,00000001,?,02D323C0,?,?,?), ref: 02D324D8
Part of subcall function 02D324D0: SetEvent.KERNEL32(?,?,02D323C0,?,?,?), ref: 02D32522
Part of subcall function 02D324D0: LeaveCriticalSection.KERNEL32(?,?,02D323C0,?,?,?), ref: 02D32529

Part of subcall function 02D32535: EnterCriticalSection.KERNEL32(?,?,?,02D32353,?), ref: 02D3253C
Part of subcall function 02D32535: ResetEvent.KERNEL32(?,02D32353,?), ref: 02D325AB
Part of subcall function 02D32535: LeaveCriticalSection.KERNEL32(?,02D32353,?), ref: 02D325B2

wsprintfW.USER32 ref: 02D32B79
ResetEvent.KERNEL32(00010000), ref: 02D32BC1

Part of subcall function 02D325BF: EnterCriticalSection.KERNEL32(?,?,02D32341), ref: 02D325C4
Part of subcall function 02D325BF: ResetEvent.KERNEL32(?), ref: 02D325D3
Part of subcall function 02D325BF: LeaveCriticalSection.KERNEL32(?), ref: 02D325DC

WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 02D32C0E
GetTickCount.KERNEL32 ref: 02D32C2F
WSAGetLastError.WS2_32 ref: 02D32C40
WSAGetLastError.WS2_32 ref: 02D32C5A

Part of subcall function 02D31D5B: EnterCriticalSection.KERNEL32(?,02D31C1E), ref: 02D31D5F

SetEvent.KERNEL32(?), ref: 02D32C87

Part of subcall function 02D31D69: LeaveCriticalSection.KERNEL32(?,02D31C4F,00000000), ref: 02D31D6D

Sleep.KERNEL32(00000010), ref: 02D32CA4
WSACloseEvent.WS2_32(?), ref: 02D32CC6
shutdown.WS2_32(?,00000002), ref: 02D32CD6
closesocket.WS2_32(?), ref: 02D32CE0
shutdown.WS2_32(?,00000002), ref: 02D32CE7
closesocket.WS2_32(?), ref: 02D32CEC

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Part of subcall function 02D32443: DeleteCriticalSection.KERNEL32(?,76B3449D,02D32D08), ref: 02D32447
Part of subcall function 02D32443: CloseHandle.KERNEL32(?), ref: 02D32450

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

Part of subcall function 02D32424: InitializeCriticalSection.KERNEL32(00000000,02D3277E), ref: 02D32425
Part of subcall function 02D32424: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D32433

Part of subcall function 02D31BB3: InitializeCriticalSection.KERNEL32(00000018,?,02D32732), ref: 02D31BC5

Strings

ServerWorkerThread: [--INFO--] LoadData failed. size = %d, xrefs: 02D32B73
mBLuH)Ku, xrefs: 02D329A9, 02D32B79
, xrefs: 02D32B92
ServerWorkerThread: [--INFO--] received = %d, total = %d, xrefs: 02D329A3

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3BE22, Relevance: 28.1, APIs: 5, Strings: 11, Instructions: 68

APIs

wsprintfW.USER32 ref: 02D3BE4B
ShellExecuteW.SHELL32(00000000,open,net,?,00000000,00000000), ref: 02D3BE6C
Sleep.KERNEL32(00003A98), ref: 02D3BE73
wsprintfW.USER32 ref: 02D3BE86
ShellExecuteW.SHELL32(00000000,open,net,?,00000000,00000000), ref: 02D3BEA1

Part of subcall function 02D3BD76: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000004,?), ref: 02D3BD94
Part of subcall function 02D3BD76: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 02D3BDBB
Part of subcall function 02D3BD76: RegCloseKey.ADVAPI32(?), ref: 02D3BDCF
Part of subcall function 02D3BD76: RegCloseKey.ADVAPI32(?), ref: 02D3BDD4

Part of subcall function 02D3BD27: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000002,?,?,?,?,?,02D3BDEE,SYSTEM\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,?,02D3D4F2,AUTOKILLOS,00000029), ref: 02D3BD44
Part of subcall function 02D3BD27: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,?,02D3BDEE,SYSTEM\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,?,02D3D4F2,AUTOKILLOS), ref: 02D3BD5D
Part of subcall function 02D3BD27: RegCloseKey.ADVAPI32(?,?,?,?,?,02D3BDEE,SYSTEM\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,?,02D3D4F2,AUTOKILLOS,00000029,02D3CA42,?,0000029A,02D3D172), ref: 02D3BD6B

Strings

Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts, xrefs: 02D3BEBD
open, xrefs: 02D3BE66, 02D3BE9B
Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 02D3BEA8
SpecialAccounts, xrefs: 02D3BEA3
localgroup Administrators %s /add, xrefs: 02D3BE80
user %s %s /add, xrefs: 02D3BE45
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, xrefs: 02D3BECE
net, xrefs: 02D3BE61, 02D3BE96
UserList, xrefs: 02D3BEB8
lname0, xrefs: 02D3BE39, 02D3BE3E, 02D3BE79, 02D3BECD
1qazxsw2, xrefs: 02D3BE34

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D32014, Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 336

APIs

WSACreateEvent.WS2_32 ref: 02D32029
WSAGetLastError.WS2_32 ref: 02D32038

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

WSAEventSelect.WS2_32(?,?,00000023), ref: 02D320A5
WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 02D32194
WSAGetLastError.WS2_32 ref: 02D321C8
WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,00000BB8,00000001), ref: 02D321F2
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 02D32222
WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 02D32268
WSAGetLastError.WS2_32 ref: 02D322A1
WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 02D322E2

Part of subcall function 02D325BF: EnterCriticalSection.KERNEL32(?,?,02D32341), ref: 02D325C4
Part of subcall function 02D325BF: ResetEvent.KERNEL32(?), ref: 02D325D3
Part of subcall function 02D325BF: LeaveCriticalSection.KERNEL32(?), ref: 02D325DC

Part of subcall function 02D32535: EnterCriticalSection.KERNEL32(?,?,?,02D32353,?), ref: 02D3253C
Part of subcall function 02D32535: ResetEvent.KERNEL32(?,02D32353,?), ref: 02D325AB
Part of subcall function 02D32535: LeaveCriticalSection.KERNEL32(?,02D32353,?), ref: 02D325B2

WSAGetLastError.WS2_32 ref: 02D32390

Part of subcall function 02D324D0: EnterCriticalSection.KERNEL32(?,?,00000001,?,02D323C0,?,?,?), ref: 02D324D8
Part of subcall function 02D324D0: SetEvent.KERNEL32(?,?,02D323C0,?,?,?), ref: 02D32522
Part of subcall function 02D324D0: LeaveCriticalSection.KERNEL32(?,?,02D323C0,?,?,?), ref: 02D32529

shutdown.WS2_32(?,00000000), ref: 02D323C4
closesocket.WS2_32(?), ref: 02D323CD
WSACloseEvent.WS2_32(?), ref: 02D323DF

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

, xrefs: 02D32315

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D363D1, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 157

APIs

Part of subcall function 02D3634C: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 02D3635D
Part of subcall function 02D3634C: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02D36386
Part of subcall function 02D3634C: GetLastError.KERNEL32(?,02D363E2), ref: 02D36393
Part of subcall function 02D3634C: InternetCloseHandle.WININET(?), ref: 02D3639E
Part of subcall function 02D3634C: SetLastError.KERNEL32(00000000,?,02D363E2), ref: 02D363A5

GetLastError.KERNEL32 ref: 02D363E6
HttpOpenRequestA.WININET(?,POST,?,00000000,00000000,00000000,04803000,00000000), ref: 02D3643F
InternetCloseHandle.WININET(?), ref: 02D365BD

Part of subcall function 02D35F55: InternetQueryOptionW.WININET(?,0000001F,?,?), ref: 02D35F6E
Part of subcall function 02D35F55: InternetSetOptionW.WININET(00000004,0000001F,00000380,00000004), ref: 02D35F86

Part of subcall function 02D35F91: InternetSetOptionW.WININET(?,00000002,?,00000004), ref: 02D35FB0
Part of subcall function 02D35F91: InternetSetOptionW.WININET(?,00000005,?,00000004), ref: 02D35FC0
Part of subcall function 02D35F91: InternetSetOptionW.WININET(?,00000006,?,00000004), ref: 02D35FD0

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

Part of subcall function 02D3620C: wsprintfA.USER32(?,02D3F72C,?,00001000,Content-Length: ), ref: 02D3625A

GetLastError.KERNEL32 ref: 02D3648D
lstrlenA.KERNEL32(00000000,20000000), ref: 02D3649E
HttpAddRequestHeadersA.WININET(?,00000000), ref: 02D364A9
GetLastError.KERNEL32 ref: 02D364B3

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Part of subcall function 02D3627F: HttpSendRequestExW.WININET(?,?,00000000,00000000,00000000), ref: 02D362B8
Part of subcall function 02D3627F: InternetWriteFile.WININET(?,?,00000400,?), ref: 02D362F3
Part of subcall function 02D3627F: HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 02D3630F

GetLastError.KERNEL32 ref: 02D364EA
InternetCloseHandle.WININET(?), ref: 02D364F5
InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 02D3650E
InternetReadFile.WININET(?,00000000,?,00800000), ref: 02D36536
InternetReadFile.WININET(?,?,?,00800000), ref: 02D36565
HttpQueryInfoW.WININET(?,00000013,?,?,00000000), ref: 02D3659D
StrToIntW.SHLWAPI(?), ref: 02D365AE

Strings

POST, xrefs: 02D36437

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D33F65, Relevance: 26.3, APIs: 2, Strings: 13, Instructions: 84

APIs

GetVersionExW.KERNEL32(?), ref: 02D33F98
wsprintfA.USER32(?,/%s/%s/0/%s/%d/%s/,?,?,?,00000464,?), ref: 02D34068

Strings

Win_7, xrefs: 02D33FB3
Win_XP, xrefs: 02D33FCF
Win_7_SP1, xrefs: 02D33FC1
Win_Vista_SP1, xrefs: 02D34023
Win_8.1, xrefs: 02D33FEB
_32bit, xrefs: 02D3403F
Win_Vista, xrefs: 02D34015
empty, xrefs: 02D33F70
Win_Vista_SP2, xrefs: 02D34007
unknown, xrefs: 02D3402A
/%s/%s/0/%s/%d/%s/, xrefs: 02D34060
Win_8, xrefs: 02D33FDD
Win_Server_2003, xrefs: 02D33FF9

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3DF91, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 157

APIs

InitializeCriticalSection.KERNEL32(02D44838,00000000,07C59620,00000000,?,02D3D862,02D44688,?,?), ref: 02D3DF9D

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Part of subcall function 02D35160: QueryPerformanceCounter.KERNEL32(00000000,000000FA,000000FA,?,02D35A48,00000000,?,02D35CC4,00000000,00000030,00000000,000000FA), ref: 02D35169

GetModuleHandleW.KERNEL32(ntdll.dll,RtlCreateUserThread), ref: 02D3E0E6
GetProcAddress.KERNEL32(00000000), ref: 02D3E0EF
GetModuleHandleW.KERNEL32(ntdll.dll,NtMapViewOfSection), ref: 02D3E100
GetProcAddress.KERNEL32(00000000), ref: 02D3E103
GetModuleHandleW.KERNEL32(ntdll.dll,ZwUnmapViewOfSection), ref: 02D3E114
GetProcAddress.KERNEL32(00000000), ref: 02D3E117
GetCurrentProcessId.KERNEL32 ref: 02D3E11E
DeleteCriticalSection.KERNEL32(02D44838,?,02D3D862,02D44688,?,?), ref: 02D3E132

Strings

ntdll.dll, xrefs: 02D3E0E1, 02D3E0F6, 02D3E10A
NtMapViewOfSection, xrefs: 02D3E0F1
ZwUnmapViewOfSection, xrefs: 02D3E105
RtlCreateUserThread, xrefs: 02D3E0DC

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3673A, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 128

APIs

Part of subcall function 02D3634C: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 02D3635D
Part of subcall function 02D3634C: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02D36386
Part of subcall function 02D3634C: GetLastError.KERNEL32(?,02D363E2), ref: 02D36393
Part of subcall function 02D3634C: InternetCloseHandle.WININET(?), ref: 02D3639E
Part of subcall function 02D3634C: SetLastError.KERNEL32(00000000,?,02D363E2), ref: 02D363A5

GetLastError.KERNEL32 ref: 02D36758
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,00000000,04803000,00000000), ref: 02D367A8
StrToIntW.SHLWAPI(?), ref: 02D368A2

Part of subcall function 02D35F55: InternetQueryOptionW.WININET(?,0000001F,?,?), ref: 02D35F6E
Part of subcall function 02D35F55: InternetSetOptionW.WININET(00000004,0000001F,00000380,00000004), ref: 02D35F86

Part of subcall function 02D35F91: InternetSetOptionW.WININET(?,00000002,?,00000004), ref: 02D35FB0
Part of subcall function 02D35F91: InternetSetOptionW.WININET(?,00000005,?,00000004), ref: 02D35FC0
Part of subcall function 02D35F91: InternetSetOptionW.WININET(?,00000006,?,00000004), ref: 02D35FD0

HttpSendRequestA.WININET(?,00000000,00000000,00000000,00000000), ref: 02D367D4
GetLastError.KERNEL32 ref: 02D367DE
InternetCloseHandle.WININET(?), ref: 02D367E9
InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 02D36802
InternetCloseHandle.WININET(?), ref: 02D368B1

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

InternetReadFile.WININET(?,00000000,?,?), ref: 02D3682A
InternetReadFile.WININET(?,?,?,?), ref: 02D36859

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

HttpQueryInfoW.WININET(?,00000013,?,?,00000000), ref: 02D36891

Strings

GET, xrefs: 02D367A0

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3C46C, Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 138

APIs

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

lstrlenW.KERNEL32(==General==), ref: 02D3C4A8

Part of subcall function 02D3C33B: lstrcpyW.KERNEL32(00000000,no CPU info), ref: 02D3C350

lstrlenW.KERNEL32(00000000), ref: 02D3C4C6
lstrlenW.KERNEL32(==Users==), ref: 02D3C4EF

Part of subcall function 02D3C35A: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 02D3C3A2
Part of subcall function 02D3C35A: lstrlenW.KERNEL32(?), ref: 02D3C3C9
Part of subcall function 02D3C35A: NetApiBufferFree.NETAPI32(?), ref: 02D3C3FB
Part of subcall function 02D3C35A: NetApiBufferFree.NETAPI32(?), ref: 02D3C418
Part of subcall function 02D3C35A: lstrlenW.KERNEL32(no users info), ref: 02D3C429

lstrlenW.KERNEL32(00000000), ref: 02D3C50E

Part of subcall function 02D3B6BC: lstrlenW.KERNEL32(?,?,?), ref: 02D3B6DE
Part of subcall function 02D3B6BC: lstrlenW.KERNEL32(DisplayName), ref: 02D3B715

lstrlenW.KERNEL32(==Programs==), ref: 02D3C55C
lstrlenW.KERNEL32(==Services==), ref: 02D3C5A2

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Part of subcall function 02D3B79E: RegOpenKeyW.ADVAPI32(?,?,?), ref: 02D3B7AF
Part of subcall function 02D3B79E: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 02D3B800

Strings

==General==, xrefs: 02D3C49E, 02D3C4A3, 02D3C4AA
==Users==, xrefs: 02D3C4E9, 02D3C4EE, 02D3C4F1
==Programs==, xrefs: 02D3C552, 02D3C557, 02D3C55E
generalinfo, xrefs: 02D3C5CF
==Services==, xrefs: 02D3C598, 02D3C59D, 02D3C5A4
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 02D3C532
SYSTEM\CurrentControlSet\services, xrefs: 02D3C578

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D36A71, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 76

APIs

CreateFileW.KERNEL32(\\.\pipe\1ef4d32we,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 02D36A95
Sleep.KERNEL32(00000032,?,02D381E4,?,00000100,00000100,?), ref: 02D36AA7
WriteFile.KERNEL32(00000000,00000100,00000114,?,00000000), ref: 02D36AC7
CloseHandle.KERNEL32(00000000), ref: 02D36AD2
GetTickCount.KERNEL32(?,02D381E4,?,00000100,00000100,?), ref: 02D36AE6
GetTickCount.KERNEL32(?,02D381E4,?,00000100,00000100,?), ref: 02D36AF2
Sleep.KERNEL32(00000010,?,02D381E4,?,00000100,00000100,?), ref: 02D36B00
ReadFile.KERNEL32(00000100,00000100,00000400,?,00000000), ref: 02D36B12
CloseHandle.KERNEL32(00000100), ref: 02D36B23

Strings

@, xrefs: 02D36AAC
\\.\pipe\1ef4d32we, xrefs: 02D36A90

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D31D74, Relevance: 16.6, APIs: 11, Instructions: 102

APIs

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000000), ref: 02D31D94
inet_addr.WS2_32(?), ref: 02D31DAE
htons.WS2_32(?), ref: 02D31DBC
WSAConnect.WS2_32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 02D31DD3
CreateThread.KERNEL32(00000000,00000000,02D3270A,00000000,00000000,00000000), ref: 02D31E03
SetThreadPriority.KERNEL32(00000000,00000002), ref: 02D31E13
WSASend.WS2_32(00000000,?,00000001,?,00000000,00000000,00000000), ref: 02D31E4C
WSAGetLastError.WS2_32 ref: 02D31E57
TerminateThread.KERNEL32(?,00000000), ref: 02D31E68
shutdown.WS2_32(?,00000002), ref: 02D31E76
closesocket.WS2_32(?), ref: 02D31E7F

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3CC6E, Relevance: 16.6, APIs: 4, Strings: 7, Instructions: 68

APIs

lstrcmpA.KERNEL32(?,AUTOBACKCONN), ref: 02D3CC8D
lstrcmpA.KERNEL32(?,I2P_EVENT), ref: 02D3CCE1
lstrcmpA.KERNEL32(?,I2P_NODESTAT), ref: 02D3CD02
lstrcmpA.KERNEL32(?,malware), ref: 02D3CD24

Part of subcall function 02D338EF: lstrlenA.KERNEL32(?,00000000,00000000,?,?,02D3C794,?,m_i2p32,?), ref: 02D33900
Part of subcall function 02D338EF: lstrlenA.KERNEL32(02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33907
Part of subcall function 02D338EF: wsprintfA.USER32(00000000,%s/%s/0,?,02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33926

Part of subcall function 02D3C094: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 02D3C0AC
Part of subcall function 02D3C094: CloseHandle.KERNEL32(00000000), ref: 02D3C0B7

Strings

malware, xrefs: 02D3CD1B, 02D3CD20, 02D3CD2D
I2P_EVENT, xrefs: 02D3CCD9
I2P_NODESTAT, xrefs: 02D3CCFA
i2p stat, xrefs: 02D3CD0B
TRUE, xrefs: 02D3CC9E
i2p, xrefs: 02D3CCEA
AUTOBACKCONN, xrefs: 02D3CC85

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D31000, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 143

APIs

WSASend.WS2_32(0000054F,?,00000001,?,00000000,00000000,00000000), ref: 02D31064
GetTickCount.KERNEL32 ref: 02D3107F
WSAWaitForMultipleEvents.WS2_32(00000002,?,00000000,00003A98,00000000), ref: 02D3109E
WSAEnumNetworkEvents.WS2_32(0000054F,00000001,?), ref: 02D310D0
WSARecv.WS2_32(0000054F,?,00000001,?,?,00000000,00000000), ref: 02D3110C
WaitForSingleObject.KERNEL32(?,00000010), ref: 02D31162
WSAGetLastError.WS2_32 ref: 02D31198
WSAGetLastError.WS2_32 ref: 02D311AE

Strings

, xrefs: 02D31140

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3B524, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83

APIs

InternetOpenA.WININET(02D3F2D8,00000000,00000000,00000000,00000000), ref: 02D3B53E
InternetOpenUrlA.WININET(00000000,http://icanhazip.com,00000000,00000000,00000000,00000000), ref: 02D3B559
InternetReadFile.WININET(00000000,?,00000418,?), ref: 02D3B58F
inet_addr.WS2_32(?), ref: 02D3B5B6
InternetCloseHandle.WININET(00000000), ref: 02D3B5F0
InternetCloseHandle.WININET(?), ref: 02D3B5F9

Strings

http://icanhazip.com, xrefs: 02D3B553

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D372B6, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81

APIs

GetVersionExW.KERNEL32(?,00000000,?), ref: 02D372D2

Part of subcall function 02D3720C: lstrlenA.KERNEL32(?,?), ref: 02D37233
Part of subcall function 02D3720C: wsprintfA.USER32(02D372E4,%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D372A7

GetComputerNameA.KERNEL32(?,00000000), ref: 02D372FF
lstrlenA.KERNEL32(?), ref: 02D37321
lstrlenA.KERNEL32(?), ref: 02D37376
wsprintfA.USER32(-00000214,%s_W%d%d%d.%s,?,?,?,?,?), ref: 02D373AA

Strings

C, xrefs: 02D37309
%s_W%d%d%d.%s, xrefs: 02D373A4

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3858B, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 23

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D38594
StrStrIW.SHLWAPI(?,Roaming), ref: 02D385A0
lstrcpyW.KERNEL32(00000000,Local), ref: 02D385B0
lstrcatW.KERNEL32(?,02D3FC48), ref: 02D385BC
lstrlenW.KERNEL32(?), ref: 02D385C3

Strings

Roaming, xrefs: 02D3859A
Local, xrefs: 02D385AA

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D33444, Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 99

APIs

lstrlenA.KERNEL32(?,?,?), ref: 02D33455
lstrcmpiA.KERNEL32(?,.b32.i2p:443), ref: 02D3346E

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

Part of subcall function 02D338EF: lstrlenA.KERNEL32(?,00000000,00000000,?,?,02D3C794,?,m_i2p32,?), ref: 02D33900
Part of subcall function 02D338EF: lstrlenA.KERNEL32(02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33907
Part of subcall function 02D338EF: wsprintfA.USER32(00000000,%s/%s/0,?,02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33926

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

resolve failed , xrefs: 02D334CD
:443, xrefs: 02D3351A
no response from module, xrefs: 02D3354A
i2p, xrefs: 02D3354F
.b32.i2p:443, xrefs: 02D33464
success resolved b32-address, xrefs: 02D3352F

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D319D5, Relevance: 10.7, APIs: 7, Instructions: 156

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 02D31A01
WSAConnect.WS2_32(000000FF,?,00000010,00000000,00000000,00000000,00000000), ref: 02D31A50
closesocket.WS2_32(000000FF), ref: 02D31A5E
getsockname.WS2_32(000000FF,?,?), ref: 02D31A98
socket.WS2_32(00000002,00000001,00000006), ref: 02D31AC2

Part of subcall function 02D3598B: MultiByteToWideChar.KERNEL32(00000000,00000000,02D31B24,000000FF,?,00000100), ref: 02D359AA

WSAConnect.WS2_32(000000FF,?,00000010,00000000,00000000,00000000,00000000), ref: 02D31B4B
getsockname.WS2_32(000000FF,?,?), ref: 02D31B81

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3C35A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105

APIs

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 02D3C3A2
lstrlenW.KERNEL32(?), ref: 02D3C3C9
NetApiBufferFree.NETAPI32(?), ref: 02D3C3FB
NetApiBufferFree.NETAPI32(?), ref: 02D3C418
lstrlenW.KERNEL32(no users info), ref: 02D3C429

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

no users info, xrefs: 02D3C423, 02D3C428, 02D3C42F

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D315AD, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72

APIs

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

lstrlenA.KERNEL32(?), ref: 02D315C5
CreateEventA.KERNEL32(00000000,00000001,00000000,02D3F2D8), ref: 02D315F1
CreateThread.KERNEL32(00000000,00000000,Function_000011C5,00000000,00000000,?), ref: 02D3164F
CloseHandle.KERNEL32(?), ref: 02D3165C
CloseHandle.KERNEL32(00000000), ref: 02D31667

Strings

8 , xrefs: 02D31608

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3C7A7, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72

APIs

GetTickCount.KERNEL32 ref: 02D3C7D3
Sleep.KERNEL32(00000BB8), ref: 02D3C7F1
GetTickCount.KERNEL32 ref: 02D3C832

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Part of subcall function 02D338EF: lstrlenA.KERNEL32(?,00000000,00000000,?,?,02D3C794,?,m_i2p32,?), ref: 02D33900
Part of subcall function 02D338EF: lstrlenA.KERNEL32(02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33907
Part of subcall function 02D338EF: wsprintfA.USER32(00000000,%s/%s/0,?,02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33926

Strings

cannot get config, xrefs: 02D3C85C
start fail, xrefs: 02D3C88C
backconn, xrefs: 02D3C861, 02D3C891

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3634C, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 02D3635D

Part of subcall function 02D35F91: InternetSetOptionW.WININET(?,00000002,?,00000004), ref: 02D35FB0
Part of subcall function 02D35F91: InternetSetOptionW.WININET(?,00000005,?,00000004), ref: 02D35FC0
Part of subcall function 02D35F91: InternetSetOptionW.WININET(?,00000006,?,00000004), ref: 02D35FD0

InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02D36386
GetLastError.KERNEL32(?,02D363E2), ref: 02D36393
InternetCloseHandle.WININET(?), ref: 02D3639E
SetLastError.KERNEL32(00000000,?,02D363E2), ref: 02D363A5

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko, xrefs: 02D36358

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3CDAA, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 101

APIs

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Part of subcall function 02D3BA3D: CloseHandle.KERNEL32(00000001), ref: 02D3BA74

wsprintfA.USER32(?,02D3F72C,?), ref: 02D3CEBE

Part of subcall function 02D338EF: lstrlenA.KERNEL32(?,00000000,00000000,?,?,02D3C794,?,m_i2p32,?), ref: 02D33900
Part of subcall function 02D338EF: lstrlenA.KERNEL32(02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33907
Part of subcall function 02D338EF: wsprintfA.USER32(00000000,%s/%s/0,?,02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33926

Part of subcall function 02D3B9B6: GetExitCodeProcess.KERNEL32(?,?), ref: 02D3B9CC
Part of subcall function 02D3B9B6: CloseHandle.KERNEL32(?), ref: 02D3B9E2

Strings

none, xrefs: 02D3CDCC
vnc32, xrefs: 02D3CE09
tv32, xrefs: 02D3CE23
cannot get, xrefs: 02D3CE4F
VNC, xrefs: 02D3CDD8

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D36B38, Relevance: 9.1, APIs: 6, Instructions: 96

APIs

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

GetLastError.KERNEL32 ref: 02D36B85
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02D36BCA
ReadFile.KERNEL32(?,?,02000000,?,00000000), ref: 02D36BE7

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

FlushFileBuffers.KERNEL32(?), ref: 02D36C05
DisconnectNamedPipe.KERNEL32(?), ref: 02D36C0D
CloseHandle.KERNEL32(?), ref: 02D36C15

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D34EA1, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 83

APIs

lstrlenA.KERNEL32(00000540,00000000,?,00000000,?,?,?,02D330DB,?,?,00000000,?,00000000,00000000), ref: 02D34EC5
lstrlenA.KERNEL32(00000644,?,?,?,02D330DB,?,?,00000000,?,00000000,00000000,?,?,?,02D331B9,0000000E), ref: 02D34ECA
lstrlenA.KERNEL32(00000440,?,?,?,02D330DB,?,?,00000000,?,00000000,00000000,?,?,?,02D331B9,0000000E), ref: 02D34ED5
lstrlenA.KERNEL32(02D3393A,?,?,?,02D330DB,?,?,00000000,?,00000000,00000000,?,?,?,02D331B9,0000000E), ref: 02D34EDC

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

wsprintfA.USER32(00000000,/%s/%s/%d/%s/%s/,00000540,00000440,0000000E,02D3393A,00000644,?,?,?,02D330DB,?,?,00000000,?,00000000), ref: 02D34F14

Part of subcall function 02D3614C: CloseHandle.KERNEL32(?), ref: 02D3619B
Part of subcall function 02D3614C: CloseHandle.KERNEL32(?), ref: 02D361A3
Part of subcall function 02D3614C: CloseHandle.KERNEL32(?), ref: 02D361AB

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

/%s/%s/%d/%s/%s/, xrefs: 02D34F0E

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D35E13, Relevance: 9.1, APIs: 6, Instructions: 74

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,02D35E0A,00000001,?,00000114,?,?,02D350CD,00000038,00000114), ref: 02D35E3F
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,02D35E0A,00000001,?,00000114,?,?,02D350CD,00000038,00000114,?,00000001), ref: 02D35E56
CloseHandle.KERNEL32(00000000), ref: 02D35E63
lstrlenA.KERNEL32(00000114,00000080,00000001,?,02D35E0A,00000001,?,00000114,?,?,02D350CD,00000038,00000114,?,00000001,?), ref: 02D35E95

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

CloseHandle.KERNEL32(?), ref: 02D35ED7

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

CloseHandle.KERNEL32(?), ref: 02D35ECF

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3D1E1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 60

APIs

Part of subcall function 02D3C118: GetTickCount.KERNEL32 ref: 02D3C126
Part of subcall function 02D3C118: GetTickCount.KERNEL32 ref: 02D3C1C9

GetTickCount.KERNEL32(AUTOBACKCONN), ref: 02D3D238

Part of subcall function 02D35289: GetCurrentProcess.KERNEL32(?), ref: 02D3528F

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000200,00000000,00000000,AUTOBACKCONN), ref: 02D3D271

Part of subcall function 02D3C63F: CreateThread.KERNEL32(00000000,00000000,Function_0000C617,?,00000000,?), ref: 02D3C664
Part of subcall function 02D3C63F: CloseHandle.KERNEL32(00000000), ref: 02D3C671

Part of subcall function 02D3C1DB: GetTickCount.KERNEL32 ref: 02D3C1FA
Part of subcall function 02D3C1DB: GetTickCount.KERNEL32 ref: 02D3C24A

Part of subcall function 02D3C682: GetVersionExW.KERNEL32(?,?), ref: 02D3C6A1
Part of subcall function 02D3C682: wsprintfA.USER32(?,02D3F72C,?), ref: 02D3C777

Part of subcall function 02D34E1B: lstrlenA.KERNEL32(?,?), ref: 02D34E34
Part of subcall function 02D34E1B: lstrlenA.KERNEL32(?), ref: 02D34E3B
Part of subcall function 02D34E1B: wsprintfA.USER32(00000000,%s/%s/0,?,?), ref: 02D34E5A

Part of subcall function 02D3C094: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 02D3C0AC
Part of subcall function 02D3C094: CloseHandle.KERNEL32(00000000), ref: 02D3C0B7

Strings

NAT, xrefs: 02D3D227
user, xrefs: 02D3D282
AUTOBACKCONN, xrefs: 02D3D1F9

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3547D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlTimeToSecondsSince1970,?,02D354E8,?), ref: 02D3549D
GetProcAddress.KERNEL32(00000000,?,02D354E8,?), ref: 02D354A4
SystemTimeToFileTime.KERNEL32(02D354E8,?,?,02D354E8,?), ref: 02D354B6

Strings

ntdll.dll, xrefs: 02D35498
RtlTimeToSecondsSince1970, xrefs: 02D35493

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3DC07, Relevance: 7.6, APIs: 5, Instructions: 130

APIs

Part of subcall function 02D3DB5E: CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000,00000000,?,02D3DC33,00000000,00000000,00000000,00000000,?,00000000), ref: 02D3DB6E
Part of subcall function 02D3DB5E: MapViewOfFile.KERNEL32(00000000,0000000E,00000000,00000000,00000000,?,02D3DC33,00000000,00000000,00000000,00000000,?,00000000,?,02D3E27C,?), ref: 02D3DB80
Part of subcall function 02D3DB5E: UnmapViewOfFile.KERNEL32(?,?,?,00000000,?,00000000,?,02D3E27C,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02D3DBAB
Part of subcall function 02D3DB5E: CloseHandle.KERNEL32(?), ref: 02D3DBB3

Part of subcall function 02D35160: QueryPerformanceCounter.KERNEL32(00000000,000000FA,000000FA,?,02D35A48,00000000,?,02D35CC4,00000000,00000030,00000000,000000FA), ref: 02D35169

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D3DC91
RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 02D3DCB3
Sleep.KERNEL32(00000010,?,?,?,?,?,?,00000000,?,00000000,?,02D3E27C,?,00000000,?,?), ref: 02D3DCC3

Part of subcall function 02D3DBC0: lstrcmpA.KERNEL32(?,GetProcAddress,00000000,00000000,02D3DCEA,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02D3DBD4

FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 02D3DCF3
GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,02D3E27C,?), ref: 02D3DD0A

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D34147, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 81

APIs

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

lstrlenA.KERNEL32(00000540,00000000,?,00000000,?,?,02D33EE3,00000000,00000000,?,00000002,00000002,00000001,00000000,?), ref: 02D3417A
lstrlenA.KERNEL32(00000644,?,?,02D33EE3,00000000,00000000,?,00000002,00000002,00000001,00000000,?,?,?,02D3CC15,?), ref: 02D34186
lstrlenA.KERNEL32(00000440,?,?,02D33EE3,00000000,00000000,?,00000002,00000002,00000001,00000000,?,?,?,02D3CC15,?), ref: 02D34194
wsprintfA.USER32(00000000,/%s/%s/5/%s/%s/,00000540,00000440,00000000,00000644,?,?,02D33EE3,00000000,00000000,?,00000002,00000002,00000001,00000000), ref: 02D341CC

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

/%s/%s/5/%s/%s/, xrefs: 02D341C6

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3AACE, Relevance: 7.5, APIs: 5, Instructions: 47

APIs

inet_addr.WS2_32(00000000), ref: 02D3AAD9
socket.WS2_32(00000002,00000001,00000000), ref: 02D3AAF0
htons.WS2_32(000001BB), ref: 02D3AB17
connect.WS2_32(00000000,?,00000010), ref: 02D3AB28
closesocket.WS2_32(00000000), ref: 02D3AB31

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D35FD9, Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 36

APIs

wsprintfA.USER32(?,--%sContent-Disposition: form-data; name="%s",?,00000000,00000000,?,?,02D360E8,?,000000A4,00000000,00000000,?,?,?,02D350ED), ref: 02D35FEA
lstrlenA.KERNEL32(?,00000000,,00000000,00000000,Content-Type: ,02D350ED,?), ref: 02D36020

Strings

Content-Type: , xrefs: 02D35FF3
, xrefs: 02D36012
--%sContent-Disposition: form-data; name="%s", xrefs: 02D35FE4

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3BC11, Relevance: 7.5, APIs: 5, Instructions: 33

APIs

GetWindowLongW.USER32(?,000000F0), ref: 02D3BC1E
GetWindowInfo.USER32(?,?), ref: 02D3BC30
GetParent.USER32(?), ref: 02D3BC42
SetActiveWindow.USER32(00000000), ref: 02D3BC49
PostMessageW.USER32(?,000000F5,00000000,00000000), ref: 02D3BC59

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3C682, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92

APIs

GetVersionExW.KERNEL32(?,?), ref: 02D3C6A1
wsprintfA.USER32(?,02D3F72C,?), ref: 02D3C777

Part of subcall function 02D338EF: lstrlenA.KERNEL32(?,00000000,00000000,?,?,02D3C794,?,m_i2p32,?), ref: 02D33900
Part of subcall function 02D338EF: lstrlenA.KERNEL32(02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33907
Part of subcall function 02D338EF: wsprintfA.USER32(00000000,%s/%s/0,?,02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33926

Part of subcall function 02D335AC: WaitForSingleObject.KERNEL32(?,00000010), ref: 02D335B9
Part of subcall function 02D335AC: CloseHandle.KERNEL32(?), ref: 02D335CD
Part of subcall function 02D335AC: CreateThread.KERNEL32(00000000,00000000,02D3356C,?,00000000,00000000), ref: 02D335E1

Part of subcall function 02D3B9B6: GetExitCodeProcess.KERNEL32(?,?), ref: 02D3B9CC
Part of subcall function 02D3B9B6: CloseHandle.KERNEL32(?), ref: 02D3B9E2

Part of subcall function 02D3BCF8: CreateThread.KERNEL32(00000000,00000000,Function_0000BC6B,00000000,00000000,?), ref: 02D3BD0F
Part of subcall function 02D3BCF8: CloseHandle.KERNEL32(00000000), ref: 02D3BD16

Part of subcall function 02D3BA3D: CloseHandle.KERNEL32(00000001), ref: 02D3BA74

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

m_i2p32, xrefs: 02D3C6DF, 02D3C6E4, 02D3C712, 02D3C784
cannot get, xrefs: 02D3C70D

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3627F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67

APIs

HttpSendRequestExW.WININET(?,?,00000000,00000000,00000000), ref: 02D362B8
InternetWriteFile.WININET(?,?,00000400,?), ref: 02D362F3
HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 02D3630F

Strings

(, xrefs: 02D36296

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D34439, Relevance: 6.4, APIs: 5, Instructions: 114

APIs

lstrcmpA.KERNEL32(?,?,00000000,?,00000000), ref: 02D34498
lstrcmpA.KERNEL32(?,?), ref: 02D344D1
lstrcmpA.KERNEL32(?,?), ref: 02D34518
lstrlenA.KERNEL32(?), ref: 02D3454C
lstrcpyA.KERNEL32(?,00000000), ref: 02D3455E

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D34AA3, Relevance: 6.1, APIs: 4, Instructions: 103

APIs

lstrcmpA.KERNEL32(?,-00000540,00000000,00000000), ref: 02D34AFD
lstrcmpA.KERNEL32(?,-00000440), ref: 02D34B3A
lstrcmpA.KERNEL32(00000000,00000000), ref: 02D34B6E
StrToIntA.SHLWAPI(00000000), ref: 02D34BA3

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D35121, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 80

APIs

wsprintfA.USER32(?,/%s/%s/%d/%s/%s/,00000540,00000440,00000000,00000000,00000644,00000000), ref: 02D3507E
wsprintfA.USER32(?,/%s/%s/%d/%s/,00000540,00000440,00000000,00000644,00000000), ref: 02D350A0

Part of subcall function 02D3614C: CloseHandle.KERNEL32(?), ref: 02D3619B
Part of subcall function 02D3614C: CloseHandle.KERNEL32(?), ref: 02D361A3
Part of subcall function 02D3614C: CloseHandle.KERNEL32(?), ref: 02D361AB

Strings

/%s/%s/%d/%s/, xrefs: 02D3509A
/%s/%s/%d/%s/%s/, xrefs: 02D35078

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3520D, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

OpenProcessToken.ADVAPI32(?,00000008,?), ref: 02D3521E
GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 02D3523D
GetLastError.KERNEL32 ref: 02D3523F

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 02D35267

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Part of subcall function 02D3519A: LookupAccountSidW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 02D351C2
Part of subcall function 02D3519A: GetLastError.KERNEL32 ref: 02D351CD
Part of subcall function 02D3519A: LookupAccountSidW.ADVAPI32(00000000,00000200,?,00000200,00000000,?,?), ref: 02D351FB

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3BD76, Relevance: 6.0, APIs: 4, Instructions: 44

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000004,?), ref: 02D3BD94
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 02D3BDBB
RegCloseKey.ADVAPI32(?), ref: 02D3BDCF
RegCloseKey.ADVAPI32(?), ref: 02D3BDD4

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D34E1B, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43

APIs

lstrlenA.KERNEL32(?,?), ref: 02D34E34
lstrlenA.KERNEL32(?), ref: 02D34E3B

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

wsprintfA.USER32(00000000,%s/%s/0,?,?), ref: 02D34E5A

Part of subcall function 02D34EA1: lstrlenA.KERNEL32(00000540,00000000,?,00000000,?,?,?,02D330DB,?,?,00000000,?,00000000,00000000), ref: 02D34EC5
Part of subcall function 02D34EA1: lstrlenA.KERNEL32(00000644,?,?,?,02D330DB,?,?,00000000,?,00000000,00000000,?,?,?,02D331B9,0000000E), ref: 02D34ECA
Part of subcall function 02D34EA1: lstrlenA.KERNEL32(00000440,?,?,?,02D330DB,?,?,00000000,?,00000000,00000000,?,?,?,02D331B9,0000000E), ref: 02D34ED5
Part of subcall function 02D34EA1: lstrlenA.KERNEL32(02D3393A,?,?,?,02D330DB,?,?,00000000,?,00000000,00000000,?,?,?,02D331B9,0000000E), ref: 02D34EDC
Part of subcall function 02D34EA1: wsprintfA.USER32(00000000,/%s/%s/%d/%s/%s/,00000540,00000440,0000000E,02D3393A,00000644,?,?,?,02D330DB,?,?,00000000,?,00000000), ref: 02D34F14

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

%s/%s/0, xrefs: 02D34E54

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3DB5E, Relevance: 6.0, APIs: 4, Instructions: 42

APIs

CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000,00000000,?,02D3DC33,00000000,00000000,00000000,00000000,?,00000000), ref: 02D3DB6E
MapViewOfFile.KERNEL32(00000000,0000000E,00000000,00000000,00000000,?,02D3DC33,00000000,00000000,00000000,00000000,?,00000000,?,02D3E27C,?), ref: 02D3DB80
CloseHandle.KERNEL32(?), ref: 02D3DBB3

Part of subcall function 02D3DAA9: NtMapViewOfSection.NTDLL ref: 02D3DAD6

UnmapViewOfFile.KERNEL32(?,?,?,00000000,?,00000000,?,02D3E27C,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02D3DBAB

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3620C, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41

APIs

wsprintfA.USER32(?,02D3F72C,?,00001000,Content-Length: ), ref: 02D3625A

Strings

Content-Length: , xrefs: 02D36243
Accept: text/htmlConnection: Keep-Alive, xrefs: 02D3626D
Content-Type: multipart/form-data; boundary=, xrefs: 02D36224

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D338EF, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 39

APIs

lstrlenA.KERNEL32(?,00000000,00000000,?,?,02D3C794,?,m_i2p32,?), ref: 02D33900
lstrlenA.KERNEL32(02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33907

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

wsprintfA.USER32(00000000,%s/%s/0,?,02D3C794,?,02D3C794,?,m_i2p32,?), ref: 02D33926

Part of subcall function 02D36A42: HeapFree.KERNEL32(00000000,?), ref: 02D36A50

Strings

%s/%s/0, xrefs: 02D33920

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3E141, Relevance: 6.0, APIs: 4, Instructions: 39

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D3E158
Process32FirstW.KERNEL32(00000000,?), ref: 02D3E172

Part of subcall function 02D3DE9A: StrStrIW.SHLWAPI(?,chrome.exe), ref: 02D3DEB0
Part of subcall function 02D3DE9A: StrStrIW.SHLWAPI(?,firefox.exe), ref: 02D3DEBE
Part of subcall function 02D3DE9A: StrStrIW.SHLWAPI(?,iexplore.exe), ref: 02D3DECC

Process32NextW.KERNEL32(00000000,0000022C), ref: 02D3E194
CloseHandle.KERNEL32(00000000), ref: 02D3E1A4

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D356FF, Relevance: 6.0, APIs: 4, Instructions: 38

APIs

OpenProcess.KERNEL32(00000400,00000000,00000000,00000000,00000000,?,02D35760,00000000,02D35888,?,?,02D3E233,C:\Program Files\Internet Explorer\iexplore.exe,00000000,00000001), ref: 02D35714
OpenProcessToken.ADVAPI32(00000000,00000002,00000000,00000000,?,02D35760,00000000,02D35888,?,?,02D3E233,C:\Program Files\Internet Explorer\iexplore.exe,00000000,00000001,?,02D3E25F), ref: 02D3572B
CloseHandle.KERNEL32(00000000), ref: 02D3574C

Part of subcall function 02D356DA: DuplicateTokenEx.ADVAPI32(00000000,000F01FF,00000000,00000002,00000001,00000000,?,?,02D35743,00000000,?,02D35760,00000000,02D35888,?), ref: 02D356F4

CloseHandle.KERNEL32(00000000), ref: 02D35749

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3BBBD, Relevance: 6.0, APIs: 4, Instructions: 35

APIs

GetWindowLongW.USER32(?,000000F0), ref: 02D3BBC5
SetActiveWindow.USER32(?), ref: 02D3BBE7
SendMessageW.USER32(?,000000F5,00000001,00000000), ref: 02D3BBF8
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 02D3BC00

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D34078, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 33

APIs

wsprintfA.USER32(?,/%s/%s/%d/%s/,?,?,00000000,?,?,?,?), ref: 02D340AE
wsprintfA.USER32(?,/%s/%s/%d/%s/%s/,?,?,00000000,00000000,?,?,?,?), ref: 02D340CD

Part of subcall function 02D33F65: GetVersionExW.KERNEL32(?), ref: 02D33F98
Part of subcall function 02D33F65: wsprintfA.USER32(?,/%s/%s/0/%s/%d/%s/,?,?,?,00000464,?), ref: 02D34068

Strings

/%s/%s/%d/%s/, xrefs: 02D340A6
/%s/%s/%d/%s/%s/, xrefs: 02D340C5

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3556C, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

FindResourceW.KERNEL32(?,?,0000000A), ref: 02D35578
LoadResource.KERNEL32(?,00000000,?,?,?,02D3C27F,733ysoac4,?,?,?,02D3D635,?,?), ref: 02D35589
SizeofResource.KERNEL32(?,00000000,?,?,?,02D3C27F,733ysoac4,?,?,?,02D3D635,?,?), ref: 02D35599
LockResource.KERNEL32(00000000,?,?,?,02D3C27F,733ysoac4,?,?,?,02D3D635,?,?), ref: 02D355A5

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3327E, Relevance: 6.0, APIs: 4, Instructions: 25

APIs

DeleteCriticalSection.KERNEL32(07C5B2BC,07C5AEF8,02D3D91D,?,?,02D3BBAA), ref: 02D332A7
DeleteCriticalSection.KERNEL32(07C5B288,?,?,02D3BBAA), ref: 02D332B0
DeleteCriticalSection.KERNEL32(07C5B2A0,?,?,02D3BBAA), ref: 02D332B9
DeleteCriticalSection.KERNEL32(07C5B2D4,?,?,02D3BBAA), ref: 02D332C2

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D34BD5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55

APIs

StrStrA.SHLWAPI(00000000,/), ref: 02D34BEA
StrToIntA.SHLWAPI(00000000), ref: 02D34C16

Part of subcall function 02D36A13: HeapAlloc.KERNEL32(00000008,?,?,02D34127,00000000,00000000,?,02D34FD8,00000000,00000000,?,02D33983,07C5AEF8,07C5AEF8,02D3328B,02D3D91D), ref: 02D36A21

Strings

/, xrefs: 02D34BE1

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D32615, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44

APIs

wsprintfW.USER32 ref: 02D32675

Strings

mBLuH)Ku, xrefs: 02D32675
TunnelDataPacket::LoadData: [--INFO--] m_RawData->DataSize = %d, size = %d, connID = %d, xrefs: 02D3266F

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D35F16, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24

APIs

GetTickCount.KERNEL32(02D350ED,?,00000000,?), ref: 02D35F2D
wsprintfA.USER32(?,%sbound-%d,?,00000000), ref: 02D35F40

Strings

%sbound-%d, xrefs: 02D35F38

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3D52E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14

APIs

OpenMutexW.KERNEL32(00100000,00000000,Global\pen3j3832h,?,02D3D60B), ref: 02D3D53C
CloseHandle.KERNEL32(00000000), ref: 02D3D547

Strings

Global\pen3j3832h, xrefs: 02D3D52F

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D37069, Relevance: 5.1, APIs: 4, Instructions: 107

APIs

lstrlenA.KERNEL32(?,?,02D34760,?,?,?,?,?,02D348EA,?,02D348EA,00000000,00000000,?,00000000), ref: 02D370B2
StrStrIA.SHLWAPI(00000000,?), ref: 02D370CA
StrStrIA.SHLWAPI(00000001,00000000), ref: 02D37129
lstrlenA.KERNEL32(?,?,02D34760,?,?,?,?,?,02D348EA,?,02D348EA,00000000,00000000,?,00000000), ref: 02D37142

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Function 02D3322C, Relevance: 5.0, APIs: 4, Instructions: 25

APIs

InitializeCriticalSection.KERNEL32(00000390), ref: 02D33254
InitializeCriticalSection.KERNEL32(000003A8), ref: 02D3325D
InitializeCriticalSection.KERNEL32(000003C4), ref: 02D33266
InitializeCriticalSection.KERNEL32(000003DC), ref: 02D3326F

Memory Dump Source

Source File: 00000004.00000002.4892952610.02D30000.00000040.sdmp, Offset: 02D30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d30000_explorer.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Signature Overview

DDOS:

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Networking:

Boot Survival:

Remote Access Functionality:

Stealing of Sensitive Information:

Data Obfuscation:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Hooks - Code Manipulation Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: FRUK22.exe PID: 2004 Parent PID: 3980

General

Chronological Activities

Analysis Process: gNLgAaLjeJfBoaJ.exe PID: 3164 Parent PID: 2004

General

Chronological Activities

Analysis Process: explorer.exe PID: 1972 Parent PID: 3164

General

Chronological Activities

Analysis Process: svchost.exe PID: 1104 Parent PID: 508

General

Chronological Activities

Analysis Process: WerFault.exe PID: 3524 Parent PID: 1104

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: FRUK22.exe PID: 2004 Parent PID: 3980

Execution Graph

Executed Functions

Function 00403850, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85

Function 00401520, Relevance: 13.6, APIs: 9, Instructions: 109

Function 00390117, Relevance: 11.1, APIs: 7, Instructions: 620